Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-09-19 15:56:03 +00:00
Code Issues Packages Projects Releases Wiki Activity
c6eec7384b
constellation/dev-docs/howto/kubeconfigs.md
Markus Rudy 9101417ef8
dev-docs: howto generate kubeconfigs (#3047)
2024-04-26 14:58:38 +02:00

3.3 KiB
Raw Blame History

How to create kubeconfigs for users

One of the first things to do after setting up a Constellation cluster is to hand out kubeconfig files to its prospective users. Adhering to the principle of least privilege, it is not advisable to share the admin config with all cluster users. Instead, users should authenticate individually to the API server, and permissions should be controlled by RBAC.

Constellation users authenticate to the API server with a client TLS certificate, signed by the Kubernetes CA. The user's identity and group memberships are taken from the certificates common name and organizations, respectively. Details can be found in the upstream authn documentation.

The kubeadm documentation describes a process for creating new kubeconfigs, but the instructions requires access to a control-plane node, or at least the Kubernetes CA certificate and key. While the certificates can be extracted, e.g. by spawning a node debugger pod, we can take a safer road that only requires kubectl. The example script below creates a new kubeconfig for a user and optional group memberships. It uses the Kubernetes certificate API to obtain a user certificate signed by the cluster CA.

#!/bin/sh
set -eu

if [ $# -lt 2 ]; then
    echo "Usage: $0 username [groupname...]" >&2
    exit 1
fi

user=$1
shift

subj="/CN=${user}"
for g in "$@"; do
  subj="${subj}/O=$g"
done

openssl req -newkey rsa:4096 -out ${user}.csr -keyout ${user}.key -nodes -subj "${subj}"

kubectl apply -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${user}
spec:
  request: $(base64 -w0 ${user}.csr)
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
kubectl certificate approve ${user}
kubectl wait --for=jsonpath='{.status.certificate}' csr/${user}
kubectl get csr ${user} -o jsonpath='{.status.certificate}' | base64 -d >${user}.pem
kubectl delete csr ${user}

kubectl get cm kube-root-ca.crt -o go-template='{{ index .data "ca.crt" }}' >ca.pem
kubectl get cm kubeadm-config -n kube-system -o=jsonpath="{.data.ClusterConfiguration}" >clusterconfig.yaml
cluster=$(yq .clusterName clusterconfig.yaml)
endpoint=$(yq .controlPlaneEndpoint clusterconfig.yaml)

cat >${user}.conf <<EOF
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: $(base64 -w0 ca.pem)
    server: https://${endpoint}
  name: ${cluster}
contexts:
- context:
    cluster: ${cluster}
    user: ${user}
  name: ${user}@${cluster}
current-context: ${user}@${cluster}
users:
- name: ${user}
  user:
    client-certificate-data: $(base64 -w0 ${user}.pem)
    client-key-data: $(base64 -w0 ${user}.key)
EOF

env KUBECONFIG=./${user}.conf kubectl auth whoami

rm ca.pem clusterconfig.yaml ${user}.csr ${user}.pem ${user}.key