In this lab we will cover:
- Role and RoleBinding
- User mapping
Lab 1: Role and RoleBinding
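# Create the namespaced Role defined in role.yaml and confirm it exists.
kubectl create -f role.yaml
kubectl get roles
# Review the rules (resources and verbs) that pod-reader grants before
# binding it to anyone.
kubectl describe role pod-reader

# Bind the Role to the subjects declared in rolebind.yaml.
kubectl create -f rolebind.yaml
kubectl get rolebindings
# Check the subject list: every user or group named in read-pods receives
# the Role's permissions in the binding's namespace.
kubectl describe rolebindings read-pods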
Lab 2: Test with user
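# Role and RoleBinding testing with a certificate-authenticated user.

# Create a private key for your user. In this example the file is named
# employee.key.
openssl genrsa -out employee.key 2048
# The key is the user's credential: keep it readable by its owner only.
chmod 600 employee.key

# Create a certificate signing request, employee.csr, from the private key
# you just created. Specify the username and group in -subj: Kubernetes
# takes the username from CN and the group from O.
openssl req -new -key employee.key -out employee.csr -subj "/CN=employee/O=test"

# Generate the final certificate, employee.crt, by signing the request with
# the cluster CA. /etc/kubernetes/pki is the CA location used in this
# example; substitute the location of your cluster CA if it differs. The
# certificate is valid for 500 days.
# NOTE(review): Kubernetes does not check revocation for client
# certificates, so this credential stays usable until it expires; outside a
# lab, use a much shorter -days value. Whoever can read ca.key can issue a
# certificate for any user or group, so sign on the control plane and do not
# copy the CA key elsewhere.
openssl x509 -req -in employee.csr \
  -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key \
  -CAcreateserial -out employee.crt -days 500

# Register the certificate and key as the "employee" credentials in the
# kubeconfig. The entries point at the files by path, so the files must
# stay in place.
kubectl config set-credentials employee \
  --client-certificate=employee.crt --client-key=employee.key

# Add a new context with the new credentials for your Kubernetes cluster.
kubectl config set-context employee-context \
  --cluster=kubernetes --namespace=default --user=employee
kubectl config get-contexts
kubectl config use-context employee-context

# Acting as employee: show what this identity is allowed to do in the
# namespace, then exercise it.
kubectl auth can-i --list --namespace=default
kubectl get pods

# Placeholder: set this to a pod name from the listing above. (Written
# literally as <pod name>, the shell would parse it as an input redirection.)
POD_NAME="REPLACE_WITH_POD_NAME"
# If pod-reader grants only read verbs, this delete is expected to be
# rejected as Forbidden -- confirm against role.yaml, which is not shown here.
kubectl delete pods "$POD_NAME"

# Change back to admin.
kubectl config use-context kubernetes-admin@kubernetes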
Lab 3: ClusterRole and ClusterRoleBinding
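# Create the ClusterRole defined in clusrole.yaml and inspect its rules.
# A ClusterRole is not namespaced.
kubectl create -f clusrole.yaml
kubectl get clusterroles
kubectl describe clusterroles secret-reader

# Bind the ClusterRole cluster-wide with a ClusterRoleBinding.
# NOTE(review): going by the names, this grants read access to Secrets in
# every namespace -- confirm against clusrole.yaml and clusbinding.yaml.
# The get, list and watch verbs on Secrets all expose the secret values, so
# check the subject list below carefully; if the subjects need Secrets from
# only some namespaces, bind the ClusterRole with a RoleBinding in each of
# those namespaces instead.
kubectl create -f clusbinding.yaml
kubectl get clusterrolebindings
kubectl describe clusterrolebindings read-secrets-global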