Create View Only User on Kubernetes Cluster

This is how to create a view-only user across all resources of a k8s cluster.

First: apply the readonly.yml and readonly-binding.yml RBAC manifests below (they are Role/RoleBinding objects, not Deployments).

Second: create a client certificate for the view-only user so it can authenticate to the k8s cluster (our sample user is named k8sview; the certificate CN must match the user name in the binding exactly).

#create new directory

-mkdir k8sview

#Enter directory

-cd k8sview/

#generate a 2048-bit RSA private key (named k8sview.key)

-openssl genrsa -out k8sview.key 2048

#create a CSR with the subject (named k8sview.csr); CN becomes the Kubernetes user name and O the group, so no spaces around them

-openssl req -new -key k8sview.key -out k8sview.csr -subj "/CN=k8sview/O=Appsupport"

#sign the CSR with the k8s CA, valid for 500 days (named k8sview.crt)

-openssl x509 -req -in k8sview.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out k8sview.crt -days 500

#copy the key and certificate into the user's .kube directory, then configure the user credentials in the config file

-mkdir -p /home/k8sview/.kube

-cp k8sview.crt k8sview.key /home/k8sview/.kube/

-kubectl config set-credentials k8sview --client-certificate=/home/k8sview/.kube/k8sview.crt --client-key=/home/k8sview/.kube/k8sview.key

#setting the context

-kubectl config set-context k8sview-context --cluster=kubernetes --user=k8sview

#check config file

-kubectl config view

#export the config

-chown $(id -u):$(id -g) $HOME/.kube/config

-echo $KUBECONFIG

-export KUBECONFIG=$KUBECONFIG:$HOME/.kube/config

#switch to the new context and validate that the user is view only ("view" is not an RBAC verb; the read verbs are get, list and watch)

-kubectl config use-context k8sview-context

-kubectl auth can-i delete deployments

-kubectl auth can-i create deployments

-kubectl auth can-i get deployments

-kubectl auth can-i list deployments

 

-----------------------------------------------------------------------

At the end we should remove the k8s admin info from the view user's config file; eventually it will look like below.

-----------------------------------------------------------------------

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 CA certificate data, elided>
    server: https://172.17.67.21:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: k8sview
  name: k8sview-context
current-context: k8sview-context
kind: Config
preferences: {}
users:
- name: k8sview
  user:
    client-certificate: /home/k8sview/.kube/k8sview.crt
    client-key: /home/k8sview/.kube/k8sview.key

----------------------------------------------------
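The "remove the admin info" step above is easy to get wrong by hand, so here is an added example (not part of the original article) that prunes a kubeconfig down to a single context and reports any other user entries that still carry credentials. It works on the JSON form of a kubeconfig, as printed by `kubectl config view -o json`; the sample config embedded below is constructed for the demo and mirrors the layout shown above.

```python
# Added example: prune a kubeconfig to one context (the "remove the k8s admin
# info" step). Input is the JSON form of a kubeconfig (kubectl config view -o json).
import json


def minify_kubeconfig(cfg: dict, context_name: str) -> dict:
    """Return a new kubeconfig dict containing only the given context and the
    cluster and user it references. Raises KeyError if anything is missing."""
    ctx = next((c for c in cfg.get("contexts", []) if c["name"] == context_name), None)
    if ctx is None:
        raise KeyError(f"context {context_name!r} not found")
    cluster_name = ctx["context"]["cluster"]
    user_name = ctx["context"]["user"]

    clusters = [c for c in cfg.get("clusters", []) if c["name"] == cluster_name]
    users = [u for u in cfg.get("users", []) if u["name"] == user_name]
    if not clusters:
        raise KeyError(f"cluster {cluster_name!r} not found")
    if not users:
        raise KeyError(f"user {user_name!r} not found")

    return {
        "apiVersion": cfg.get("apiVersion", "v1"),
        "kind": "Config",
        "preferences": cfg.get("preferences", {}),
        "clusters": clusters,
        "contexts": [ctx],
        "current-context": context_name,
        "users": users,
    }


def leftover_credentials(cfg: dict, keep_user: str) -> list:
    """Names of user entries other than keep_user that still carry credentials
    (token, client cert/key, exec plugin, ...). Must be empty after minifying."""
    cred_keys = {"token", "client-certificate", "client-certificate-data",
                 "client-key", "client-key-data", "exec", "auth-provider", "password"}
    return [u["name"] for u in cfg.get("users", [])
            if u["name"] != keep_user and cred_keys & set(u.get("user", {}))]


# Constructed sample: an admin kubeconfig into which the k8sview user was added.
SAMPLE = {
    "apiVersion": "v1",
    "kind": "Config",
    "preferences": {},
    "clusters": [
        {"name": "kubernetes",
         "cluster": {"server": "https://172.17.67.21:6443",
                     "certificate-authority-data": "<elided>"}},
    ],
    "contexts": [
        {"name": "kubernetes-admin@kubernetes",
         "context": {"cluster": "kubernetes", "user": "kubernetes-admin"}},
        {"name": "k8sview-context",
         "context": {"cluster": "kubernetes", "user": "k8sview"}},
    ],
    "current-context": "kubernetes-admin@kubernetes",
    "users": [
        {"name": "kubernetes-admin",
         "user": {"client-certificate-data": "<elided>", "client-key-data": "<elided>"}},
        {"name": "k8sview",
         "user": {"client-certificate": "/home/k8sview/.kube/k8sview.crt",
                  "client-key": "/home/k8sview/.kube/k8sview.key"}},
    ],
}

if __name__ == "__main__":
    view_only = minify_kubeconfig(SAMPLE, "k8sview-context")
    print(json.dumps(view_only, indent=2))
    print("leftover credentials:", leftover_credentials(view_only, "k8sview"))
```

kubectl can do the same pruning itself with `kubectl config view --minify --flatten --context=k8sview-context`; the function above is useful when you want to check, before handing the file over, that no admin credentials survived.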

readonly.yml

# Optional custom read-only ClusterRole. "view" is not an RBAC verb (the API server
# accepts it but it never matches a request); the read-only verbs are get, list and
# watch. A namespaced Role cannot be referenced from a ClusterRoleBinding, so this
# must be a ClusterRole. readonly-binding.yml below binds the built-in "view"
# ClusterRole instead, which deliberately excludes Secrets; to use this role
# (which would include Secrets), set roleRef.name there to cluster-readonly.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-readonly
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]

 

readonly-binding.yml

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-readonly-binding
subjects:
- kind: User
  name: k8sview          # must match the certificate CN exactly
  apiGroup: rbac.authorization.k8s.io
  # no "namespace" here: User subjects are not namespaced and the field is ignored
roleRef:
  kind: ClusterRole
  name: view             # built-in read-only ClusterRole (excludes Secrets)
  apiGroup: rbac.authorization.k8s.io
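The two manifests above are small, but a read-only grant can silently do nothing (an unknown verb) or more than intended (Secrets readable, a role nobody binds). Here is an added example, not part of the original article, of a lint that checks the manifests for exactly those problems. Manifests are passed as dicts (what `yaml.safe_load` returns from the files); the samples embedded below are constructed: one reproduces a Role using the non-verb "view" and a binding with `namespace` on a User subject, the other a corrected ClusterRole.

```python
# Added example: lint Role/ClusterRole and (Cluster)RoleBinding manifests (as dicts)
# for mistakes that make a "read-only" user silently broken or over-privileged.
VALID_VERBS = {"get", "list", "watch", "create", "update", "patch", "delete",
               "deletecollection", "impersonate", "bind", "escalate", "*"}
READ_VERBS = {"get", "list", "watch"}


def lint_role(role: dict) -> list:
    """Findings for a Role/ClusterRole: unknown verbs, write verbs on a role
    meant to be read-only, and read rules broad enough to include Secrets."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        for v in sorted(verbs - VALID_VERBS):
            findings.append(f"rules[{i}]: {v!r} is not an RBAC verb; read access is get/list/watch")
        if verbs & (VALID_VERBS - READ_VERBS):
            findings.append(f"rules[{i}]: grants write verbs {sorted(verbs - READ_VERBS)}")
        if verbs & (READ_VERBS | {"*"}) and resources & {"secrets", "*"} and groups & {"", "*"}:
            findings.append(f"rules[{i}]: read access includes Secrets")
    return findings


def lint_binding(binding: dict, roles: dict) -> list:
    """Findings for a (Cluster)RoleBinding. `roles` maps (kind, name) to the
    role manifests in the same set; built-in roles such as "view" are not in
    it, so a missing reference is reported as informational."""
    findings = []
    ref = binding.get("roleRef", {})
    if binding["kind"] == "ClusterRoleBinding" and ref.get("kind") != "ClusterRole":
        findings.append("ClusterRoleBinding.roleRef must reference a ClusterRole")
    if (ref.get("kind"), ref.get("name")) not in roles:
        findings.append(f"roleRef {ref.get('kind')}/{ref.get('name')} is not defined in these manifests "
                        "(fine if it is a built-in role such as view)")
    for i, s in enumerate(binding.get("subjects", [])):
        if s.get("kind") in ("User", "Group") and "namespace" in s:
            findings.append(f"subjects[{i}]: namespace is ignored for {s['kind']} subjects")
        if s.get("kind") == "User" and s["name"] != s["name"].strip():
            findings.append(f"subjects[{i}]: user name has surrounding whitespace; it will not match the certificate CN")
    return findings


def unused_roles(manifests: list) -> list:
    """Roles/ClusterRoles in the set that no binding in the set references."""
    referenced = {(m["roleRef"]["kind"], m["roleRef"]["name"])
                  for m in manifests if m["kind"].endswith("Binding")}
    return [m["metadata"]["name"] for m in manifests
            if m["kind"] in ("Role", "ClusterRole")
            and (m["kind"], m["metadata"]["name"]) not in referenced]


# Constructed samples.
ORIGINAL_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "cluster-readonly"},
    "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["view"]}],
}
FIXED_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "cluster-readonly"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]}],
}
ORIGINAL_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
    "metadata": {"name": "cluster-readonly-binding"},
    "subjects": [{"kind": "User", "name": "k8sview", "namespace": "*",
                  "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "ClusterRole", "name": "view", "apiGroup": "rbac.authorization.k8s.io"},
}

if __name__ == "__main__":
    manifests = [ORIGINAL_ROLE, ORIGINAL_BINDING]
    roles = {(m["kind"], m["metadata"]["name"]): m for m in manifests if not m["kind"].endswith("Binding")}
    for f in lint_role(ORIGINAL_ROLE) + lint_binding(ORIGINAL_BINDING, roles):
        print("finding:", f)
    print("unused roles:", unused_roles(manifests))
    print("fixed role:", lint_role(FIXED_ROLE))
```

The Secrets finding on the corrected ClusterRole is deliberate: a blanket get/list/watch on `*` lets the "view-only" user read every Secret in the cluster, which is why the binding above uses the built-in `view` ClusterRole that leaves Secrets out.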
