echo '#cloud-config
runcmd:
- apt update --fix-missing
- snap refresh
- snap install microk8s --classic
- microk8s status --wait-ready
- microk8s enable dns ingress' > cloud-config-microk8s.yaml
multipass launch focal -n microk8s -c 2 -m 4G -d 10G --cloud-init cloud-config-microk8s.yaml
sudo mkdir -p $HOME/.kube/configs
multipass exec microk8s sudo microk8s config > $HOME/.kube/configs/config-microk8s
export KUBECONFIG=$HOME/.kube/configs/config-microk8s
chmod 0600 $KUBECONFIG
kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* microk8s microk8s-cluster admin
kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://<YOUR_IP>:16443
name: microk8s-cluster
contexts:
- context:
cluster: microk8s-cluster
user: admin
name: microk8s
current-context: microk8s
kind: Config
preferences: {}
users:
- name: admin
user:
token: REDACTED
kubectl config view | sed "s/DATA+OMITTED/\${CA}/" | sed "s/admin/user-\${USER_NAME}/" | sed "s/REDACTED/\${TOKEN}/"
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: ${CA}
server: https://<YOUR_IP>:16443
name: microk8s-cluster
contexts:
- context:
cluster: microk8s-cluster
user: user-${USER_NAME}
name: microk8s
current-context: microk8s
kind: Config
preferences: {}
users:
- name: user-${USER_NAME}
user:
token: ${TOKEN}
# Create service accounts with the users below.
echo 'fulano.user
sicrano.user
beltrano.user' > users.txt &&
for i in `cat users.txt` ; do kubectl create sa $i ; done &&
# Get access tokens for created service accounts.
sleep 10s ; for i in `cat users.txt` ; do kubectl get sa/$i -o jsonpath="{.secrets[0].name}" | { tr -d '\n'; echo; } >> tokens.txt ; done &&
# Use tokens to obtain access credentials and create individual cluster configuration files.
for i in `cat tokens.txt` ;
do export TOKEN_NAME=$i &&
CA=$(kubectl get secret/$TOKEN_NAME -o jsonpath='{.data.ca\.crt}') &&
TOKEN=$(kubectl get secret/$TOKEN_NAME -o jsonpath='{.data.token}' | base64 --decode) &&
USER_NAME=$(echo $TOKEN_NAME | cut -f 1 -d -) &&
echo "apiVersion: v1
clusters:
- cluster:
certificate-authority-data: ${CA}
server: https://<YOUR_IP>:16443
name: microk8s-cluster
contexts:
- context:
cluster: microk8s-cluster
user: user-${USER_NAME}
name: microk8s
current-context: microk8s
kind: Config
preferences: {}
users:
- name: user-${USER_NAME}
user:
token: ${TOKEN}" > config-$USER_NAME ;
done
This example generates a yaml for each user, in it we have the "Namespace", "ServiceAccount", "ClusterRole" and "ClusterRoleBinding".
-
Namespace: Mechanism for isolating cluster resource groups.
-
ServiceAccount: Provides an identity to access cluster resources.
-
ClusterRole: Provides access and permissions to access resources in the cluster.
-
ClusterRoleBinding: Provides the binding between ServiceAccount(the identity) and ClusterRole(the accesses and permissions).
for i in `cat users.txt` ;
do export USER_NAME=$i &&
echo "apiVersion: v1
items:
- apiVersion: v1
kind: Namespace
metadata:
name: default
- apiVersion: v1
kind: ServiceAccount
metadata:
name: ${USER_NAME}
namespace: default
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ${USER_NAME}
namespace: default
rules:
- apiGroups: ['*']
resources: ['*']
verbs: ['*']
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ${USER_NAME}
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ${USER_NAME}
subjects:
- kind: ServiceAccount
name: ${USER_NAME}
namespace: default
kind: List
metadata: {}" > microk8s-rbac-admin-$USER_NAME.yaml;
done
for i in `cat users.txt` ; do kubectl apply -f microk8s-rbac-admin-$i.yaml ; done
In this example, users have full access in their ClusterRole, if we wanted a rule for the "deployments" resource.
kubectl api-resources -o wide | grep "^deployments"
NAME SHORTNAMES APIVERSION NAMESPACED KIND VERBS
deployments deploy apps/v1 true Deployment [create delete deletecollection get list patch update watch]
The rule would be like this.
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ${USER_NAME}
namespace: default
rules:
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["create", "delete", "get", "list"]
Sources:
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
https://www.redhat.com/en/topics/containers/what-kubernetes-role-based-access-control-rbac