Shell scripts to help automate RBAC setup on test Kubernetes clusters
The primary purpose is to create:
- a service account
- a namespace
- RBAC rules that restrict the service account to reading and writing resources in that namespace only
- RBAC rules that let the service account read Node information (Nodes are cluster-scoped, so this part needs a ClusterRole rather than a namespaced Role)
- a kubeconfig for the service account
$ ./create-restricted-namespace.sh [namespace]
Creates a kubeconfig with a token for authentication. Instructions on how to use the kubeconfig will be printed to stdout. The kubeconfig embeds the service account's bearer token, so anyone who can read the file can act with that service account's permissions; treat it like a password and keep it out of shared directories and version control.
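As an added example (not the project's own create-restricted-namespace.sh), the following script renders the five objects listed above as plain manifests and, when asked, applies them and writes a kubeconfig for the service account with kubectl's own config subcommands. Resource names such as `<sa>-admin` and `<ns>-<sa>-node-reader` and the `APPLY_RBAC` switch are assumptions for illustration; the rendering functions run offline, the apply step needs a cluster in your current kubectl context.

```shell
#!/bin/sh
# Added example, not the project's create-restricted-namespace.sh: render the
# objects the README lists and apply them. Resource names are illustrative.
set -eu

# Roles and RoleBindings are namespaced, so "*" below cannot reach another
# namespace; Nodes are cluster-scoped, which is why they need a ClusterRole.
rbac_manifests() {
  ns=$1 sa=$2
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: $ns
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $sa
  namespace: $ns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${sa}-admin
  namespace: $ns
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}-admin
  namespace: $ns
subjects:
- kind: ServiceAccount
  name: $sa
  namespace: $ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${sa}-admin
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${ns}-${sa}-node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${ns}-${sa}-node-reader
subjects:
- kind: ServiceAccount
  name: $sa
  namespace: $ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${ns}-${sa}-node-reader
EOF
}

# Applies the manifests to the current kubectl context and writes a kubeconfig
# that authenticates as the service account. Runs only when APPLY_RBAC is set.
apply_restricted_namespace() {
  ns=$1 sa=${2:-$1-user} out=$1.kubeconfig
  rbac_manifests "$ns" "$sa" | kubectl apply -f -
  server=$(kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.server}')
  ca=$(kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.certificate-authority}')
  if [ -z "$ca" ]; then  # CA is embedded as data rather than referenced as a file
    ca=$(mktemp)
    kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 -d > "$ca"
  fi
  # kubectl create token (1.24+) returns a short-lived token; older clusters
  # only have the auto-created secret, whose token never expires.
  token=$(kubectl create token "$sa" -n "$ns" --duration=1h 2>/dev/null) ||
    token=$(kubectl get secret -n "$ns" "$(kubectl get sa -n "$ns" "$sa" -o jsonpath='{.secrets[0].name}')" -o jsonpath='{.data.token}' | base64 -d)
  kubectl config --kubeconfig="$out" set-cluster restricted --server="$server" --certificate-authority="$ca" --embed-certs=true
  kubectl config --kubeconfig="$out" set-credentials "$sa" --token="$token"
  kubectl config --kubeconfig="$out" set-context "$sa@$ns" --cluster=restricted --user="$sa" --namespace="$ns"
  kubectl config --kubeconfig="$out" use-context "$sa@$ns"
  chmod 600 "$out"  # the file is a bearer credential: guard it like a password
  echo "wrote $out; try: KUBECONFIG=$out kubectl get pods"
}

if [ -n "${APPLY_RBAC:-}" ]; then apply_restricted_namespace "$@"; fi
```

Run `APPLY_RBAC=1 sh restricted-ns.sh demo` against a throwaway cluster, then `KUBECONFIG=demo.kubeconfig kubectl get pods -n default` should be denied while `kubectl get nodes` and anything inside `demo` succeed.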
Real production auth systems use short-lived tokens that have to be refreshed periodically (for example, aws-iam-authenticator). If you'd like to simulate that flow, use the -e option to create a fake auth script with rotate-able tokens.
$ ./create-restricted-namespace.sh -e [namespace]
Instructions on how to rotate the token will be printed to stdout.
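The -e flow above stands in for a credential plugin. As an added example that is not the project's own -e implementation, the following assumes the kubeconfig exec credential mechanism (the `client.authentication.k8s.io` ExecCredential object, which is also how aws-iam-authenticator plugs into kubectl on the client side): kubectl runs the configured command whenever it needs a credential and uses the token it prints, so rotating a token file changes what later requests send without rewriting the kubeconfig. The file names (`fake-auth.sh`, the token file) and the `demo` argument are illustrative.

```shell
#!/bin/sh
# Added example, not the project's -e implementation: a fake credential plugin
# with a rotate-able token. File names and paths are illustrative.
set -eu

# Install a plugin that prints an ExecCredential built from a token file.
# The token is checked against the bearer-token alphabet so that a tampered
# file cannot inject extra JSON into the response.
install_fake_auth_script() {
  script=$1 token_file=$2
  cat > "$script" <<EOF
#!/bin/sh
set -eu
token=\$(cat "$token_file")
case \$token in
  ""|*[!A-Za-z0-9._-]*) echo "refusing malformed token in $token_file" >&2; exit 1 ;;
esac
printf '{"apiVersion": "client.authentication.k8s.io/v1beta1", "kind": "ExecCredential", "status": {"token": "%s"}}\n' "\$token"
EOF
  chmod 700 "$script"
}

# Rotate: write the new token 0600 to a temp file, then rename it into place
# so a kubectl running at the same moment never reads a half-written token.
rotate_token() {
  token_file=$1 new_token=$2
  (umask 077; printf '%s' "$new_token" > "$token_file.tmp")
  mv "$token_file.tmp" "$token_file"
}

# Run the plugin the way kubectl would and pull the token out of its JSON.
current_plugin_token() {
  "$1" | sed -n 's/.*"token": "\([^"]*\)".*/\1/p'
}

# kubeconfig that names the plugin instead of carrying a token; rotating the
# token file needs no change here.
kubeconfig_with_exec() {
  server=$1 ca_b64=$2 ns=$3 sa=$4 script=$5
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: restricted
  cluster:
    server: $server
    certificate-authority-data: $ca_b64
users:
- name: $sa
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: $script
contexts:
- name: $sa@$ns
  context:
    cluster: restricted
    namespace: $ns
    user: $sa
current-context: $sa@$ns
EOF
}

# Stand-alone demo in a temp dir: install, rotate twice, show that the plugin
# follows the file. Run with: sh fake-auth-demo.sh demo
demo_rotation() {
  dir=$(mktemp -d)
  install_fake_auth_script "$dir/fake-auth.sh" "$dir/token"
  rotate_token "$dir/token" first-token
  echo "plugin now returns: $(current_plugin_token "$dir/fake-auth.sh")"
  rotate_token "$dir/token" second-token
  echo "plugin now returns: $(current_plugin_token "$dir/fake-auth.sh")"
  kubeconfig_with_exec https://127.0.0.1:6443 QUJD demo demo-user "$dir/fake-auth.sh"
}

if [ "${1:-}" = demo ]; then demo_rotation; fi
```

To use it against a cluster, put a real service account token into the token file and point `server` and `certificate-authority-data` at your cluster; rotating then means writing a fresh token with `rotate_token` while the kubeconfig stays untouched, which is the property a short-lived-token flow relies on.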
Verified working on:
- Minikube
- KIND (Kubernetes IN Docker)
- Docker For Desktop (Docker for Mac)
- microk8s 1.15+, after you have enabled RBAC (it is off by default) with: microk8s.enable rbac
Won't work with:
- kubeadm-dind-cluster - configured to use the insecure (unauthenticated) API endpoint by default, so requests bypass authentication and authorization and the RBAC rules never apply
Thanks to:
- The Kubernetes RBAC documentation
- Kubernetes and RBAC: Restrict User Access to One Namespace by Jeremie Vallee
- Debugging help from Guillaume Rose
Copyright 2019 Windmill Engineering
Licensed under the Apache License, Version 2.0