Minikube: Exemplo com Autenticação: Difference between revisions

No edit summary
No edit summary
 
(5 intermediate revisions by the same user not shown)
Line 1: Line 1:
EM RASCUNHO AINDA
1) Levantando o Minikube
1) Levantando o Minikube


Line 57: Line 59:
) Criando uma namespace
) Criando uma namespace


  kubectl create namespace lfs158
  kubectl create namespace ns-exemplo-autenticacao




Line 73: Line 75:


Resultado  
Resultado  
  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2FUQ0NBVkVDQVFBd0pERVBNQTBHQTFVRUF3d0daV0poYzNOdk1SRXdEd1lEVlFRS0RBaGpiMjF3WV
  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2FUQ0NBVkVDQVFBd0pERVBNQTBHQTFVRUF3d0daV0poYzNOdk1SRXdEd1lEVlFRS
  ...
  ...
  0YKcnFEOVB0T0UvVVRLRjB1U3h5cGlLaEs3a2VZNHNSdnJaUlBVVmdBRGx1NXp1aWRqajdnQmtBdzlJQ1dHCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
  vVVRLRjB1U3h5cGlLaEs3a2VZNHNSdnJaUlBVVmdBRGx1NXp1aWRqajdnQmtBdzlJQ1dHCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=




<nowiki>
<nowiki>
cat > signing-request.yml << EOF
cat > signing-request.yml << EOF
apiVersion: certificates.k8s.io/v1beta1
apiVersion: certificates.k8s.io/v1beta1
Line 87: Line 89:
   groups:
   groups:
   - system:authenticated
   - system:authenticated
   request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2FUQ0NBVkVDQVFBd0pERVBNQTBHQTFVRUF3d0daV0poYzNOdk1SRXdEd1lEVlFRS0RBaGpiMjF3WV
   request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2FUQ0NBVkVDQVFBd0pERVBNQTBHQTFVRUF3d0daV0poYzNOdk1SRXdEd1lEVlF
           ...
           ...
           0YKcnFEOVB0T0UvVVRLRjB1U3h5cGlLaEs3a2VZNHNSdnJaUlBVVmdBRGx1NXp1aWRqajdnQmtBdzlJQ1dHCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
           vVVRLRjB1U3h5cGlLaEs3a2VZNHNSdnJaUlBVVmdBRGx1NXp1aWRqajdnQmtBdzlJQ1dHCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
   usages:
   usages:
   - digital signature
   - digital signature
Line 103: Line 105:




kubectl get csr
Resultado:
NAME        AGE    REQUESTOR      CONDITION
ebasso-csr  2m16s  minikube-user  '''Pending'''
)
kubectl certificate approve '''ebasso-csr'''
kubectl get csr
Resultado:
NAME        AGE    REQUESTOR      CONDITION
ebasso-csr  4m33s  minikube-user  '''Approved'''
)
kubectl get csr ebasso-csr -o jsonpath='{.status.certificate}'| base64 --decode > ebasso.crt
kubectl config set-credentials ebasso --client-certificate=ebasso.crt --client-key=key
kubectl get csr ebasso-csr -o jsonpath='{.status.certificate}'| base64 --decode > ebasso.crt
kubectl run nginx --image=nginx:apline -n ns-exemplo-autenticacao
)
<nowiki>
cat > role-binding.yml << EOF
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-read-access
  namespace: lfs
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
</nowiki>
kubectl create -f role-binding.yml
kubectl --context=ebasso-context get pods


= Ver também =
= Ver também =

Latest revision as of 01:16, 26 February 2019

EM RASCUNHO AINDA

1) Levantando o Minikube

# Start minikube with the controller-manager pointed at the cluster CA
# certificate and private key (ClusterSigningCertFile / ClusterSigningKeyFile)
# and with RBAC as the API server authorization mode.
# That CA key is what signs the CertificateSigningRequest approved later on this
# page, so whoever can approve CSRs can obtain a client identity for the cluster:
# keep this setup to a local lab and treat CSR approval as a privileged action.
minikube start --extra-config=controller-manager.ClusterSigningCertFile="/var/lib/localkube/certs/ca.crt" \
  --extra-config=controller-manager.ClusterSigningKeyFile="/var/lib/localkube/certs/ca.key" \
  --extra-config=apiserver.authorization-mode=RBAC

Resultado:

😄  minikube v0.34.1 on darwin (amd64)
💡  Tip: Use 'minikube start -p <name>' to create a new cluster, or 'minikube delete' to delete this one.
🏃  Re-using the currently running virtualbox VM for "minikube" ...
⌛  Waiting for SSH access ...
📶  "minikube" IP address is 192.168.99.100
🐳  Configuring Docker as the container runtime ...
✨  Preparing Kubernetes environment ...
    ▪ controller-manager.ClusterSigningCertFile=/var/lib/localkube/certs/ca.crt
    ▪ controller-manager.ClusterSigningKeyFile=/var/lib/localkube/certs/ca.key
    ▪ apiserver.authorization-mode=RBAC
🚜  Pulling images required by Kubernetes v1.13.3 ...
🔄  Relaunching Kubernetes v1.13.3 using kubeadm ...
⌛  Waiting for kube-proxy to come back up ...
🤔  Verifying component health .....
💗  kubectl is now configured to use "minikube"
🏄  Done! Thank you for using minikube!

2) Verificando a configuração, executando o comando:

# Print the active kubeconfig: cluster endpoint, contexts and the credentials
# each user entry points to.
kubectl config view

Resultado:

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /Users/ebasso/.minikube/ca.crt
    server: https://192.168.99.100:8443
  name: minikube
contexts:
- context:
    cluster: minikube
    user: minikube
  name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
  user:
    client-certificate: /Users/ebasso/.minikube/client.crt
    client-key: /Users/ebasso/.minikube/client.key


3) Criando uma namespace

# Dedicated namespace for the example; the nginx pod is started in it later.
kubectl create namespace ns-exemplo-autenticacao


4) Gerando a chave privada e a requisição de assinatura de certificado (CSR)

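# Work in a private directory under $HOME; the user's private key is kept here.
cd
mkdir -p .rbac
chmod 700 .rbac
cd .rbac
# 2048-bit RSA key for the user, readable by the owner only.
openssl genrsa -out ebasso.key 2048
chmod 600 ebasso.key
# With Kubernetes x509 client authentication the subject CN becomes the user
# name and each O becomes a group, so the subject must match exactly what RBAC
# will bind to. The command must end at the closing quote: a trailing \n outside
# the quotes is read by the shell as a literal "n" appended to O.
openssl req -new -key ebasso.key -out ebasso.csr -subj "/CN=ebasso/O=company"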

5) Codificando o CSR em base64 e montando o manifesto signing-request.yml

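# The manifest needs the request as one unbroken base64 string. GNU base64
# wraps its output at 76 columns by default, so strip the newlines to get the
# same single-line value on every platform.
base64 < ebasso.csr | tr -d '\n'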

Resultado

LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2FUQ0NBVkVDQVFBd0pERVBNQTBHQTFVRUF3d0daV0poYzNOdk1SRXdEd1lEVlFRS
...
vVVRLRjB1U3h5cGlLaEs3a2VZNHNSdnJaUlBVVmdBRGx1NXp1aWRqajdnQmtBdzlJQ1dHCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=


# Write the CertificateSigningRequest manifest to signing-request.yml.
# - request is the base64 of ebasso.csr from the previous step; the "..." lines
#   stand for the elided middle of that value and must not be copied literally.
# - usages asks for a certificate valid for client authentication.
# - certificates.k8s.io/v1beta1 matches the Kubernetes v1.13.3 cluster shown on
#   this page; the later certificates.k8s.io/v1 API additionally requires
#   spec.signerName.
# NOTE(review): spec.groups is normally filled in by the API server from the
# requestor rather than taken from the manifest; confirm it is needed here.
cat > signing-request.yml << EOF
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: ebasso-csr
spec:
  groups:
  - system:authenticated
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2FUQ0NBVkVDQVFBd0pERVBNQTBHQTFVRUF3d0daV0poYzNOdk1SRXdEd1lEVlF
           ...
           vVVRLRjB1U3h5cGlLaEs3a2VZNHNSdnJaUlBVVmdBRGx1NXp1aWRqajdnQmtBdzlJQ1dHCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF

6) Criando o objeto CertificateSigningRequest no cluster

# Submit the request to the API server; it stays Pending until someone with
# approval rights acts on it.
kubectl create -f signing-request.yml


# List the requests with their requestor and current condition.
kubectl get csr

Resultado:

NAME         AGE     REQUESTOR       CONDITION
ebasso-csr   2m16s   minikube-user   Pending

7) Aprovando o CSR

# Approving lets the cluster signer issue a client certificate for the subject
# in the request. Review the request before approving (requestor, subject and
# usages, e.g. with `kubectl describe csr ebasso-csr`), because the certificate
# that comes back is a login credential for the cluster.
kubectl certificate approve ebasso-csr


# The condition should now read Approved.
kubectl get csr

Resultado:

NAME         AGE     REQUESTOR       CONDITION
ebasso-csr   4m33s   minikube-user   Approved

8) Extraindo o certificado aprovado e configurando as credenciais no kubectl

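# Extract the issued certificate from the approved CSR; .status.certificate is
# base64-encoded, so decode it into a PEM file.
kubectl get csr ebasso-csr -o jsonpath='{.status.certificate}' | base64 --decode > ebasso.crt

# Register the user in kubeconfig. The client key is the private key generated
# earlier in this directory (ebasso.key), paired with the certificate just issued.
kubectl config set-credentials ebasso --client-certificate=ebasso.crt --client-key=ebasso.key

# Context used by the final check on this page: the minikube cluster, the
# example namespace and the new user.
kubectl config set-context ebasso-context --cluster=minikube --namespace=ns-exemplo-autenticacao --user=ebasso

# Sample workload for the access test, created with the admin context.
kubectl run nginx --image=nginx:alpine -n ns-exemplo-autenticacao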

9) Criando o RoleBinding e testando o acesso

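# Bind the Role "pod-reader" to the user ebasso in the example namespace.
# A RoleBinding needs subjects to grant anything, and it must live in the
# namespace where the Role and the pods are.
# NOTE(review): the Role "pod-reader" is referenced here but not created
# anywhere on this page; it has to exist in the same namespace (read-only verbs
# on pods are enough for the final check) or the binding grants nothing.
# The heredoc delimiter is quoted so the shell does not expand the manifest.
cat > role-binding.yml << 'EOF'
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-read-access
  namespace: ns-exemplo-autenticacao
subjects:
- kind: User
  name: ebasso
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF

kubectl create -f role-binding.yml
# Run as the new user. Listing pods in this namespace should succeed once the
# Role exists; requests outside what pod-reader allows should be denied.
kubectl --context=ebasso-context -n ns-exemplo-autenticacao get pods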

Ver também