Minikube: Exemplo com Autenticação: Difference between revisions
No edit summary |
No edit summary |
||
Line 136: | Line 136: | ||
) | ) | ||
<nowiki> | <nowiki> | ||
cat > role.yml << EOF | cat > role.yml << EOF | ||
apiVersion: rbac.authorization.k8s.io/v1 | apiVersion: rbac.authorization.k8s.io/v1 |
Revision as of 01:06, 26 February 2019
1) Levantando o Minikube
minikube start --extra-config=controller-manager.ClusterSigningCertFile="/var/lib/localkube/certs/ca.crt" \ --extra-config=controller-manager.ClusterSigningKeyFile="/var/lib/localkube/certs/ca.key" \ --extra-config=apiserver.authorization-mode=RBAC
Resultado:
😄 minikube v0.34.1 on darwin (amd64) 💡 Tip: Use 'minikube start -p <name>' to create a new cluster, or 'minikube delete' to delete this one. 🏃 Re-using the currently running virtualbox VM for "minikube" ... ⌛ Waiting for SSH access ... 📶 "minikube" IP address is 192.168.99.100 🐳 Configuring Docker as the container runtime ... ✨ Preparing Kubernetes environment ... ▪ controller-manager.ClusterSigningCertFile=/var/lib/localkube/certs/ca.crt ▪ controller-manager.ClusterSigningKeyFile=/var/lib/localkube/certs/ca.key ▪ apiserver.authorization-mode=RBAC 🚜 Pulling images required by Kubernetes v1.13.3 ... 🔄 Relaunching Kubernetes v1.13.3 using kubeadm ... ⌛ Waiting for kube-proxy to come back up ... 🤔 Verifying component health ..... 💗 kubectl is now configured to use "minikube" 🏄 Done! Thank you for using minikube!
2) Verificando a configuração, executando o comando:
kubectl config view
Resultado:
apiVersion: v1 clusters: - cluster: certificate-authority: /Users/ebasso/.minikube/ca.crt server: https://192.168.99.100:8443 name: minikube contexts: - context: cluster: minikube user: minikube name: minikube current-context: minikube kind: Config preferences: {} users: - name: minikube user: client-certificate: /Users/ebasso/.minikube/client.crt client-key: /Users/ebasso/.minikube/client.key
) Criando uma namespace
kubectl create namespace ns-exemplo-autenticacao
)
cd mkdir .rbac cd .rbac openssl genrsa -out ebasso.key 2048 openssl req -new -key ebasso.key -out ebasso.csr -subj "/CN=ebasso/O=company"\n
)
cat ebasso.csr | base64 -
Resultado
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2FUQ0NBVkVDQVFBd0pERVBNQTBHQTFVRUF3d0daV0poYzNOdk1SRXdEd1lEVlFRS ... vVVRLRjB1U3h5cGlLaEs3a2VZNHNSdnJaUlBVVmdBRGx1NXp1aWRqajdnQmtBdzlJQ1dHCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
cat > signing-request.yml << EOF apiVersion: certificates.k8s.io/v1beta1 kind: CertificateSigningRequest metadata: name: ebasso-csr spec: groups: - system:authenticated request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2FUQ0NBVkVDQVFBd0pERVBNQTBHQTFVRUF3d0daV0poYzNOdk1SRXdEd1lEVlF ... vVVRLRjB1U3h5cGlLaEs3a2VZNHNSdnJaUlBVVmdBRGx1NXp1aWRqajdnQmtBdzlJQ1dHCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo= usages: - digital signature - key encipherment - client auth EOF
)
kubectl create -f signing-request.yml
kubectl get csr
Resultado:
NAME AGE REQUESTOR CONDITION ebasso-csr 2m16s minikube-user Pending
)
kubectl certificate approve ebasso-csr
kubectl get csr
Resultado:
NAME AGE REQUESTOR CONDITION ebasso-csr 4m33s minikube-user Approved
)
kubectl get csr ebasso-csr -o jsonpath='{.status.certificate}'| base64 --decode > ebasso.crt
kubectl config set-credentials ebasso --client-certificate=ebasso.crt --client-key=key
kubectl get csr ebasso-csr -o jsonpath='{.status.certificate}'| base64 --decode > ebasso.crt
kubectl run nginx --image=nginx:apline -n ns-exemplo-autenticacao
)
cat > role.yml << EOF apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: ebasso-csr rules: - apiGrous: [""] # "" indicates the resources: ["pods"] verbs: ["get", "watch", "list"] EOF