Minikube: Exemplo com Autenticação

From Wiki
Revision as of 01:06, 26 February 2019 by Ebasso (talk | contribs)

1) Levantando o Minikube 

minikube start --extra-config=controller-manager.ClusterSigningCertFile="/var/lib/localkube/certs/ca.crt" \
  --extra-config=controller-manager.ClusterSigningKeyFile="/var/lib/localkube/certs/ca.key" \
  --extra-config=apiserver.authorization-mode=RBAC

Resultado: 

😄  minikube v0.34.1 on darwin (amd64)
💡  Tip: Use 'minikube start -p <name>' to create a new cluster, or 'minikube delete' to delete this one.
🏃  Re-using the currently running virtualbox VM for "minikube" ...
⌛  Waiting for SSH access ...
📶  "minikube" IP address is 192.168.99.100
🐳  Configuring Docker as the container runtime ...
✨  Preparing Kubernetes environment ...
    ▪ controller-manager.ClusterSigningCertFile=/var/lib/localkube/certs/ca.crt
    ▪ controller-manager.ClusterSigningKeyFile=/var/lib/localkube/certs/ca.key
    ▪ apiserver.authorization-mode=RBAC
🚜  Pulling images required by Kubernetes v1.13.3 ...
🔄  Relaunching Kubernetes v1.13.3 using kubeadm ...
⌛  Waiting for kube-proxy to come back up ...
🤔  Verifying component health .....
💗  kubectl is now configured to use "minikube"
🏄  Done! Thank you for using minikube!

2) Verificando a configuração, executando o comando: 

kubectl config view

Resultado: 

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /Users/ebasso/.minikube/ca.crt
    server: https://192.168.99.100:8443
  name: minikube
contexts:
- context:
    cluster: minikube
    user: minikube
  name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
  user:
    client-certificate: /Users/ebasso/.minikube/client.crt
    client-key: /Users/ebasso/.minikube/client.key


) Criando uma namespace 

kubectl create namespace ns-exemplo-autenticacao


) 

cd
mkdir .rbac
cd .rbac
openssl genrsa -out ebasso.key 2048
openssl req -new -key ebasso.key -out ebasso.csr -subj "/CN=ebasso/O=company"\n

) 

cat ebasso.csr | base64 -

Resultado 

LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2FUQ0NBVkVDQVFBd0pERVBNQTBHQTFVRUF3d0daV0poYzNOdk1SRXdEd1lEVlFRS
...
vVVRLRjB1U3h5cGlLaEs3a2VZNHNSdnJaUlBVVmdBRGx1NXp1aWRqajdnQmtBdzlJQ1dHCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=



cat > signing-request.yml << EOF
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: ebasso-csr
spec:
  groups:
  - system:authenticated
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2FUQ0NBVkVDQVFBd0pERVBNQTBHQTFVRUF3d0daV0poYzNOdk1SRXdEd1lEVlF
           ...
           vVVRLRjB1U3h5cGlLaEs3a2VZNHNSdnJaUlBVVmdBRGx1NXp1aWRqajdnQmtBdzlJQ1dHCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF

) 

kubectl create -f signing-request.yml



kubectl get csr

Resultado: 

NAME         AGE     REQUESTOR       CONDITION
ebasso-csr   2m16s   minikube-user   Pending

) 

kubectl certificate approve ebasso-csr



kubectl get csr

Resultado: 

NAME         AGE     REQUESTOR       CONDITION
ebasso-csr   4m33s   minikube-user   Approved

) 

kubectl get csr ebasso-csr -o jsonpath='{.status.certificate}'| base64 --decode > ebasso.crt



kubectl config set-credentials ebasso --client-certificate=ebasso.crt --client-key=key



kubectl get csr ebasso-csr -o jsonpath='{.status.certificate}'| base64 --decode > ebasso.crt

kubectl run nginx --image=nginx:apline -n ns-exemplo-autenticacao

) 

cat > role.yml << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
 name: ebasso-csr
rules:
- apiGrous: [""] # "" indicates the
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
EOF


Ver também

Retrieved from "https://ebasso.net/wiki/index.php?title=Minikube:_Exemplo_com_Autenticação&oldid=5227"