Minikube: Exemplo com Autenticação

From Wiki

EM RASCUNHO AINDA

1) Levantando o Minikube

minikube start --extra-config=controller-manager.ClusterSigningCertFile="/var/lib/localkube/certs/ca.crt" \
  --extra-config=controller-manager.ClusterSigningKeyFile="/var/lib/localkube/certs/ca.key" \
  --extra-config=apiserver.authorization-mode=RBAC

Resultado:

😄  minikube v0.34.1 on darwin (amd64)
💡  Tip: Use 'minikube start -p <name>' to create a new cluster, or 'minikube delete' to delete this one.
🏃  Re-using the currently running virtualbox VM for "minikube" ...
⌛  Waiting for SSH access ...
📶  "minikube" IP address is 192.168.99.100
🐳  Configuring Docker as the container runtime ...
✨  Preparing Kubernetes environment ...
    ▪ controller-manager.ClusterSigningCertFile=/var/lib/localkube/certs/ca.crt
    ▪ controller-manager.ClusterSigningKeyFile=/var/lib/localkube/certs/ca.key
    ▪ apiserver.authorization-mode=RBAC
🚜  Pulling images required by Kubernetes v1.13.3 ...
🔄  Relaunching Kubernetes v1.13.3 using kubeadm ...
⌛  Waiting for kube-proxy to come back up ...
🤔  Verifying component health .....
💗  kubectl is now configured to use "minikube"
🏄  Done! Thank you for using minikube!

2) Verificando a configuração, executando o comando:

kubectl config view

Resultado:

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /Users/ebasso/.minikube/ca.crt
    server: https://192.168.99.100:8443
  name: minikube
contexts:
- context:
    cluster: minikube
    user: minikube
  name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
  user:
    client-certificate: /Users/ebasso/.minikube/client.crt
    client-key: /Users/ebasso/.minikube/client.key


) Criando uma namespace

kubectl create namespace ns-exemplo-autenticacao


)

cd
mkdir .rbac
cd .rbac
openssl genrsa -out ebasso.key 2048
openssl req -new -key ebasso.key -out ebasso.csr -subj "/CN=ebasso/O=company"\n

)

cat ebasso.csr | base64 -

Resultado

LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2FUQ0NBVkVDQVFBd0pERVBNQTBHQTFVRUF3d0daV0poYzNOdk1SRXdEd1lEVlFRS
...
vVVRLRjB1U3h5cGlLaEs3a2VZNHNSdnJaUlBVVmdBRGx1NXp1aWRqajdnQmtBdzlJQ1dHCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=


cat > signing-request.yml << EOF
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: ebasso-csr
spec:
  groups:
  - system:authenticated
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2FUQ0NBVkVDQVFBd0pERVBNQTBHQTFVRUF3d0daV0poYzNOdk1SRXdEd1lEVlF
           ...
           vVVRLRjB1U3h5cGlLaEs3a2VZNHNSdnJaUlBVVmdBRGx1NXp1aWRqajdnQmtBdzlJQ1dHCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF

)

kubectl create -f signing-request.yml


kubectl get csr

Resultado:

NAME         AGE     REQUESTOR       CONDITION
ebasso-csr   2m16s   minikube-user   Pending

)

kubectl certificate approve ebasso-csr


kubectl get csr

Resultado:

NAME         AGE     REQUESTOR       CONDITION
ebasso-csr   4m33s   minikube-user   Approved

)

kubectl get csr ebasso-csr -o jsonpath='{.status.certificate}'| base64 --decode > ebasso.crt


kubectl config set-credentials ebasso --client-certificate=ebasso.crt --client-key=key


kubectl get csr ebasso-csr -o jsonpath='{.status.certificate}'| base64 --decode > ebasso.crt
kubectl run nginx --image=nginx:apline -n ns-exemplo-autenticacao

)

cat > role-binding.yml << EOF
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-read-access
  namespace: lfs
roleRef: 
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF

kubectl create -f role-binding.yml
kubectl --context=ebasso-context get pods

Ver também