Commit 3a36df07 authored by carlosribas's avatar carlosribas

Control access to services using RBAC authorization

parent 88031230
#!/bin/bash
# Script to control access to services using RBAC authorization.
# When executing this script the following items will be created:
# - Namespace
# - ServiceAccount
# - Role
# - RoleBinding
if [ "$#" -ne 3 ]; then
echo "Usage: $0 <path to kubectl config> <namepsace> <data centre prefix>"
echo "e.g. $0 ~/.kube/myclust.cfg test hx"
exit 0
fi
CONFIG=$1
NS=$2
DC=$3
echo -e "Using: config file=$CONFIG, namespace=$NS, datacentre=$DC"
sed -e "s/<NAMESPACE>/$NS/g" k8s-setup.tmpl | kubectl --kubeconfig $CONFIG apply -f -
sa_secret=`kubectl get sa $NS-sa -o jsonpath={.secrets[].name} --kubeconfig $CONFIG -n $NS`
kubectl get secret $sa_secret -o go-template='{{index .data "ca.crt"}}' --kubeconfig $CONFIG -n $NS | base64 --decode > "$DC-$NS"-ca.crt
kubectl get secret $sa_secret -o go-template='{{index .data "token"}}' --kubeconfig $CONFIG -n $NS | base64 --decode > "$DC-$NS"-token.txt
echo -e "The following files were created: $DC-$NS-ca.crt and $DC-$NS-token.txt"
\ No newline at end of file
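Review bot: The service-account token written to `"$DC-$NS"-token.txt` is a bearer credential, yet it is created under the caller's default umask and the script has no `set -e`, so if the `kubectl get sa` lookup returns nothing (as it will on clusters that no longer auto-create token secrets, where `.secrets` is empty) the two `kubectl get secret` lines run with an empty name, leave empty or wrong files behind, and the final message still reports success. I would add `set -euo pipefail` and `umask 077` near the top, check `sa_secret` is non-empty before using it, and quote every expansion (`$CONFIG`, `$NS`, `$sa_secret`) — the unquoted `$NS` also goes straight into the `sed` pattern, so a namespace containing `/` or `&` rewrites the template rather than erroring. The usage branch should exit non-zero (`exit 2`) and fix the "namepsace" typo, and `echo -e` is unnecessary since neither message contains escapes.
```bash
#!/bin/bash
set -euo pipefail
# … unchanged: header comment and usage check (exit 2 instead of 0) …
CONFIG=$1
NS=$2
DC=$3
# Accept only DNS-label namespaces; anything else would be interpolated into the sed pattern.
[[ "$NS" =~ ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ ]] || { echo "invalid namespace: $NS" >&2; exit 2; }
umask 077   # token file is a bearer credential: owner-readable only
echo "Using: config file=$CONFIG, namespace=$NS, datacentre=$DC"
sed -e "s/<NAMESPACE>/$NS/g" k8s-setup.tmpl | kubectl --kubeconfig "$CONFIG" apply -f -
sa_secret=$(kubectl get sa "$NS-sa" -o 'jsonpath={.secrets[].name}' --kubeconfig "$CONFIG" -n "$NS")
[[ -n "$sa_secret" ]] || { echo "no token secret found for $NS-sa; create one explicitly" >&2; exit 1; }
kubectl get secret "$sa_secret" -o go-template='{{index .data "ca.crt"}}' --kubeconfig "$CONFIG" -n "$NS" | base64 --decode > "$DC-$NS-ca.crt"
kubectl get secret "$sa_secret" -o go-template='{{index .data "token"}}' --kubeconfig "$CONFIG" -n "$NS" | base64 --decode > "$DC-$NS-token.txt"
echo "The following files were created: $DC-$NS-ca.crt and $DC-$NS-token.txt"
```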
apiVersion: v1
kind: Namespace
metadata:
name: <NAMESPACE>
labels:
name: <NAMESPACE>
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: <NAMESPACE>-sa
namespace: <NAMESPACE>
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: <NAMESPACE>
name: <NAMESPACE>-role
rules:
- apiGroups: ["apps/v1","apps","extensions"]
resources: ["deployments", "replicasets"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["configmaps", "services"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: <NAMESPACE>-rb
namespace: <NAMESPACE>
subjects:
- kind: ServiceAccount
name: <NAMESPACE>-sa
namespace: <NAMESPACE>
roleRef:
kind: Role
name: <NAMESPACE>-role
apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
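Review bot: `"apps/v1"` in the Role's first `apiGroups` list is not an API group — `apiGroups` takes the group name only, so that entry matches nothing and can be dropped, and `"extensions"` only matters on clusters old enough to still serve deployments from that group; the rule reduces to `- apiGroups: ["apps"]`. The second rule grants full write, including `delete`, on `configmaps` and `services` for the whole namespace, which lets the bound service account alter any application's configuration or redirect traffic there; if the token is only meant for deploying, a comment stating why `delete` is needed (or dropping it) would make the intent reviewable. The indentation of the manifest appears to have been lost in this rendering, so I am assuming the nested keys are correctly indented in the file itself.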