Skip to content

Instantly share code, notes, and snippets.

@fragolinux

fragolinux/k8s_add_user_clusterrole.sh

Last active April 15, 2022 20:01
Show Gist options
  • Save fragolinux/7a7e152fde630452d406510f0cb6c889 to your computer and use it in GitHub Desktop.
Save fragolinux/7a7e152fde630452d406510f0cb6c889 to your computer and use it in GitHub Desktop.
Download ZIP
adds a new user to k8s cluster as clusterrole admin/edit/view and creates kubeconfig
Raw
k8s_add_user_clusterrole.sh
#!/usr/bin/env bash
# shellcheck disable=2155
GREEN="\033[0;32m"
RED="\033[0;31m"
COLOR_RESET="\033[0m"
echog(){
echo;echo;echo -e "### ${GREEN}${1}${COLOR_RESET} ###"
}
echor(){
echo;echo;echo -e ">>> ${RED}${1}${COLOR_RESET} <<<"
}
[ "${1}" == "" ] && echor "Please provide username as parameter, aborting..." && exit 1
[ ! "$(command -v cfssl)" ] && echor "cfssl not found, please install it" && exit 1
[ ! "$(command -v cfssljson)" ] && echor "cfssljson not found, please install it" && exit 1
NAME="${1}"
csr_name="${NAME}-client-csr"
cert_name="${NAME}-client"
IFS= read -rd '' cfssltemplate << EOF
{
"CN": "${NAME}",
"key": {
"algo": "ecdsa",
"size": 256
}
}
EOF
echo -e "$cfssltemplate" | envsubst > cfssl.json
echog "Creating signing request"
cfssl genkey cfssl.json | cfssljson -bare "${cert_name}"
cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: ${csr_name}
spec:
signerName: kubernetes.io/kube-apiserver-client
groups:
- system:authenticated
request: $(base64 "${cert_name}".csr | tr -d '\n')
usages:
- digital signature
- key encipherment
- client auth
EOF
echog "Approving signing request"
kubectl certificate approve "${csr_name}"
echog "Downloading certificate"
kubectl get csr "${csr_name}" -o jsonpath='{.status.certificate}' | base64 --decode > "${cert_name}".crt
echog "Removing temp files and resources"
kubectl delete csr "${csr_name}"
rm "${cert_name}".csr
rm cfssl.json
PS3='Choose cluster role: '
options=("cluster-admin" "admin" "edit" "view")
select role in "${options[@]}"
do
case $role in
"cluster-admin")
break
;;
"admin")
break
;;
"edit")
break
;;
"view")
break
;;
*) echo "invalid option $REPLY";;
esac
done
echog "This will add ${NAME} as a ${role} for all namespaces."
kubectl create clusterrolebinding "${NAME}" --user="${NAME}" --clusterrole="${role}"
export CLUSTER_CA=$(kubectl get secret -o jsonpath="{.items[?(@.type==\"kubernetes.io/service-account-token\")].data['ca\.crt']}")
export CURRENT_CONTEXT=$(kubectl config current-context)
export CLUSTER_NAME=$(kubectl config get-contexts "${CURRENT_CONTEXT}" | awk '{print $3}' | tail -n 1)
export CLUSTER_ENDPOINT=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"${CLUSTER_NAME}\")].cluster.server}")
export CLIENT_CERTIFICATE_DATA=$(cat "${NAME}"-client.crt | base64 | tr -d "\n")
export CLIENT_KEY_DATA=$(cat "${NAME}"-client-key.pem | base64 | tr -d "\n")
IFS= read -rd '' kubeconfigtemplate << EOF
apiVersion: v1
kind: Config
clusters:
- cluster:
certificate-authority-data: ${CLUSTER_CA}
server: ${CLUSTER_ENDPOINT}
name: ${CLUSTER_NAME}
users:
- name: ${NAME}
user:
client-certificate-data: ${CLIENT_CERTIFICATE_DATA}
client-key-data: ${CLIENT_KEY_DATA}
contexts:
- context:
cluster: ${CLUSTER_NAME}
user: ${NAME}
name: ${NAME}-${CLUSTER_NAME}
current-context: ${NAME}-${CLUSTER_NAME}
EOF
echog "Exporting preconfigured kubeconfig-${NAME}"
echo -e "$kubeconfigtemplate" | envsubst > kubeconfig-"${NAME}"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment