The goal of this project is to make it easy to create a Kubernetes user. While the k8s documentation is quick to point out that users do not exist in Kubernetes, sometimes you just want to generate a kubeconfig which has access to the cluster.
This access can be achived by the following means:
- create a Service Account with a token with access to the cluster
- create a RSA certificate/key pair allowing access to the cluster
The "user" is not given any permissions be default, so you still need to create/associate the user with ClusterRoleBindings/RoleBindgins.
This project is inspired by the following blog post: https://www.openlogic.com/blog/granting-user-access-your-kubernetes-cluster
TODO
- Automate the creation of openssl key and csr
- Automate the creation of a k8s CSR resource
- Automate the approval of the CSR resource
- Automate the creation of a kubeconfig
- Automate or document the creation of cluster premissions
- Create a command line tool as well as python api
- Automate the SA Token workflow
- Allow passing in SA and CSR resource metadata to CLI
- Document well
- Automate the build
- 95% test coverage
pip install kubernetes-user# basic usage
k8s_user csr myusername
# or providing a non-default kubeconfig
python -m k8s_user csr myusername \
--kubeconfig ~/.kube/config
# or using local Git checkout
pip install -e .
python -m k8s_user csr myusername
# basic usage
k8s_user sa myusername
# or providing a non-default kubeconfig
k8s_user sa myusername \
--kubeconfig ~/.kube/config
# or without installing
python -m k8s_user sa myusername
# or without installing and providing a non-default kubeconfig
python -m k8s_user sa myusername \
--kubeconfig ~/.kube/configAdd a clusterrollbinding for the new user
kubectl create clusterrolebinding joe-admin --clusterrole=admin --user=joeCreate and sign the user
import kubernetes
from kubernetes import client, config
api_client = config.new_client_from_config()
from k8s_user import CSRK8sUser
user = CSRK8sUser(name="joe")
inputs = {
"cluster_name": "default",
"context_name": "default",
"out_kubeconfig": "new-kubeconfig.yaml",
"creds_dir": ".",
}
user.create(api_client, inputs)Add a clusterrollbinding for the new user
kubectl create clusterrolebinding joe-admin --clusterrole=admin --user=joeThis example assumes you are connected to a Kubernetes cluster with a kubeconfig in the default location.
import kubernetes
from kubernetes import client, config
from k8s_user.k8s.csr_resource import CSRResource
from k8s_user.pki import CSRandKey, Cert
csr_name = 'joe'
# create a KEY and CSR
candk = CSRandKey(csr_name, additional_subject={"O": "jazstudios"})
# save the csr and key
candk.csr.save("joe.csr.pem")
candk.key.save("joe.key.pem")
# create the k8s api client. Load the kubeconfig from the default location (~/.kube/config)
api_client = config.new_client_from_config()
# Define the CertificateSigningRequest Kubernetes Resource
csr = CSRResource(
name=csr_name, # the name of the CertificateSigningRequest k8s object
csr_str=candk.csr.base64, # the base64 encoded csr string
metadata={"labels": {"foo": "bar"}}, # optional dict with fields matching k8s V1ObjectMeta object
)
# Check if the k8s CSR resource exists
csr.resource_exists(api_client)
# Create the k8s CSR resource
obj = csr.create(api_client)
# Check again if the k8s CSR resource exists (it will now)
csr.resource_exists(api_client)
# Approve the k8s CSR resource
approved_csr_obj = csr.approve(api_client)
# Get the certificate as a base64 encoded PEM string
crt_str = csr.get_cert(api_client)
# Save the certificate to a file
candk = Cert(crt_data=base64.b64decode(crt_str))
candk.save('joe.crt.pem')It is recommended that you have Docker installed in order to use the development tools for this project. The Makefile will use Docker to run the installation and unit tests.
Build a Docker image with all the deps needed to test this project.
make buildRun the unit tests for this project.
make testEnter into an interactive shell inside a Docker, with all dependencies installed.
make shellClean up all temporary files generated by this project
make cleanCreate a Python wheel in the dist/ directory
make package