How To Create Cluster Role For IAM USER

Gupta Aditya
4 min read, Apr 20, 2021

Hey guys, hope you are all doing well. In today's article we are going to create a cluster role for a user. Kubernetes authorizes at two scopes. A Role is namespace scoped: a user bound to a Role can use the resources it lists, but only inside that one namespace, and cannot use cluster-scoped objects such as StorageClasses, PersistentVolumes, Nodes or Namespaces at all, because those only exist at cluster level and can only be granted through a ClusterRole. A ClusterRole is cluster scoped and can grant exactly those resources (and, when bound with a ClusterRoleBinding, a resource across every namespace). The steps for creating a ClusterRole are similar to the ones we followed for the Role in the previous article; if you have not read it, the link is provided below, so go through it first and come back for a better understanding.

In the previous article we had to send two files (the user's certificate and private key) from the Kubernetes master to the workstation. Shipping several files around is not a good option. Instead we can build one kubeconfig file on the master, with the CA certificate, the user certificate and the key embedded in it, and hand only that single file to the user who is going to use it.

On the Kubernetes master, go to the /etc/kubernetes/pki/ folder, which holds the cluster CA (ca.crt and ca.key) that kubeadm created, using the command below:

cd /etc/kubernetes/pki/

Inside this folder run the following commands to create a private key, a certificate signing request (CSR) from that key, and a certificate signed with the cluster CA (ca.crt and ca.key in this directory). Two of the fields openssl asks for are not free-form for Kubernetes: the Common Name (CN) becomes the username the API server sees, and the one you will bind the cluster role to, and the Organization (O) becomes the user's group. Fill in the other fields (country, state, email, etc.) as you want, but do not leave them blank, and set the CN deliberately. Use a 2048-bit key or larger; 1024-bit RSA is no longer considered safe. Pass -days when signing, otherwise openssl issues the certificate for only 30 days.

openssl genrsa -out "Name you want".key 2048 => make a private key
Eg: openssl genrsa -out aditya.key 2048 => make a private key
openssl req -new -key "your key file" -out "Name you want".csr => make a CSR from the key {it will ask for various things such as name, email, state etc.; fill them in, with Common Name = the Kubernetes username and Organization = the group}
Eg: openssl req -new -key aditya.key -out aditya.csr => make a CSR from the key
openssl x509 -req -in "your csr file" -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out "Name you want".crt => sign the CSR with the cluster CA; run this on the Kubernetes master
Eg: openssl x509 -req -in aditya.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out aditya.crt => make the crt on the master

Note that only the CSR and the CA need to be on the master; the user's private key does not. The safer workflow is for the user to run the first two commands on their own workstation and send you just the .csr file, so that the key never leaves their machine and you only return the signed .crt.

Once the certificate is made we are ready to set up the kubeconfig file. If you set up the Kubernetes cluster using kubeadm, an admin kubeconfig is already present at /root/.kube/config; you can copy that file and edit it as per your requirement, or copy the format below. Mind the indentation: this is YAML, and the fields under cluster:, context: and user: must be indented as shown.

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: [base64 of ca.crt]
    server: https://[public ip]:6443
  name: [cluster name]
contexts:
- context:
    cluster: [cluster name]
    user: [user name]
  name: [user@clustername]
current-context: [user@clustername]
kind: Config
preferences: {}
users:
- name: [user name]
  user:
    client-certificate-data: [base64 of user.crt]
    client-key-data: [base64 of user.key]

Now that you have the format of the kubeconfig file, add the required data. For the certificate-authority-data field you need the contents of ca.crt encoded as a single base64 line; do not paste the PEM text directly (the output of cat or of opening the file), encode it with the following command (-w0 tells GNU base64 not to wrap the output, and the value must be on one line):

cat filename | base64 -w0

Copy the output of the above command into the certificate-authority-data field of the kubeconfig file.

Do the same for client-certificate-data and client-key-data: encode the user's .crt and .key files respectively (aditya.crt and aditya.key here) with the same base64 command and paste the output into those two fields.

Once you have copied the data, fill in the remaining information such as cluster name, context name, user name and server address; current-context must be exactly the name you gave the context. Your kubeconfig file is now ready. Send it to the user for whom you made it and they can use it directly with kubectl (as their ~/.kube/config or via the --kubeconfig flag), with no more hassle of sending multiple files 😎😎. Keep in mind that this one file contains the user's private key: transfer it over a secure channel such as scp, and have the user keep it readable only by themselves (mode 600).
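The whole procedure above (key, CSR with the CN/O that Kubernetes reads, signing with the cluster CA, and a single kubeconfig with everything embedded) as an added shell example; this is not the article's own command listing. It assumes the CA lives in CA_DIR (default /etc/kubernetes/pki), and the user name "aditya", group "storage-admins", cluster name "kubernetes" and server address 203.0.113.10 are placeholders. The demo function builds a throwaway CA in a temporary directory so it can be run on any machine with openssl; on a real control plane leave CA_DIR alone and call the other functions directly.

```shell
#!/usr/bin/env bash
# Added example (not the article's own commands): sign a client certificate for a
# Kubernetes user and assemble a self-contained kubeconfig for them.
# Assumptions (placeholders): CA_DIR holds ca.crt/ca.key; user "aditya", group
# "storage-admins", cluster "kubernetes", API server https://203.0.113.10:6443.
set -eu

CA_DIR="${CA_DIR:-/etc/kubernetes/pki}"

# 2048-bit key plus a CSR whose CN is the Kubernetes username and whose O is the
# group. The API server takes the username and group from exactly these fields,
# so they are not free-form. Runs on the user's workstation in the safer workflow.
make_user_csr() {
  local user="$1" group="$2" outdir="$3"
  openssl genrsa -out "$outdir/$user.key" 2048 2>/dev/null
  openssl req -new -key "$outdir/$user.key" -out "$outdir/$user.csr" \
    -subj "/CN=$user/O=$group" 2>/dev/null
}

# Sign the CSR with the cluster CA; only the CSR has to reach the control plane.
# -days is explicit because openssl x509 -req otherwise issues a 30-day cert.
sign_user_csr() {
  local user="$1" outdir="$2" days="${3:-365}"
  openssl x509 -req -in "$outdir/$user.csr" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
    -CAcreateserial -days "$days" -out "$outdir/$user.crt" 2>/dev/null
}

# Show the subject so the CN (username) can be checked before the cert is handed out.
cert_subject() {
  openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# Single-line base64, portable equivalent of the article's base64 -w0.
b64() { base64 < "$1" | tr -d '\n'; }

# Embed CA, certificate and key so the user receives exactly one file.
write_kubeconfig() {
  local user="$1" cluster="$2" server="$3" outdir="$4" out="$5"
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: $cluster
  cluster:
    server: $server
    certificate-authority-data: $(b64 "$CA_DIR/ca.crt")
contexts:
- name: $user@$cluster
  context:
    cluster: $cluster
    user: $user
current-context: $user@$cluster
users:
- name: $user
  user:
    client-certificate-data: $(b64 "$outdir/$user.crt")
    client-key-data: $(b64 "$outdir/$user.key")
EOF
  chmod 600 "$out"   # the file carries a private key
}

# Throwaway CA so the demo runs anywhere; never do this on a real control plane.
make_test_ca() {
  local dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kubernetes" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# End-to-end run against the throwaway CA; prints the path of the kubeconfig last.
demo() {
  local work; work="$(mktemp -d)"
  make_test_ca "$work"
  CA_DIR="$work"
  make_user_csr aditya storage-admins "$work"
  sign_user_csr aditya "$work"
  write_kubeconfig aditya kubernetes https://203.0.113.10:6443 "$work" "$work/aditya.kubeconfig"
  openssl verify -CAfile "$work/ca.crt" "$work/aditya.crt"
  cert_subject "$work/aditya.crt"
  echo "$work/aditya.kubeconfig"
}
```

If you would rather not hand-write the YAML, kubectl can produce the same file: kubectl config set-cluster / set-credentials / set-context with --embed-certs=true and --kubeconfig=FILE write the base64-embedded fields for you without contacting the API server. Either way, run cert_subject on the signed certificate before sending it: the CN you see there is the name the ClusterRoleBinding has to refer to.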

Once all the above steps are done the kubeconfig file is set up, but when you run kubectl get pods from the workstation it may still fail. (I am using an AWS cloud instance, which is why this error appears; if you are configuring on a local system this step is not required.) The cause is a TLS error rather than a networking problem: while configuring the master, kubeadm only put the addresses it knew at the time, including the instance's private IP, into the Subject Alternative Names of the API server certificate (/etc/kubernetes/pki/apiserver.crt). When kubectl connects to the public IP, the certificate is not valid for that address and the client rejects it. To add the public IP to the certificate, run the commands below on the master.

rm /etc/kubernetes/pki/apiserver.*
kubeadm init phase certs apiserver --apiserver-cert-extra-sans=<aws public ip>
docker rm -f `docker ps -q -f 'name=k8s_kube-apiserver*'`
systemctl restart kubelet

Only the apiserver certificate phase is needed, since only apiserver.crt and apiserver.key were removed; kubeadm re-derives the private IP and the other default names itself and adds the extra SAN you pass. kube-apiserver runs as a static pod, so deleting its container makes the kubelet start it again with the new certificate (the docker command applies to the Docker runtime; on containerd use crictl instead).
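Before rewriting any certificate it is worth confirming what the current one is actually valid for, because a kubectl TLS failure is easy to mistake for a firewall or security-group problem. The following is an added example, not the article's own commands: cert_has_san reads the Subject Alternative Names out of a certificate, and regen_apiserver_cert wraps the re-issue steps from above. The path /etc/kubernetes/pki/apiserver.crt is the kubeadm default; the addresses 10.0.1.5 and 203.0.113.10 are placeholders, and make_test_server_cert only exists so the check can be exercised without a control plane.

```shell
#!/usr/bin/env bash
# Added example (not the article's own commands): check which addresses the
# API server certificate covers, then re-issue it with the public IP added.
# Assumptions: kubeadm layout (/etc/kubernetes/pki); 203.0.113.10 and 10.0.1.5
# are placeholder public and private IPs.
set -eu

API_CERT="${API_CERT:-/etc/kubernetes/pki/apiserver.crt}"

# Print the Subject Alternative Name values of a certificate.
cert_sans() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Succeed only if the certificate lists the given address or name, e.g.
#   cert_has_san /etc/kubernetes/pki/apiserver.crt 203.0.113.10
# Run this before treating kubectl's x509 error as a network problem.
cert_has_san() {
  cert_sans "$1" | grep -Fw -- "$2" >/dev/null
}

# Re-issue the API server certificate with the public IP as an extra SAN.
# Run on the control plane as root. kubeadm re-derives the names it computes
# itself (detected advertise address, service IP, hostname) and appends the
# extra SAN; deleting the static-pod container makes kubelet restart
# kube-apiserver with the new certificate.
regen_apiserver_cert() {
  local public_ip="$1"
  rm -f /etc/kubernetes/pki/apiserver.crt /etc/kubernetes/pki/apiserver.key
  kubeadm init phase certs apiserver --apiserver-cert-extra-sans="$public_ip"
  docker rm -f "$(docker ps -q -f name=k8s_kube-apiserver)"   # Docker runtime; use crictl on containerd
  systemctl restart kubelet
}

# Throwaway certificate with a private IP, a public IP and a DNS name in its
# SANs, used only to exercise cert_has_san. Prints the certificate path.
make_test_server_cert() {
  local dir="$1"
  cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = kube-apiserver
[v3]
subjectAltName = IP:10.0.1.5, IP:203.0.113.10, DNS:kubernetes
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/san.cnf" \
    -keyout "$dir/apiserver.key" -out "$dir/apiserver.crt" 2>/dev/null
  echo "$dir/apiserver.crt"
}
```

After regen_apiserver_cert, run cert_has_san "$API_CERT" with the public IP again; it should now succeed, and a fresh kubectl get pods from the workstation should move from the TLS error to the Forbidden error discussed next.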

After running the above commands, run kubectl get pods on the workstation again. This time you may get a Forbidden error saying that the user cannot list the resource (something like: User "aditya" cannot list resource "pods"). That actually means you have done all the steps correctly: the API server accepted the certificate and knows who the user is, so authentication works, and only authorization is missing. Until now we have created a user who can reach the Kubernetes master, but what they can and cannot do in the cluster is for the master to decide, and that is controlled with a ClusterRole and a ClusterRoleBinding.

kubectl create clusterrole [name] --verb=[actions you want to allow] --resource=[resources they may use]
Eg:
kubectl create clusterrole mysadminrole --verb=get,list,watch,create --resource=pv
kubectl get clusterrole => list the cluster roles
kubectl create clusterrolebinding [name for the cluster rolebinding] --clusterrole=[cluster role] --user=[user name]
Eg:
kubectl create clusterrolebinding mynewroleadmin --clusterrole=mysadminrole --user=aditya

The --user value must be exactly the Common Name you put in the certificate, otherwise the binding never matches. Bind the role you just created rather than the built-in cluster-admin role: cluster-admin grants every verb on every resource in the whole cluster, which is far more than a user who only needs persistent volumes should have.
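The same ClusterRole and ClusterRoleBinding written out as manifests, plus the check an administrator can run without the user's kubeconfig, as an added example that is not part of the original article. The role name pv-viewer, the user aditya and the rule set (persistent volumes plus read-only storage classes, the cluster-scoped objects the intro mentions) are placeholders; the subject name has to equal the certificate's CN.

```shell
#!/usr/bin/env bash
# Added example (not the article's own commands): least-privilege ClusterRole
# and the binding that attaches it to a certificate user, with a verification
# step. Placeholders: role "pv-viewer", user "aditya", group "storage-admins".
set -eu

# Emit the two manifests. The subject "name" is the certificate CN; a second
# subject of kind Group would bind everyone whose certificate carries that O.
rbac_manifest() {
  local user="$1" role="${2:-pv-viewer}"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: $role
rules:
- apiGroups: [""]
  resources: ["persistentvolumes"]
  verbs: ["get", "list", "watch", "create"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $user-$role
subjects:
- kind: User
  name: $user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: $role
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Apply with the admin kubeconfig (needs a reachable cluster).
apply_rbac() { rbac_manifest "$@" | kubectl apply -f -; }

# Impersonate the user from the admin side to confirm the binding does what was
# intended and nothing more; each line prints yes or no.
verify_access() {
  local user="$1" group="${2:-}"
  kubectl auth can-i list persistentvolumes --as="$user" ${group:+--as-group="$group"}   # expect yes
  kubectl auth can-i delete persistentvolumes --as="$user"                               # expect no
  kubectl auth can-i list pods --as="$user"                                              # expect no
  kubectl auth can-i '*' '*' --as="$user"                                                # expect no: not cluster-admin
}
```

The last can-i line is the one to keep in a runbook: if it ever answers yes for an ordinary user, some binding has handed out cluster-admin, which is exactly the mistake of binding the built-in role instead of the one you wrote.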
