Migrate the role to a separate repo
This commit is contained in:
commit
44bce4b274
|
|
@ -0,0 +1,34 @@
|
|||
Kubernetes RBAC
|
||||
=========
|
||||
|
||||
Add user to k8s cluster drom control plain node
|
||||
|
||||
Role Variables
|
||||
--------------
|
||||
Will add soon
|
||||
|
||||
Dependencies
|
||||
------------
|
||||
|
||||
Example Playbook
|
||||
----------------
|
||||
|
||||
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
|
||||
|
||||
---
|
||||
- hosts: k8s_master
|
||||
become: no
|
||||
roles:
|
||||
- role: '.'
|
||||
|
||||
License
|
||||
-------
|
||||
|
||||
BSD
|
||||
|
||||
Author Information
|
||||
------------------
|
||||
|
||||
Feel free to contribute
|
||||
|
||||
If you got something to say, send me an email (allanger@protonmail.com)
|
||||
|
|
@ -0,0 +1,52 @@
|
|||
---
|
||||
# --------------------------------------
|
||||
# -- yq version
|
||||
# --------------------------------------
|
||||
yq:
|
||||
version: v4.31.2
|
||||
binary: yq_linux_amd64
|
||||
# --------------------------------------
|
||||
# -- Path to k8s admin config
|
||||
# --------------------------------------
|
||||
k8s_config_path: /etc/kubernetes/admin.conf
|
||||
k8s_cert_path: /etc/kubernetes/pki
|
||||
k8s_cert_crt_file: ca.crt
|
||||
k8s_cert_key_file: ca.key
|
||||
# --------------------------------------
|
||||
# -- K8s username
|
||||
# --------------------------------------
|
||||
username: "admin"
|
||||
# --------------------------------------
|
||||
# -- How many days certificate
|
||||
# -- will be valid
|
||||
# --------------------------------------
|
||||
certificate_expires_in: 500
|
||||
# --------------------------------------
|
||||
# -- K8s cluster name
|
||||
# --------------------------------------
|
||||
cluster: "microk8s-cluster"
|
||||
# --------------------------------------
|
||||
# -- RoleBinding parameters
|
||||
# --------------------------------------
|
||||
# -- Binding type:
|
||||
# ---- ClusterRoleBinding
|
||||
# ---- RoleBinding
|
||||
# --------------------------------------
|
||||
binding_type: ClusterRoleBinding
|
||||
# --------------------------------------
|
||||
# -- Role type
|
||||
# -- ClusterRole
|
||||
# -- Role
|
||||
# --------------------------------------
|
||||
role_type: ClusterRole
|
||||
# --------------------------------------
|
||||
# -- Cluster role name
|
||||
# -- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
|
||||
# --------------------------------------
|
||||
role: cluster-admin
|
||||
|
||||
# --------------------------------------
|
||||
# -- Use with microk8s
|
||||
# --------------------------------------
|
||||
# k8s_config_path: /var/snap/microk8s/current/credentials/client.config
|
||||
# k8s_cert_path: /var/snap/microk8s/current/certs
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
- name: remove certificates
|
||||
file:
|
||||
state: absent
|
||||
path: "{{ working_dir }}"
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
# --------------------------------------
|
||||
# -- Initialize kubernetes cluster
|
||||
# --------------------------------------
|
||||
---
|
||||
- hosts: k8s_master
|
||||
become: no
|
||||
roles:
|
||||
- role: '.'
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
galaxy_info:
|
||||
author: Allen Languor
|
||||
description: Create k8s user
|
||||
license: license (GPL-2.0-or-later, MIT, etc)
|
||||
min_ansible_version: 2.1
|
||||
platforms:
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- 20.04
|
||||
- 18.04
|
||||
|
||||
galaxy_tags:
|
||||
- kubernetes
|
||||
- rbac
|
||||
|
|
@ -0,0 +1,151 @@
|
|||
# --------------------------------------
|
||||
# -- Create kubernetes user
|
||||
# --------------------------------------
|
||||
# -- 1. Install packages
|
||||
# -- 2. Generate certificate
|
||||
# -- 3. Add user to kubernetes
|
||||
# -- 4. Remove certificates (Optional)
|
||||
# --------------------------------------
|
||||
---
|
||||
- name: Prepare working directory
|
||||
block:
|
||||
- name: Set workdir as fact
|
||||
set_fact:
|
||||
working_dir: "{{ working_dir | ansible_env.HOME }}/.certs/{{ username }}"
|
||||
|
||||
- name: Create a directory if it does not exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ working_dir }}"
|
||||
state: directory
|
||||
mode: "0775"
|
||||
|
||||
- name: Ensure required packages are installed
|
||||
tags: packages
|
||||
block:
|
||||
# -------------------------
|
||||
# -- Prepare kubectl repo
|
||||
# -------------------------
|
||||
- name: Add an apt signing key for Kubernetes
|
||||
become: yes
|
||||
apt_key:
|
||||
url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
|
||||
state: present
|
||||
|
||||
- name: Adding apt repository for Kubernetes
|
||||
become: yes
|
||||
apt_repository:
|
||||
repo: deb https://apt.kubernetes.io/ kubernetes-xenial main
|
||||
state: present
|
||||
filename: kubernetes.list
|
||||
|
||||
# --------------------------------------
|
||||
# -- Install yq
|
||||
# --------------------------------------
|
||||
- name: Ensure yq is installed
|
||||
become: yes
|
||||
get_url:
|
||||
url: "https://github.com/mikefarah/yq/releases/download/{{ yq.version }}/{{ yq.binary }}"
|
||||
dest: /usr/bin/yq
|
||||
mode: "0777"
|
||||
|
||||
- name: Ensure kubectl and openssl are installed
|
||||
become: yes
|
||||
package:
|
||||
name: "{{ packages }}"
|
||||
state: present
|
||||
vars:
|
||||
packages:
|
||||
- kubectl
|
||||
- openssl
|
||||
|
||||
- name: Generate openssl certificate
|
||||
tags: openssl
|
||||
block:
|
||||
- name: Generate an OpenSSL private key
|
||||
community.crypto.openssl_privatekey:
|
||||
path: "{{ working_dir }}/{{ username }}.key"
|
||||
size: 2048
|
||||
|
||||
- name: Generate an OpenSSL Certificate Signing Request
|
||||
community.crypto.openssl_csr:
|
||||
path: "{{ working_dir }}/{{ username }}.csr"
|
||||
privatekey_path: "{{ working_dir }}/{{ username }}.key"
|
||||
common_name: "{{ username }}"
|
||||
|
||||
- name: Generate an OpenSSL certificate signed with your own CA certificate
|
||||
become: yes
|
||||
community.crypto.x509_certificate:
|
||||
path: "{{ working_dir }}/{{ username }}.crt"
|
||||
csr_path: "{{ working_dir }}/{{ username }}.csr"
|
||||
ownca_path: "{{ k8s_cert_path }}/{{ k8s_cert_crt_file }}"
|
||||
ownca_privatekey_path: "{{ k8s_cert_path }}/{{ k8s_cert_key_file }}"
|
||||
provider: ownca
|
||||
entrust_not_after: "+{{ certificate_expires_in }}d"
|
||||
|
||||
- name: Add user to cluster
|
||||
block:
|
||||
# --------------------------------------
|
||||
# -- Get k8s server from admin.conf
|
||||
# --------------------------------------
|
||||
- name: Get k8s server
|
||||
shell: yq e '.clusters[0] | select(.name == "{{ cluster }}").cluster.server' "{{ k8s_config_path }}"
|
||||
register: kubernetes_server_output
|
||||
# --------------------------------------
|
||||
# -- Get k8s certificate authority data
|
||||
# -- from admin-conf
|
||||
# --------------------------------------
|
||||
- name: Get k8s certificate authority data
|
||||
shell: yq e '.clusters[0] | select(.name == "{{ cluster }}").cluster.certificate-authority-data' "{{ k8s_config_path }}"
|
||||
register: kubernetes_cad_output
|
||||
|
||||
- name: Get user cert data
|
||||
shell: cat "{{ working_dir }}/{{ username }}.crt" | base64 -w 0
|
||||
register: user_cert_data_output
|
||||
|
||||
- name: Get user key data
|
||||
shell: cat "{{ working_dir }}/{{ username }}.key" | base64 -w 0
|
||||
register: user_key_data_output
|
||||
|
||||
- name: Set variables for template
|
||||
set_fact:
|
||||
kubernetes_server: "{{ kubernetes_server_output.stdout }}"
|
||||
kubernetes_cad: "{{ kubernetes_cad_output.stdout }}"
|
||||
user_cert_data: " {{ user_cert_data_output.stdout }}"
|
||||
user_key_data: " {{ user_key_data_output.stdout }}"
|
||||
|
||||
- name: Create k8s user
|
||||
ansible.builtin.shell: |
|
||||
kubectl config set-credentials "{{ username }}"\
|
||||
--client-certificate="{{ working_dir }}/{{ username }}.crt" \
|
||||
--client-key="{{ working_dir }}/{{ username }}.key"
|
||||
notify: remove certificates
|
||||
|
||||
- name: Set user context
|
||||
ansible.builtin.shell: |
|
||||
kubectl config set-context "{{ username }}@{{ cluster }}" \
|
||||
--cluster={{ cluster }} --user="{{ username }}"
|
||||
|
||||
- name: Create config file from template
|
||||
template:
|
||||
src: config.j2
|
||||
dest: "{{ working_dir }}/config"
|
||||
|
||||
- name: Storing config on the local machine
|
||||
ansible.builtin.fetch:
|
||||
src: "{{ working_dir }}/config"
|
||||
dest: ./
|
||||
flat: yes
|
||||
tags: config
|
||||
|
||||
- name: Bind user to role
|
||||
block:
|
||||
- name: Generate role binding yaml
|
||||
template:
|
||||
src: role-binding.j2
|
||||
dest: "{{ working_dir }}/{{ username }}.yaml"
|
||||
|
||||
- name: Apply role binding manifest
|
||||
environment:
|
||||
KUBECONFIG: "{{ k8s_config_path }}"
|
||||
shell: kubectl apply -f "{{ working_dir }}/{{ username }}.yaml"
|
||||
tags: add_user
|
||||
|
|
@ -0,0 +1,19 @@
|
|||
apiVersion: v1
|
||||
clusters:
|
||||
- cluster:
|
||||
certificate-authority-data: {{ kubernetes_cad }}
|
||||
server: {{ kubernetes_server }}
|
||||
name: {{ cluster }}
|
||||
contexts:
|
||||
- context:
|
||||
cluster: {{ cluster }}
|
||||
user: {{ username }}
|
||||
name: {{ username }}@{{ cluster }}
|
||||
current-context: {{ username }}@{{ cluster }}
|
||||
kind: Config
|
||||
preferences: {}
|
||||
users:
|
||||
- name: {{ username }}
|
||||
user:
|
||||
client-certificate-data: {{ user_cert_data }}
|
||||
client-key-data: {{ user_key_data }}
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: {{ binding_type}}
|
||||
metadata:
|
||||
name: {{ username }}
|
||||
namespace: {{ k8s_namespace | default("default") }}
|
||||
subjects:
|
||||
- kind: User
|
||||
name: {{ username }}
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
roleRef:
|
||||
kind: {{ role_type }}
|
||||
name: {{ role }}
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
|
@ -0,0 +1 @@
|
|||
---
|
||||
Loading…
Reference in New Issue