
Authentication and authorization in k8s for Kubevirt VNC

Allan Roger Reid edited this page Aug 2, 2024 · 1 revision

References:
https://kubevirt.io/2018/KubeVirt-API-Access-Control.html
https://hbayraktar.medium.com/how-to-create-a-user-in-a-kubernetes-cluster-and-grant-access-bfeed991a0ef

Authentication

Generate a Key Pair and Certificate Signing Request (CSR)

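# Generate the client's RSA private key and a CSR. The CN (eco@min-k1) becomes
# the Kubernetes username once the certificate is issued, so the RoleBinding
# subject further down must use exactly this name.
# The key is a long-lived credential: create it owner-readable only (the umask
# is changed inside a subshell so the rest of the session is unaffected).
(umask 077 && openssl genrsa -out eco-min-k1.key 2048)
openssl req -new -key eco-min-k1.key -out eco-min-k1.csr -subj "/CN=eco@min-k1"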

Create the CSR YAML template

# Write the CertificateSigningRequest template. The <base64-encoded ...>
# placeholder is substituted with the real request in the next step.
# The delimiter is quoted so the manifest is written literally, with no
# shell expansion of its contents.
cat > eco-min-k1-csr-template.yaml <<'EOF'
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: eco-min-k1-csr
spec:
  request: <base64-encoded eco-min-k1.csr>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF

Generate the CSR content in Base64 and create the YAML file

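# Remove any previous request of the same name so the create below does not
# collide; --ignore-not-found keeps a first run from failing here.
kubectl delete csr eco-min-k1-csr --ignore-not-found
# The CSR must be a single base64 line; tr strips the line wrapping that some
# base64 implementations add.
CSR_CONTENT=$(base64 < eco-min-k1.csr | tr -d '\n')
# '|' is used as the sed delimiter because it cannot occur in base64 output
# (A-Z a-z 0-9 + / =).
sed "s|<base64-encoded eco-min-k1.csr>|$CSR_CONTENT|" eco-min-k1-csr-template.yaml > eco-min-k1-csr.yaml
kubectl create -f eco-min-k1-csr.yaml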

Approve the CSR and retrieve the signed certificate

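kubectl get csr
kubectl certificate approve eco-min-k1-csr
# The signer issues the certificate asynchronously after approval, so
# .status.certificate can still be empty immediately after the approve call.
# Poll briefly rather than writing an empty eco-min-k1.crt.
cert=""
for ((attempt = 0; attempt < 30; attempt++)); do
  cert=$(kubectl get csr eco-min-k1-csr -o jsonpath='{.status.certificate}')
  [[ -n "$cert" ]] && break
  sleep 1
done
if [[ -z "$cert" ]]; then
  printf 'eco-min-k1-csr: no certificate issued yet; inspect the CSR status before continuing\n' >&2
else
  printf '%s' "$cert" | base64 --decode > eco-min-k1.crt
fi
kubectl get csr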

Set credentials for dev

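# All entries go into a dedicated kubeconfig (eco.kubeconfig). Existing entries
# are dropped first so the steps can be re-run; the names must match what
# set-cluster/set-context create below (min-k1) for the delete to have an effect.
kubectl config delete-cluster min-k1 --kubeconfig=eco.kubeconfig
kubectl config delete-context min-k1 --kubeconfig=eco.kubeconfig

# The CA file is addressed relative to $HOME (the same location the virtctl
# step at the end of the page uses) instead of a user-specific absolute path.
kubectl config set-cluster min-k1 --server=https://api.k1.min.dev:6443 --certificate-authority="$HOME/Downloads/kubevirt/eco/min-k1.crt" --embed-certs=true --kubeconfig=eco.kubeconfig

# --embed-certs copies the client private key into eco.kubeconfig, so the file
# is itself a credential; keep it owner-readable only.
kubectl config set-credentials eco --client-certificate=eco-min-k1.crt --client-key=eco-min-k1.key --embed-certs=true --kubeconfig=eco.kubeconfig
chmod 600 eco.kubeconfig

# Exactly one --namespace: the context's default namespace is vms.
kubectl config set-context min-k1 --cluster=min-k1 --namespace=vms --user=eco --kubeconfig=eco.kubeconfig

kubectl config use-context min-k1 --kubeconfig=eco.kubeconfig

kubectl config get-contexts --kubeconfig=eco.kubeconfig
kubectl config get-clusters --kubeconfig=eco.kubeconfig

# Connectivity check only. The Role defined under "Authorization" grants just
# the VNC/console subresources, so a Forbidden response here is expected unless
# other bindings also apply to eco@min-k1; a TLS or connection error is the
# thing to look for.
kubectl -n vms get pods --kubeconfig=eco.kubeconfig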

Authorization

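# Replace any previous copy of the Role; --ignore-not-found keeps a first run
# from failing here.
kubectl -n vms delete role vm-vnc-access --ignore-not-found
# Quoted delimiter: the manifest is written literally, with no shell expansion.
# Least privilege: `virtctl vnc` uses the virtualmachineinstances/vnc
# subresource. The virtualmachines/console and virtualmachines/vnc entries
# look unnecessary for VNC alone — confirm against the cluster's API resources
# before trimming them.
cat << 'EOF' > vms-cr.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: vms
  name: vm-vnc-access
  labels:
    kubevirt.io: "vm-vnc-access"
rules:
  - apiGroups:
      - subresources.kubevirt.io
    resources:
      - virtualmachineinstances/vnc
      - virtualmachines/console
      - virtualmachines/vnc
    verbs:
      - get
EOF
kubectl create -f vms-cr.yaml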

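# Replace any previous copy of the RoleBinding; --ignore-not-found keeps a
# first run from failing here.
kubectl -n vms delete rolebinding vm-read --ignore-not-found
# Quoted delimiter: the manifest is written literally, with no shell expansion.
# The subject name must equal the CSR subject CN (eco@min-k1): for
# client-certificate authentication the API server takes the username from
# the certificate's CN, so a mismatch silently grants nothing.
cat << 'EOF' > vms-rb.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: vm-read
  namespace: vms
subjects:
- kind: User
  name: eco@min-k1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: vm-vnc-access
  apiGroup: rbac.authorization.k8s.io
EOF
kubectl create -f vms-rb.yaml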

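# End-to-end check: open a VNC session to the win2k11-0 VMI as the eco user.
# This is the operation the Role above authorizes (get on
# virtualmachineinstances/vnc); the expansion is quoted so a $HOME containing
# spaces does not split the argument.
./virtctl -n vms vnc win2k11-0 --kubeconfig="$HOME/Downloads/kubevirt/eco/eco.kubeconfig"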
