Problem 4. The user app-manager has been issued the app-manager certificate through a CSR (Certificate Signing Request). Grant this user permission to create, list, get, update and delete deployment, pod and service resources in every namespace of the cluster.
- user name: app-manager
- certificate name: app-manager
- clusterRole name: app-access
- clusterRoleBinding name: app-access-binding
Solution
1. Generate the user's private key and CSR (-subj "/CN=app-manager")
Reference commands from the Kubernetes docs (they use the user name myuser):
openssl genrsa -out myuser.key 2048
openssl req -new -key myuser.key -out myuser.csr
https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user
# Generate the key
openssl genrsa -out app-manager.key 2048
# The CSR is the file that requests a certificate
# Passing the subject with -subj skips the interactive prompts; the CN becomes the Kubernetes user name
# openssl req -new -key app-manager.key -out app-manager.csr
openssl req -new -key app-manager.key -out app-manager.csr -subj "/CN=app-manager"
# Check
ls
# Output
app-manager.csr app-manager.key
# Create the CertificateSigningRequest (template from the docs)
# Write it to a file: run cat > app-manager.yaml, paste the content below, then press Ctrl-D
cat > app-manager.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: myuser
spec:
  request: <base64-encoded CSR, single line>
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400 # one day
  usages:
  - client auth
# Check
ls
# Output
app-manager.csr app-manager.key app-manager.yaml
# The request value LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0... in the docs template is the docs' CSR, not ours, so replace it
# Base64-encode our CSR on a single line (the request field must not contain newlines)
cat app-manager.csr | base64 | tr -d "\n"
# Copy the output
# Open app-manager.yaml and replace the request value
# In vi: delete the old request line with D and paste ours, change metadata.name to app-manager, delete expirationSeconds
vi app-manager.yaml
# Register
kubectl apply -f app-manager.yaml
2. Approve the request
# List the CSRs
kubectl get csr
# The condition shows Pending; the CSR has to be approved
# Output check (the abbreviated form can be used; note that this lists ServiceAccounts in the api-access namespace, not CSRs)
kubectl get sa --namespace=api-access
# Approve the CSR (docs: kubectl certificate approve myuser)
kubectl certificate approve app-manager
# List the CSRs again
kubectl get csr
# Confirm the condition is now Approved,Issued
3. Create the certificate the user will use
# docs: kubectl get csr myuser -o jsonpath='{.status.certificate}'| base64 -d > myuser.crt
kubectl get csr app-manager -o jsonpath='{.status.certificate}' | base64 -d > app-manager.crt
4. Create the ClusterRole and ClusterRoleBinding
# docs (namespaced Role): kubectl create role developer --verb=create --verb=get --verb=list --verb=update --verb=delete --resource=pods
# Create the ClusterRole; a ClusterRole is cluster-scoped, so the binding below covers every namespace
kubectl create clusterrole app-access --verb=create,list,get,update,delete --resource=deployments,pods,services
# Check
kubectl get clusterrole app-access
# Details
kubectl describe clusterrole app-access
# Create the binding
# docs: kubectl create rolebinding developer-binding-myuser --role=developer --user=myuser
kubectl create clusterrolebinding app-access-binding --clusterrole=app-access --user=app-manager
# Check
kubectl get clusterrolebinding app-access-binding
5. Add the user to kubeconfig
# Add the new credentials
# docs: kubectl config set-credentials myuser --client-key=myuser.key --client-certificate=myuser.crt --embed-certs=true
kubectl config set-credentials app-manager --client-key=app-manager.key --client-certificate=app-manager.crt --embed-certs=true
# Check
kubectl config view
# The user has been added
# Add a context
# docs: kubectl config set-context myuser --cluster=kubernetes --user=myuser
kubectl config set-context app-manager --cluster=kubernetes --user=app-manager
# Check
kubectl config view
# The context has been added
# Switch to the new context
# docs: kubectl config use-context myuser
kubectl config use-context app-manager
# Switch back to the original admin context
kubectl config use-context kubernetes-admin@kubernetes
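The steps above hand-edit the CSR manifest, build the RBAC objects with kubectl, and embed the certificate in kubeconfig. The following Python script is an added example, not code from the post or from Kubernetes, that builds the same three objects as JSON (which kubectl apply -f accepts alongside YAML) and checks that the resulting ClusterRole grants exactly the verbs and resources the problem asks for and nothing wider. SAMPLE_CSR_PEM is a constructed stand-in for app-manager.csr, the helper names (csr_manifest, cluster_role, cluster_role_binding, allows, audit_role, kubeconfig_user) are this example's own, and the API-group table covers only the three resources in this exercise.

```python
import base64
import json

# Constructed sample standing in for app-manager.csr; a real one comes from
#   openssl req -new -key app-manager.key -out app-manager.csr -subj "/CN=app-manager"
SAMPLE_CSR_PEM = (
    b"-----BEGIN CERTIFICATE REQUEST-----\n"
    b"MIICVjCCAT4CAQAwETEPMA0GA1UEAwwGYXBwLW1hbmFnZXI=\n"
    b"-----END CERTIFICATE REQUEST-----\n"
)

REQUIRED_RESOURCES = ["deployments", "pods", "services"]
REQUIRED_VERBS = ["create", "list", "get", "update", "delete"]

# API group of each resource named in the exercise (assumption: only these three are needed)
API_GROUP_OF = {"deployments": "apps", "pods": "", "services": ""}


def csr_manifest(name, csr_pem, expiration_seconds=None):
    """CertificateSigningRequest manifest. spec.request is the PEM base64-encoded on one
    line, exactly what `cat app-manager.csr | base64 | tr -d "\\n"` produces."""
    if b"-----BEGIN CERTIFICATE REQUEST-----" not in csr_pem:
        raise ValueError("expected a PEM certificate request")
    spec = {
        "request": base64.b64encode(csr_pem).decode("ascii"),
        "signerName": "kubernetes.io/kube-apiserver-client",
        "usages": ["client auth"],
    }
    if expiration_seconds is not None:  # left out, as in the post, to take the signer's default
        spec["expirationSeconds"] = expiration_seconds
    return {"apiVersion": "certificates.k8s.io/v1", "kind": "CertificateSigningRequest",
            "metadata": {"name": name}, "spec": spec}


def cluster_role(name, resources, verbs):
    """Equivalent of `kubectl create clusterrole NAME --verb=... --resource=...`:
    one rule per API group, so deployments (apps) and pods/services (core) are split."""
    by_group = {}
    for res in resources:
        by_group.setdefault(API_GROUP_OF[res], []).append(res)
    rules = [{"apiGroups": [g], "resources": rs, "verbs": list(verbs)} for g, rs in by_group.items()]
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
            "metadata": {"name": name}, "rules": rules}


def cluster_role_binding(name, role_name, user):
    """Equivalent of `kubectl create clusterrolebinding NAME --clusterrole=... --user=...`."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
            "metadata": {"name": name},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": role_name},
            "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": user}]}


def allows(role, resource, verb):
    """True if any rule grants verb on resource; '*' matches anything, as in the RBAC authorizer."""
    for rule in role["rules"]:
        res_ok = "*" in rule["resources"] or resource in rule["resources"]
        verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
        if res_ok and verb_ok:
            return True
    return False


def audit_role(role, resources, verbs):
    """Return (missing (resource, verb) pairs, whether wildcards grant more than was asked for)."""
    missing = [(r, v) for r in resources for v in verbs if not allows(role, r, v)]
    wildcard = any("*" in rule["resources"] or "*" in rule["verbs"] for rule in role["rules"])
    return missing, wildcard


def kubeconfig_user(name, key_pem, crt_pem):
    """What `kubectl config set-credentials --embed-certs=true` stores: the PEM files
    base64-encoded into the *-data fields instead of file paths."""
    return {"name": name, "user": {
        "client-certificate-data": base64.b64encode(crt_pem).decode("ascii"),
        "client-key-data": base64.b64encode(key_pem).decode("ascii")}}


if __name__ == "__main__":
    role = cluster_role("app-access", REQUIRED_RESOURCES, REQUIRED_VERBS)
    for obj in (csr_manifest("app-manager", SAMPLE_CSR_PEM), role,
                cluster_role_binding("app-access-binding", "app-access", "app-manager")):
        print(json.dumps(obj, indent=2))
    print("audit:", audit_role(role, REQUIRED_RESOURCES, REQUIRED_VERBS))
```

Pipe each printed object into kubectl apply -f - to create it. After the binding exists, kubectl auth can-i delete deployments --all-namespaces --as=app-manager (run as the admin) confirms the grant without switching contexts, and the same command with a resource outside the list, such as secrets, should answer no.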