A package for creating Kubernetes users.
Kubernetes User Creator
The goal of this project is to make it easy to create a Kubernetes user. While the k8s documentation is quick to point out that users do not exist in Kubernetes, sometimes you just want to generate a kubeconfig which has access to the cluster.
This access can be achieved by the following means:
- create a Service Account with a token with access to the cluster
- create an RSA certificate/key pair allowing access to the cluster
The "user" is not given any permissions by default, so you still need to create/associate the user with ClusterRoleBindings/RoleBindings.
This project is inspired by the following blog post: https://www.openlogic.com/blog/granting-user-access-your-kubernetes-cluster
TODO
- Automate the creation of openssl key and csr
- Automate the creation of a k8s CSR resource
- Automate the approval of the CSR resource
- Automate the creation of a kubeconfig
- Automate or document the creation of cluster permissions
- Create a command line tool as well as a Python API
- Automate the SA Token workflow
- Allow passing in SA and CSR resource metadata to CLI
- Document well
- Automate the build
- 95% test coverage
Install
pip install kubernetes-user
CLI Quick Start
Generate a CSR-based User
# basic usage
k8s_user csr myusername
# or providing a non-default kubeconfig
k8s_user csr myusername \
--kubeconfig ~/.kube/config
# or without installing
python -m k8s_user csr myusername
# or without installing and providing a non-default kubeconfig
python -m k8s_user csr myusername \
--kubeconfig ~/.kube/config
Generate a SA-based User with token
# basic usage
k8s_user sa myusername
# or providing a non-default kubeconfig
k8s_user sa myusername \
--kubeconfig ~/.kube/config
# or without installing
python -m k8s_user sa myusername
# or without installing and providing a non-default kubeconfig
python -m k8s_user sa myusername \
--kubeconfig ~/.kube/config
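An added example, not part of the k8s_user package: a standard-library check of the service-account token that ends up in an SA-based kubeconfig, showing the username the API server derives from it and whether the token ever expires. The sample tokens, their claims and the `default` namespace are constructed for illustration; the function names are hypothetical.

```python
import base64
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_claims(token: str) -> dict:
    """Decode a JWT payload without verifying it (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_sa_token(token: str, now=None) -> dict:
    """Report who the token authenticates as and how long it stays valid."""
    claims = token_claims(token)
    now = time.time() if now is None else now
    sub = claims.get("sub", "")
    prefix = "system:serviceaccount:"
    if not sub.startswith(prefix):
        raise ValueError("sub is not a service account: %r" % sub)
    namespace, name = sub[len(prefix):].split(":", 1)
    exp = claims.get("exp")  # absent on secret-based tokens, which never expire
    return {
        "username": sub,
        "rbac_subject": {"kind": "ServiceAccount", "namespace": namespace, "name": name},
        "expires": exp is not None,
        "seconds_left": None if exp is None else int(exp - now),
    }


def make_sample(claims: dict) -> str:
    """Constructed sample: fake header and signature, no cluster would accept it."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return ".".join([header, b64url(json.dumps(claims).encode()), b64url(b"not-a-signature")])


# Constructed claims: a secret-based token (no exp) and a time-bound one.
LEGACY = make_sample({"iss": "kubernetes/serviceaccount",
                      "sub": "system:serviceaccount:default:myusername"})
BOUND = make_sample({"iss": "https://kubernetes.default.svc",
                     "sub": "system:serviceaccount:default:myusername",
                     "exp": 1700003600})

if __name__ == "__main__":
    for tok in (LEGACY, BOUND):
        print(audit_sa_token(tok, now=1700000000))
```

For an SA-based user the RBAC subject is the service account itself, so a binding names it in kubectl's `--serviceaccount=default:myusername` form (namespace assumed) rather than with `--user`. A token that reports `expires: False` stays valid until the service account or its secret is deleted, so the kubeconfig holding it should be stored accordingly.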
Add a ClusterRoleBinding for the new user
kubectl create clusterrolebinding joe-admin --clusterrole=admin --user=joe
Python API Quick Start
Create and sign the user
import kubernetes
from kubernetes import client, config
from k8s_user import CSRK8sUser
# create the k8s api client from the kubeconfig in the default location
api_client = config.new_client_from_config()
user = CSRK8sUser(name="joe")
inputs = {
    "cluster_name": "default",
    "context_name": "default",
    "out_kubeconfig": "new-kubeconfig.yaml",
    "creds_dir": ".",
}
# create the key and CSR, have the cluster sign it, and write the kubeconfig
user.create(api_client, inputs)
Add a ClusterRoleBinding for the new user
kubectl create clusterrolebinding joe-admin --clusterrole=admin --user=joe
Low-Level CSR API Interaction
This example assumes you are connected to a Kubernetes cluster with a kubeconfig in the default location.
import base64
import kubernetes
from kubernetes import client, config
from k8s_user.k8s.csr_resource import CSRResource
from k8s_user.pki import CSRandKey, Cert
csr_name = 'joe'
# create a KEY and CSR
candk = CSRandKey(csr_name, additional_subject={"O": "jazstudios"})
# save the csr and key
candk.csr.save("joe.csr.pem")
candk.key.save("joe.key.pem")
# create the k8s api client. Load the kubeconfig from the default location (~/.kube/config)
api_client = config.new_client_from_config()
# Define the CertificateSigningRequest Kubernetes Resource
csr = CSRResource(
    name=csr_name,  # the name of the CertificateSigningRequest k8s object
    csr_str=candk.csr.base64,  # the base64 encoded csr string
    metadata={"labels": {"foo": "bar"}},  # optional dict with fields matching k8s V1ObjectMeta object
)
# Check if the k8s CSR resource exists
csr.resource_exists(api_client)
# Create the k8s CSR resource
obj = csr.create(api_client)
# Check again if the k8s CSR resource exists (it will now)
csr.resource_exists(api_client)
# Approve the k8s CSR resource
approved_csr_obj = csr.approve(api_client)
# Get the signed certificate (base64 encoded)
crt_str = csr.get_cert(api_client)
# Decode the certificate and save it to a file
cert = Cert(crt_data=base64.b64decode(crt_str))
cert.save('joe.crt.pem')
File details
Details for the file kubernetes-user-0.0.3.tar.gz.
File metadata
- Download URL: kubernetes-user-0.0.3.tar.gz
- Upload date:
- Size: 18.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.2.0 pkginfo/1.5.0.1 requests/2.24.0 setuptools/44.0.0 requests-toolbelt/0.9.1 tqdm/4.48.0 CPython/3.8.5
File hashes
Algorithm | Hash digest
---|---
SHA256 | de492317a68394784845c6a08f2ddec3a43f1148b7bbc731b3db3dcd20901b31
MD5 | c3913362db7d771264147ef2d1b7b665
BLAKE2b-256 | 2a0eaa9b7f3344bbcff047da6eb2e044b1b2a6d5d97b13c27199bb85dfb0d9b5
File details
Details for the file kubernetes_user-0.0.3-py3-none-any.whl.
File metadata
- Download URL: kubernetes_user-0.0.3-py3-none-any.whl
- Upload date:
- Size: 22.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.2.0 pkginfo/1.5.0.1 requests/2.24.0 setuptools/44.0.0 requests-toolbelt/0.9.1 tqdm/4.48.0 CPython/3.8.5
File hashes
Algorithm | Hash digest
---|---
SHA256 | a3e0377104b1b309c4a8e2f909d8539073a478ab15967d15b542e160dacb9298
MD5 | 7b3c356662ddb808b2eabe1e32733ebb
BLAKE2b-256 | fcd23949bc034eaa1c88bdcc6c9498fe886aacf6d29e75ed2f9c5359199b71ee