A package for creating Kubernetes users.
Project description
Kubernetes User Creator
The goal of this project is to make it easy to create a Kubernetes user. While the k8s documentation is quick to point out that users do not exist in Kubernetes, sometimes you just want to generate a kubeconfig which has access to the cluster.
This access can be achieved by the following means:
- create a Service Account with a token with access to the cluster
- create an RSA certificate/key pair allowing access to the cluster
The "user" is not given any permissions by default, so you still need to create/associate the user with ClusterRoleBindings/RoleBindings.
This project is inspired by the following blog post: https://www.openlogic.com/blog/granting-user-access-your-kubernetes-cluster
TODO
- Automate the creation of openssl key and csr
- Automate the creation of a k8s CSR resource
- Automate the approval of the CSR resource
- Automate the creation of a kubeconfig
- Automate or document the creation of cluster permissions
- Create a command line tool as well as python api
- Automate the SA Token workflow
- Allow passing in SA and CSR resource metadata to CLI
- Document well
- Automate the build
- 95% test coverage
Install
pip install kubernetes-user
CLI Quick Start
Generate a CSR-based User
# basic usage
k8s_user csr myusername
# or providing a non-default kubeconfig
k8s_user csr myusername \
    --kubeconfig ~/.kube/config
# or without installing
python -m k8s_user csr myusername
# or without installing and providing a non-default kubeconfig
python -m k8s_user csr myusername \
    --kubeconfig ~/.kube/config
Generate a SA-based User with token
# basic usage
k8s_user sa myusername
# or providing a non-default kubeconfig
k8s_user sa myusername \
    --kubeconfig ~/.kube/config
# or without installing
python -m k8s_user sa myusername
# or without installing and providing a non-default kubeconfig
python -m k8s_user sa myusername \
    --kubeconfig ~/.kube/config
Add a clusterrolebinding for the new user
kubectl create clusterrolebinding joe-admin --clusterrole=admin --user=joe
Python API Quick Start
Create and sign the user
import kubernetes
from kubernetes import client, config
from k8s_user import CSRK8sUser
# create the k8s api client from the kubeconfig in the default location
api_client = config.new_client_from_config()
user = CSRK8sUser(name="joe")
inputs = {
    "cluster_name": "default",
    "context_name": "default",
    "out_kubeconfig": "new-kubeconfig.yaml",
    "creds_dir": ".",
}
user.create(api_client, inputs)
Add a clusterrolebinding for the new user
kubectl create clusterrolebinding joe-admin --clusterrole=admin --user=joe
Low-Level CSR API Interaction
This example assumes you are connected to a Kubernetes cluster with a kubeconfig in the default location.
import base64
import kubernetes
from kubernetes import client, config
from k8s_user.k8s.csr_resource import CSRResource
from k8s_user.pki import CSRandKey, Cert
csr_name = 'joe'
# create a KEY and CSR
candk = CSRandKey(csr_name, additional_subject={"O": "jazstudios"})
# save the csr and key
candk.csr.save("joe.csr.pem")
candk.key.save("joe.key.pem")
# create the k8s api client. Load the kubeconfig from the default location (~/.kube/config)
api_client = config.new_client_from_config()
# Define the CertificateSigningRequest Kubernetes Resource
csr = CSRResource(
    name=csr_name,  # the name of the CertificateSigningRequest k8s object
    csr_str=candk.csr.base64,  # the base64 encoded csr string
    metadata={"labels": {"foo": "bar"}},  # optional dict with fields matching k8s V1ObjectMeta object
)
# Check if the k8s CSR resource exists
csr.resource_exists(api_client)
# Create the k8s CSR resource
obj = csr.create(api_client)
# Check again if the k8s CSR resource exists (it will now)
csr.resource_exists(api_client)
# Approve the k8s CSR resource
approved_csr_obj = csr.approve(api_client)
# Get the signed certificate (base64 encoded)
crt_str = csr.get_cert(api_client)
# Decode the certificate and save it to a file
cert = Cert(crt_data=base64.b64decode(crt_str))
cert.save('joe.crt.pem')
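Turning the signed certificate and key from the example above into a kubeconfig, as an added example (not code from the k8s_user project). It uses only the standard library; the function names, the server URL and the PEM strings are constructed placeholders, and the file is written as JSON, which kubectl parses as YAML.

```python
import base64
import json
import os
import stat


def b64(pem: str) -> str:
    """kubeconfig *-data fields hold the base64 of the PEM text."""
    return base64.b64encode(pem.encode()).decode()


def build_kubeconfig(user, server, ca_pem, cert_pem, key_pem,
                     cluster_name="default", context_name="default"):
    """Return a kubeconfig dict with the client cert and key embedded."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "current-context": context_name,
        "clusters": [{"name": cluster_name, "cluster": {
            "server": server,
            "certificate-authority-data": b64(ca_pem)}}],
        "users": [{"name": user, "user": {
            "client-certificate-data": b64(cert_pem),
            "client-key-data": b64(key_pem)}}],
        "contexts": [{"name": context_name, "context": {
            "cluster": cluster_name, "user": user}}],
    }


def write_private(path, kubeconfig):
    """Write the file owner-only (0600) and refuse to overwrite.

    The kubeconfig embeds the private key, so it must never be created
    with default (group/world-readable) permissions.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(kubeconfig, fh, indent=2)
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    # Constructed placeholders, not real credentials.
    cfg = build_kubeconfig(
        "joe", "https://k8s.example.invalid:6443",
        "-----BEGIN CERTIFICATE-----\nCA\n-----END CERTIFICATE-----\n",
        "-----BEGIN CERTIFICATE-----\nJOE\n-----END CERTIFICATE-----\n",
        "-----BEGIN PRIVATE KEY-----\nKEY\n-----END PRIVATE KEY-----\n")
    print(oct(write_private("joe-kubeconfig.json", cfg)))
```

The resulting file carries the private key, so treat it like the key itself: keep it out of version control and shared directories.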
Hashes for kubernetes_user-0.0.3-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | a3e0377104b1b309c4a8e2f909d8539073a478ab15967d15b542e160dacb9298
MD5 | 7b3c356662ddb808b2eabe1e32733ebb
BLAKE2b-256 | fcd23949bc034eaa1c88bdcc6c9498fe886aacf6d29e75ed2f9c5359199b71ee