Create Role and RBAC for cluster with minimum access:

Step-1: openssl genrsa -out poc.key 2048

The command you provided generates a new RSA private key using OpenSSL with a key length of 2048 bits. The private key will be saved to a file named "poc.key" in the current directory.

  • openssl: This is the command to invoke OpenSSL.

  • genrsa: This is the OpenSSL command for generating an RSA private key.

  • -out poc.key: This specifies the output file where the generated private key will be saved. In this case, it will be saved as "poc.key".

  • 2048: This parameter specifies the key length in bits. In this case, a 2048-bit key will be generated.

Step-2: openssl req -new -key poc.key -out poc.csr -subj "/CN=poc/O=readonly"

The command you provided is used to generate a Certificate Signing Request (CSR) using OpenSSL. Here's a breakdown of the command:

  • openssl: This is the command to invoke OpenSSL.

  • req: This is the OpenSSL command for creating a CSR.

  • -new: This flag specifies that a new CSR is being created.

  • -key poc.key: This specifies the private key file (poc.key) that will be used to generate the CSR. The private key is necessary to establish the identity of the entity requesting the certificate.

  • -out poc.csr: This specifies the output file (poc.csr) where the generated CSR will be saved.

  • -subj "/CN=poc/O=readonly": This flag sets the subject field of the CSR with the provided information. The subject field contains the identity information of the entity requesting the certificate. In this case, the Common Name (CN) is set to "poc" and the Organization (O) is set to "readonly".

After running this command, you should have a file named "poc.csr" containing the generated CSR, which can be used to request a digital certificate from a certificate authority (CA) to establish the authenticity and identity of the entity associated with the private key.

Step-3: scp <privateIP>:/etc/kubernetes/pki/ca.{crt,key} .

The scp command you provided is used to securely copy files between a local machine and a remote machine using the SSH protocol. In this case, you are copying the files /etc/kubernetes/pki/ca.crt and /etc/kubernetes/pki/ca.key from the remote machine with the private IP address <privateIP> to the current directory (.) on your local machine.

Here's a breakdown of the command:

  • scp: This is the command to initiate the secure file transfer using SSH.

  • <privateIP>: This is the private IP address of the remote machine from which you want to copy the files.

  • :/etc/kubernetes/pki/ca.{crt,key}: This specifies the source path on the remote machine. Your local shell's brace expansion ({crt,key}) turns it into two source arguments before scp runs, so both ca.crt and ca.key are copied.

  • .: This specifies the destination directory on your local machine. In this case, it represents the current directory.

After running this command, the ca.crt and ca.key files from the remote machine will be copied to the current directory on your local machine.

Step-4: openssl x509 -req -in poc.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out poc.crt -days 3650

The command you provided is used to sign a Certificate Signing Request (CSR) using OpenSSL and generate a corresponding certificate. Here's a breakdown of the command:

  • openssl: This is the command to invoke OpenSSL.

  • x509: This is the OpenSSL command for working with X.509 certificates.

  • -req: This flag indicates that a CSR is being used as input.

  • -in poc.csr: This specifies the input CSR file (poc.csr) that needs to be signed.

  • -CA ca.crt: This specifies the CA certificate file (ca.crt) that will be used to sign the CSR. The resulting certificate is issued by this CA, which is the cluster CA the API server uses to verify client certificates.

  • -CAkey ca.key: This specifies the private key file (ca.key) associated with the CA certificate. The private key is required to sign the CSR and generate the certificate.

  • -CAcreateserial: This flag instructs OpenSSL to create a serial number file if it does not exist. The serial number file is used to uniquely identify the generated certificate.

  • -out poc.crt: This specifies the output file (poc.crt) where the signed certificate will be saved.

  • -days 3650: This sets the validity period of the certificate to 3650 days (approximately 10 years).

After running this command, you should have a file named poc.crt containing the signed certificate generated from the provided CSR, signed by the CA specified by ca.crt and ca.key. The certificate will be valid for 3650 days.

AND THE LAST:

This will help us to create a config file (poc.config) with the specified values. The --server value must be the API server URL (6443 is the default API server port on a kubeadm cluster), and all four commands write to the same file, so each must use --kubeconfig poc.config:

  1. kubectl --kubeconfig poc.config config set-cluster kubernetes --server https://<privateIP>:6443 --certificate-authority=ca.crt

  2. kubectl --kubeconfig poc.config config set-credentials poc --client-certificate poc.crt --client-key poc.key

  3. kubectl --kubeconfig poc.config config set-context poc-kubernetes --cluster kubernetes --user poc

  4. kubectl --kubeconfig poc.config config use-context poc-kubernetes

Now, the last step is to access our cluster through the config file, i.e. poc.config (in my case)

CMD:

kubectl --kubeconfig poc.config get pods
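Whether that get pods is allowed is decided by RBAC, which the post does not show. The block below is an added example in Python (not the author's code): it maps the subject /CN=poc/O=readonly to a user and group the way the API server does, defines a constructed Role and RoleBinding giving group readonly read-only access to pods in the default namespace, and runs a simplified RBAC check over them (the names pod-reader, pod-reader-readonly and the namespace are assumptions).

```python
# Added example, not code from the original post. It maps the certificate subject "/CN=poc/O=readonly"
# to a Kubernetes identity and checks it against a constructed least-privilege Role/RoleBinding
# using a simplified model of RBAC evaluation (namespaced Role/RoleBinding only).
# Role: read-only access to pods in "default" (same keys as the YAML you would kubectl apply).
ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "pod-reader", "namespace": "default"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}],
}
# RoleBinding: grant pod-reader to the group "readonly", which the certificate's O= field supplies.
ROLE_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
    "metadata": {"name": "pod-reader-readonly", "namespace": "default"},
    "subjects": [{"kind": "Group", "name": "readonly", "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"},
}

def identity_from_subject(subj):
    """Map an OpenSSL-style subject the way kube-apiserver does: CN -> user name, each O -> a group."""
    user, groups = None, []
    for rdn in subj.strip("/").split("/"):
        key, _, value = rdn.partition("=")
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    return user, groups

def _rule_matches(rule, api_group, resource, verb):
    hit = lambda allowed, wanted: "*" in allowed or wanted in allowed
    return hit(rule["apiGroups"], api_group) and hit(rule["resources"], resource) and hit(rule["verbs"], verb)

def is_allowed(user, groups, namespace, verb, resource, api_group="",
               roles=(ROLE,), bindings=(ROLE_BINDING,)):
    """Allow only if a RoleBinding in the request's namespace names the user (or one of the
    user's groups) and the Role it references has a rule covering apiGroup/resource/verb."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding never grants anything outside its own namespace
        if not any((s["kind"] == "User" and s["name"] == user) or
                   (s["kind"] == "Group" and s["name"] in groups) for s in binding["subjects"]):
            continue
        role = roles_by_key.get((namespace, binding["roleRef"]["name"]))
        if role and any(_rule_matches(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False  # RBAC is deny-by-default: nothing matched, so the request is forbidden

if __name__ == "__main__":  # what "kubectl --kubeconfig poc.config get pods" is checked against
    user, groups = identity_from_subject("/CN=poc/O=readonly")
    for ns, verb in (("default", "get"), ("default", "delete"), ("kube-system", "get")):
        print(f"{user} {groups}: {verb} pods in {ns} ->", is_allowed(user, groups, ns, verb, "pods"))
```

The equivalent YAML is what you would kubectl apply before handing over poc.config; with only this binding, get pods in default succeeds and everything else, including the same request in another namespace, is forbidden.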

THANK YOU!!