Add userspace chart and docs
This allows easy creation of user namespaces with limited permissions.
This commit is contained in:
227
README.md
227
README.md
@@ -24,6 +24,22 @@ A project to store container-based hosting stuff.
|
||||
- [Jellyfin](#jellyfin)
|
||||
- [Iperf3](#iperf3)
|
||||
- [Upgrading](#upgrading)
|
||||
- [Create a Userspace](#create-a-userspace)
|
||||
- [Quickstart](#quickstart)
|
||||
- [Userspace](#userspace)
|
||||
- [Namespace](#namespace)
|
||||
- [Roles](#roles)
|
||||
- [Rolebinding](#rolebinding)
|
||||
- [Manual Steps](#manual-steps)
|
||||
- [Create a kubernetes certsigner pod](#create-a-kubernetes-certsigner-pod)
|
||||
- [Create the certsigner secret](#create-the-certsigner-secret)
|
||||
- [Set up the certsigner pod](#set-up-the-certsigner-pod)
|
||||
- [Generate a cert](#generate-a-cert)
|
||||
- [Create a new Userspace](#create-a-new-userspace)
|
||||
- [Sign the cert](#sign-the-cert)
|
||||
- [Add to the config](#add-to-the-config)
|
||||
- [Delete](#delete)
|
||||
- [Signing a user cert - detailed notes](#signing-a-user-cert---detailed-notes)
|
||||
- [Help](#help)
|
||||
- [Troubleshooting](#troubleshooting)
|
||||
|
||||
@@ -620,6 +636,217 @@ mv k3s /usr/local/bin/k3s
|
||||
systemctl start k3s
|
||||
```
|
||||
|
||||
## Create a Userspace
|
||||
|
||||
This creates a user, namespace, and permissions with a simple script.
|
||||
|
||||
### Quickstart
|
||||
|
||||
```bash
|
||||
# Create certsigner pod for all other operations
|
||||
./setup.sh <server_fqdn>
|
||||
|
||||
# Create a user, use "admin" to create an admin user
|
||||
./adduser <server_fqdn> <user>
|
||||
|
||||
# Create a namespace and allow <user> to access it
|
||||
./createprojectspace <server_fqdn> <user> <project>
|
||||
|
||||
# Update a project namespace with the contents of ./namespace
|
||||
./updateprojectspace <server_fqdn> <user> <project>
|
||||
|
||||
# Remove a user, their namespace, and their access
|
||||
./removeuserspace <server_fqdn> <user>
|
||||
```
|
||||
|
||||
### Userspace
|
||||
|
||||
#### Namespace
|
||||
|
||||
```yaml
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: {{ .Release.Name }}
|
||||
```
|
||||
|
||||
#### Roles
|
||||
|
||||
```yaml
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: namespace-manager
|
||||
namespace: {{ .Release.Name }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
- extensions
|
||||
- apps
|
||||
- batch
|
||||
- autoscaling
|
||||
- networking.k8s.io
|
||||
- traefik.containo.us
|
||||
- rbac.authorization.k8s.io
|
||||
- metrics.k8s.io
|
||||
resources:
|
||||
- deployments
|
||||
- replicasets
|
||||
- pods
|
||||
- pods/exec
|
||||
- pods/log
|
||||
- pods/attach
|
||||
- daemonsets
|
||||
- statefulsets
|
||||
- replicationcontrollers
|
||||
- horizontalpodautoscalers
|
||||
- services
|
||||
- ingresses
|
||||
- persistentvolumeclaims
|
||||
- jobs
|
||||
- cronjobs
|
||||
- secrets
|
||||
- configmaps
|
||||
- serviceaccounts
|
||||
- rolebindings
|
||||
- ingressroutes
|
||||
- middlewares
|
||||
- endpoints
|
||||
verbs:
|
||||
- "*"
|
||||
- apiGroups:
|
||||
- ""
|
||||
- metrics.k8s.io
|
||||
- rbac.authorization.k8s.io
|
||||
resources:
|
||||
- resourcequotas
|
||||
- roles
|
||||
verbs:
|
||||
- list
|
||||
```
|
||||
|
||||
#### Rolebinding
|
||||
|
||||
```yaml
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
namespace: {{ .Release.Name }}
|
||||
name: namespace-manager
|
||||
subjects:
|
||||
- kind: User
|
||||
name: {{ .Release.Name }}
|
||||
apiGroup: ""
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: namespace-manager
|
||||
apiGroup: ""
|
||||
```
|
||||
|
||||
### Manual Steps
|
||||
|
||||
#### Create a kubernetes certsigner pod
|
||||
|
||||
This keeps the client-ca crt and key secret and allows the cert to be signed and stored on the pod
|
||||
|
||||
#### Create the certsigner secret
|
||||
|
||||
```bash
|
||||
kubectl -n kube-system create secret generic certsigner --from-file /var/lib/rancher/k3s/server/tls/client-ca.crt --from-file /var/lib/rancher/k3s/server/tls/client-ca.key
|
||||
```
|
||||
|
||||
#### Set up the certsigner pod
|
||||
|
||||
```bash
|
||||
scp certsigner.yaml <server>:~/certsigner.yaml
|
||||
kubectl apply -f certsigner.yaml
|
||||
```
|
||||
|
||||
#### Generate a cert
|
||||
|
||||
```bash
|
||||
export USER=<user>
|
||||
docker run -it -v $(pwd)/users/$USER:/$USER python:latest openssl genrsa -out /$USER/$USER.key 2048
|
||||
docker run -it -v $(pwd)/users/$USER:/$USER python:latest openssl req -new -key /$USER/$USER.key -out /$USER/$USER.csr -subj "/CN=$USER/O=user"
|
||||
```
|
||||
|
||||
#### Create a new Userspace
|
||||
|
||||
```bash
|
||||
helm template $USER ./namespace | kubectl --context admin apply -f -
|
||||
```
|
||||
|
||||
#### Sign the cert
|
||||
|
||||
```bash
|
||||
export USER=<user>
|
||||
kubectl --context admin cp $(pwd)/users/$USER/$USER.csr certsigner:/certs/$USER.csr
|
||||
kubectl --context admin exec -it --context admin certsigner -- openssl x509 -in /certs/$USER.csr -req -CA /keys/client-ca.crt -CAkey /keys/client-ca.key -CAcreateserial -out /certs/$USER.crt -days 5000
|
||||
kubectl --context admin cp certsigner:/certs/$USER.crt $(pwd)/users/$USER/$USER.crt
|
||||
```
|
||||
|
||||
#### Add to the config
|
||||
|
||||
```bash
|
||||
kubectl config set-credentials $USER --client-certificate=$USER.crt --client-key=$USER.key
|
||||
kubectl config set-context $USER --cluster=mainframe --namespace=$USER --user=$USER
|
||||
```
|
||||
|
||||
#### Delete
|
||||
|
||||
```bash
|
||||
kubectl config delete-context $USER
|
||||
helm template $USER ./namespace | kubectl --context admin delete -f -
|
||||
```
|
||||
|
||||
### Signing a user cert - detailed notes
|
||||
|
||||
NOTE: ca.crt and ca.key are in /var/lib/rancher/k3s/server/tls/client-ca.*
|
||||
|
||||
```bash
|
||||
# First we create the credentials
|
||||
# /CN=<username> - the user
|
||||
# /O=<group> - the group
|
||||
|
||||
# Navigate to the user directory
|
||||
export USER=<username>
|
||||
cd $USER
|
||||
|
||||
# Generate a private key
|
||||
openssl genrsa -out $USER.key 2048
|
||||
# Check the key
|
||||
# openssl pkey -in ca.key -noout -text
|
||||
# Generate and send me the CSR
|
||||
# The "user" group is my default group
|
||||
openssl req -new -key $USER.key -out $USER.csr -subj "/CN=$USER/O=user"
|
||||
|
||||
# Check the CSR
|
||||
# openssl req -in $USER.csr -noout -text
|
||||
# If satisfactory, sign the CSR
|
||||
# Copy from /var/lib/rancher/k3s/server/tls/client-ca.crt and client-ca.key
|
||||
openssl x509 -req -in $USER.csr -CA ../client-ca.crt -CAkey ../client-ca.key -CAcreateserial -out $USER.crt -days 5000
|
||||
# Review the certificate
|
||||
# openssl x509 -in $USER.crt -text -noout
|
||||
|
||||
# Send back the crt
|
||||
# cp $USER.crt $USER.key ../server-ca.crt ~/.kube/
|
||||
kubectl config set-credentials $USER --client-certificate=$USER.crt --client-key=$USER.key
|
||||
kubectl config set-context $USER --cluster=mainframe --namespace=$USER --user=$USER
|
||||
|
||||
# Now we create the namespace, rolebindings, and resource quotas
|
||||
# kubectl apply -f k8s/
|
||||
|
||||
# Add the cluster
|
||||
# CA file can be found at https://3.14.3.100:6443/cacerts
|
||||
- cluster:
|
||||
certificate-authority: server-ca.crt
|
||||
server: https://3.14.3.100:6443
|
||||
name: mainframe
|
||||
|
||||
# Test if everything worked
|
||||
kubectl --context=$USER-context get pods
|
||||
```
|
||||
|
||||
## Help
|
||||
|
||||
### Troubleshooting
|
||||
|
||||
Reference in New Issue
Block a user