add user cert creation

2020-08-12 11:11:56 -04:00
parent 74e2e51f72
commit ab1b20620f
1 changed files with 14 additions and 15 deletions
--- a/README.md
+++ b/README.md
@@ -2,12 +2,10 @@
 ## Raspberry Pi
-Enable cgroups
+Enable cgroups by adding the following to the end of /boot/cmdline.txt
 ```bash
-sudo vim /boot/cmdline.txt
+cgroup_memory=1 cgroup_enable=memory
 ... cgroup_memory=1 cgroup_enable=memory
 ```
 Enable legacy iptables
@@ -19,7 +17,7 @@ sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
 sudo reboot
 ```
-Install k3s on our sacrificial server
+Install k3s on our sacrificial server (assuming you have etcd configured)
 ```bash
 curl -sfL https://get.k3s.io | sh -s - server \
@@ -42,14 +40,7 @@ curl -sfL https://get.k3s.io | sh -s - server \
    --server https://3.14.3.107
 ```
-Test a bunch of deploys
+Generate certs for a new user
 ```bash
 for i in {1..100}; do kubectl create deploy test$i --image=nginx & done;
 for i in {1..100}; do kubectl delete deploy test$i & done;
 ```
 Generate certs
 ```bash
 export USER=<username>
@@ -59,6 +50,14 @@ openssl genrsa -out $USER.key 2048
 openssl req -new -key $USER.key -out $USER.csr -subj "/CN=$USER/O=user"
 sudo openssl x509 -req -in $USER.csr -CA /var/lib/rancher/k3s/server/tls/client-ca.crt -CAkey /var/lib/rancher/k3s/server/tls/client-ca.key -CAcreateserial -out $USER.crt -days 5000
 sudo chown pi:pi $USER.crt
-sudo kubectl create role $USER --verb=* --resource=deployments,pods,pods/exec,pods/log,pods/attach,services,ingresses,ingressroutes,secrets,configmaps,persistentvolumeclaims
+sudo kubectl create namespace $USER
-sudo kubectl create rolebinding $USER --role=$USER --user=$USER
+sudo kubectl -n $USER create role $USER --verb=get,list,create,update,patch,watch,delete,deletecollection --resource=deployments,pods,pods/exec,pods/log,pods/attach,services,ingresses,secrets,configmaps,persistentvolumeclaims
 sudo kubectl -n $USER create rolebinding -n ducoterra $USER --role=$USER --user=$USER
 ```
 Test a bunch of deploys
 ```bash
 for i in {1..100}; do kubectl create deploy test$i --image=nginx; done;
 for i in {1..100}; do kubectl delete deploy test$i; done;
 ```