Question

I've created a Kubernetes cluster on AWS with kops and can successfully control it via kubectl from my local machine. I need to enable other users to also administer.

kubectl config view gives the following:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://api.{CLUSTER_NAME}
  name: {CLUSTER_NAME}
contexts:
- context:
    cluster: {CLUSTER_NAME}
    user: {CLUSTER_NAME}
  name: {CLUSTER_NAME}
current-context: {CLUSTER_NAME}
kind: Config
preferences: {}
users:
- name: {CLUSTER_NAME}
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
    password: REDACTED
    username: admin
- name: {CLUSTER_NAME}-basic-auth
  user:
    password: REDACTED
    username: admin

Answer 1

Follow these steps:

1. create service account for user Alice

   kubectl create sa alice
   

2. Get related secret

   secret=$(kubectl get sa alice -o json | jq -r .secrets[].name)
   

3. Get ca.crt from secret (using OSX base64 with -D flag for decode)

   kubectl get secret $secret -o json | jq -r '.data["ca.crt"]' | base64 -D > ca.crt
   

4. Get service account token from secret

   user_token=$(kubectl get secret $secret -o json | jq -r '.data["token"]' | base64 -D)
   

5. Get information from your kubectl config (current-context, server..)

   # get current context
   c=`kubectl config current-context`
   
   # get cluster name of context
   name=`kubectl config get-contexts $c | awk '{print $3}' | tail -n 1`
   
   # get endpoint of current context 
   endpoint=`kubectl config view -o jsonpath="{.clusters[?(@.name == \"$name\")].cluster.server}"`
   

6. On a fresh machine, follow these steps (given the ca.cert and $endpoint information retrieved above:

   1. Install kubectl

      brew install kubectl
      

   2. Set cluster (run in directory where ca.crt is stored)

      kubectl config set-cluster cluster-staging \
        --embed-certs=true \
        --server=$endpoint \
        --certificate-authority=./ca.crt
      

   3. Set user credentials

      kubectl config set-credentials alice-staging --token=$user_token
      

   4. Define the combination of alice user with the staging cluster

      kubectl config set-context alice-staging \
        --cluster=cluster-staging \
        --user=alice-staging \
        --namespace=alice
      

   5. Switch current-context to alice-staging for the user

      kubectl config use-context alice-staging
      

Create a policy file to control user access with policies 

{
  "apiVersion": "abac.authorization.kubernetes.io/v1beta1",
  "kind": "Policy",
  "spec": {
    "user": "system:serviceaccount:default:alice",
    "namespace": "default",
    "resource": "*",
    "readonly": true
  }
}

Provision this policy.json on every master node and add --authorization-mode=ABAC --authorization-policy-file=/path/to/policy.json flags to API servers