Created May 18, 2020 17:02
kubectl client key authorization expired cert
~/.kube docker exec kind-control-plane cat /etc/kubernetes/pki/ca.key > ~/repos/octant/kind.ca.key
~/.kube docker exec kind-control-plane cat /etc/kubernetes/pki/ca.crt > ~/repos/octant/kind.ca.crt
openssl genrsa -out readonly.key 2048
openssl req -new -key readonly.key -out readonly.csr -subj "/CN=readonly/O=octant"
openssl x509 -req -in readonly.csr -CA kind.ca.crt -CAkey kind.ca.key -CAcreateserial -out readonly.crt -days 500
✘ ~/podreader cat 01-clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["list", "watch", "get"]
~/podreader cat 02-rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: 'default'
  name: pod-reader
subjects:
- kind: User
  name: readonly
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
k config set-credentials readonly --client-certificate=/home/wwitzel3/podreader/readonly.crt --client-key=/home/wwitzel3/podreader/readonly.key
k --user readonly get ns
Error from server (Forbidden): namespaces is forbidden: User "readonly" cannot list resource "namespaces" in API group "" at the cluster scope
✘ ~/podreader k --user readonly get pod
No resources found.
~/podreader faketime 'yesterday 12:40' openssl x509 -req -in readonly.csr -CA kind.ca.crt -CAkey kind.ca.key -CAcreateserial -out readonly.crt -days 1
Signature ok
subject=/CN=readonly/O=octant
Getting CA Private Key
~/podreader k --user readonly get pod
error: You must be logged in to the server (Unauthorized)
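The session above shows the two failure modes side by side: "Forbidden" means the API server authenticated the user (CN from the cert) and RBAC denied the request, while "Unauthorized" means authentication itself failed, here because the re-signed cert was already expired. The script below is an added example, not part of the gist: it rebuilds the same PKI steps against a throwaway CA (no kind cluster needed) and runs the checks an operator would run on a client cert before blaming RBAC. It assumes only the openssl CLI; the function names (cert_user, cert_groups, cert_chains_to_ca, cert_valid_for, make_lab_pki, triage) and the lab CA subject are inventions of this example.

```shell
#!/bin/sh
# Added example, not code from the gist. Builds a scratch CA, signs a one-day
# client cert the way the gist does, then checks what Kubernetes will see.
# Assumes the openssl CLI is on PATH; every file here is constructed locally.

set -u

# Kubernetes maps the client cert subject to identity: CN -> user name,
# each O -> a group. These helpers print what the API server would use.
cert_user() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed 's/^subject=//' | tr ',' '\n' | sed -n 's/^CN=//p'
}
cert_groups() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed 's/^subject=//' | tr ',' '\n' | sed -n 's/^O=//p'
}

# Exit 0 if cert $2 chains to CA $1 and is inside its validity window.
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 if cert $1 is still valid $2 seconds from now, non-zero if it will
# have expired by then (a 0 argument asks "is it expired right now?").
cert_valid_for() {
  openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# Mirror the gist's steps in directory $1: CA key/cert (hypothetical subject
# CN=lab-ca), then a client key, a CSR for CN=readonly/O=octant, signed for
# one day. No faketime, so the result is valid for the next 24 hours.
make_lab_pki() {
  dir=$1
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -days 3 -subj "/CN=lab-ca" \
    -out "$dir/ca.crt" 2>/dev/null
  openssl genrsa -out "$dir/readonly.key" 2048 2>/dev/null
  openssl req -new -key "$dir/readonly.key" -subj "/CN=readonly/O=octant" \
    -out "$dir/readonly.csr" 2>/dev/null
  openssl x509 -req -in "$dir/readonly.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
    -out "$dir/readonly.crt" 2>/dev/null
}

# Triage verdict for CA $1 and client cert $2, in the order the API server
# would reject: bad chain or expiry first (Unauthorized), RBAC only after.
triage() {
  ca=$1; cert=$2
  printf 'user=%s groups=%s\n' "$(cert_user "$cert")" \
    "$(cert_groups "$cert" | paste -s -d , -)"
  if ! cert_chains_to_ca "$ca" "$cert"; then
    echo "cert does not verify against this CA: expect Unauthorized, not Forbidden"
  elif ! cert_valid_for "$cert" 0; then
    echo "cert is expired: expect Unauthorized"
  elif ! cert_valid_for "$cert" 604800; then
    echo "cert expires within 7 days: rotate it before it turns into Unauthorized"
  else
    echo "cert is fine; a Forbidden error means RBAC, not the certificate"
  fi
}

lab=$(mktemp -d)
make_lab_pki "$lab"
triage "$lab/ca.crt" "$lab/readonly.crt"
rm -rf "$lab"
```

Run against a real kubeconfig, point cert_user and cert_valid_for at the file named by client-certificate and the CA at the cluster's certificate-authority; the one-day cert built here trips the 7-day rotation warning, which is exactly the case the gist provokes with faketime.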