Cluster Hardening – RBAC


title: “Cluster Hardening – RBAC”
date: 2020-12-09T22:19:34
slug: cluster-hardening-rbac


RBAC grants are built from two halves: a Role or ClusterRole (which verbs on which resources) and a RoleBinding or ClusterRoleBinding that ties it to a subject (user, group or service account). Role and RoleBinding are namespaced; ClusterRole and ClusterRoleBinding apply cluster-wide (a ClusterRole can also be bound inside a single namespace with a RoleBinding). The User name in a binding is the CN of the subject's client certificate.

Check the result with kubectl auth can-i while impersonating the subject (--as, optionally --as-group), so the check runs with their identity rather than yours. Impersonation itself needs the impersonate verb, which cluster-admin has. k is an alias for kubectl throughout.

In a specified namespace:

k -n red auth can-i get secrets --as jane

In all namespaces (only a ClusterRoleBinding makes this answer yes):

k auth can-i get secrets -A --as jane
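As an added example (not part of the original notes), the two grants the checks above distinguish: a namespaced Role/RoleBinding that makes the first check answer yes, and a ClusterRole/ClusterRoleBinding that is needed for the -A check. The names red, jane, secret-reader and the binding names are assumptions chosen to match the commands.

```yaml
# Namespaced grant: jane may read Secrets only in "red".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: red
  name: secret-reader
rules:
- apiGroups: [""]            # "" is the core API group (secrets live there)
  resources: ["secrets"]
  verbs: ["get", "list"]     # no "watch" or "*": keep the grant minimal
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: red
  name: jane-secret-reader
subjects:
- kind: User
  name: jane                 # must match the CN of jane's client certificate
  apiGroup: rbac.authorization.k8s.io
roleRef:                     # roleRef is immutable; delete and recreate to change it
  kind: Role
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-wide grant: this is what "auth can-i get secrets -A --as jane" needs.
# Binding the same ClusterRole with a RoleBinding would again limit it to one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader-all
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: jane-secret-reader-all
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader-all
  apiGroup: rbac.authorization.k8s.io
```

Apply with k apply -f and re-run the two checks: with only the first two objects, k -n red auth can-i get secrets --as jane answers yes while k auth can-i get secrets -A --as jane answers no; after the ClusterRoleBinding both answer yes. For a hardening review that second answer is the one to watch, since a cluster-wide secret read is rarely what a user needs.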

Create a User Certificate
Create a key and CSR

The subject's CN becomes the Kubernetes username and each O becomes a group, so set them explicitly (here CN=xforze, matching the user name used in the kubeconfig below); without -subj openssl asks for them interactively:

openssl req -new -newkey rsa:4096 -nodes -keyout xforze.key -out xforze.csr -subj "/CN=xforze"

Put the CSR into a CertificateSigningRequest object: the request field is the PEM file base64-encoded on a single line (base64 -w 0 xforze.csr), and metadata.name is the name of the CSR object (it does not have to equal the CN). spec.groups is filled in by the API server from the identity that creates the object and can be left out:

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: xforze
spec:
  groups:
  - system:authenticated
  # base64 -w 0 xforze.csr (single line, no wrapping)
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTdmJXVXRVM1JoZEdVeApJVEFmQmdOVkJBb01HRWx1ZEdWeW......
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth

List CertificateSigningRequests (the new object shows CONDITION Pending):

k get certificatesigningrequests

Approve the certificate. Approval is a privileged step (it needs update on certificatesigningrequests/approval), so it belongs to a cluster admin, who should check the CN and groups in the request before approving:

k certificate approve xforze

Get the certificate. Once approved, the signed certificate appears base64-encoded in status.certificate:

k get certificatesigningrequests xforze -o yaml

Decode that field with base64 -d, or extract and write it directly to a file:

k get certificatesigningrequests xforze -o jsonpath='{.status.certificate}' | base64 -d > xforze.crt

Set the user in the kubeconfig (--embed-certs stores the key and certificate inline instead of by path, so the kubeconfig is self-contained):

k config set-credentials xforze --client-key=xforze.key --client-certificate=xforze.crt --embed-certs

Add a new context. The cluster name must match an existing cluster entry in the kubeconfig (kubernetes is the kubeadm default; check with k config get-clusters):

k config set-context xforze --user=xforze --cluster=kubernetes

Use the new context:

k config use-context xforze

In this context requests are made as xforze, so until a RoleBinding or ClusterRoleBinding names that user the API server answers with Forbidden; k auth can-i get secrets -n red without --as now checks the new identity.