9. Service Accounts and Roles
Install Kubernetes (v1.30.0)
Just follow the instructions given here
Installing pgAdmin
Official site here
x509 certificate
As admin
```shell
mkdir -p config/david && cd config/david
openssl genrsa -out david.key 4096
openssl req -new -subj "/O=dev/CN=david" -key david.key -out david.csr
```
csr.yaml
```yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: mycsr
spec:
  groups:
  - system:authenticated
  request: ${BASE64_CSR}
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - client auth
```
```shell
export BASE64_CSR=$(cat ./david.csr | base64 | tr -d '\n')
cat csr.yaml | envsubst | kubectl apply -f -
kubectl certificate approve mycsr
kubectl get csr mycsr -o jsonpath='{.status.certificate}' | base64 --decode > david.crt
openssl x509 -in ./david.crt -noout -text
```
```text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:af:dc:0b:60:6d:b1:ec:c6:2a:36:1c:06:17:0b:03
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=minikubeCA
        Validity
            Not Before: Oct 15 05:52:14 2020 GMT
            Not After : Oct 15 05:52:14 2021 GMT
        Subject: O=dev, CN=david
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    ...
```
```shell
kubectl create ns development
```
role.yaml
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: development
  name: dev
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["create", "get", "update", "list", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["create", "get", "update", "list", "delete"]
```
```shell
kubectl apply -f role.yaml
```
rolebinding.yaml
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev
  namespace: development
subjects:
- kind: User
  name: david
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev
  apiGroup: rbac.authorization.k8s.io
```
```shell
kubectl apply -f rolebinding.yaml
```
Alternatively, bind the role to the group dev rather than to the single user: the API server maps the certificate's O= field to a Kubernetes group, so every certificate issued with O=dev gets the same permissions.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev
  namespace: development
subjects:
- kind: Group
  name: dev
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev
  apiGroup: rbac.authorization.k8s.io
```
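To see what the Role and the two RoleBindings above actually grant to the holder of the david certificate, here is an added offline model of the API server's RBAC decision (example code, not part of the original lab). It derives the user from CN and the groups from O exactly as the API server does, mirrors role.yaml and both bindings as Python data, and answers the same question `kubectl auth can-i <verb> <resource> -n development --as david --as-group dev` would answer against the live cluster; the subject strings are constructed inputs.

```python
"""Offline model of the RBAC decision for the certificate, Role and
RoleBindings defined above (constructed example, not the cluster's code)."""


def identity_from_subject(subject: str) -> tuple[str, list[str]]:
    """CN becomes the user name, each O becomes a group; every client
    certificate holder is also placed in system:authenticated."""
    user, groups = "", []
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    return user, groups + ["system:authenticated"]


# Mirrors role.yaml: Role "dev" in namespace "development".
ROLE_DEV = {
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "services"],
         "verbs": ["create", "get", "update", "list", "delete"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["create", "get", "update", "list", "delete"]},
    ],
}

# Mirrors the two RoleBindings: one to User david, one to Group dev.
BINDINGS = [
    {"namespace": "development", "role": ROLE_DEV, "subjects": [("User", "david")]},
    {"namespace": "development", "role": ROLE_DEV, "subjects": [("Group", "dev")]},
]


def can_i(subject: str, verb: str, resource: str, api_group: str, namespace: str) -> bool:
    """Return True only if some binding in `namespace` matches the identity
    and its Role has a rule covering (api_group, resource, verb)."""
    user, groups = identity_from_subject(subject)
    for binding in BINDINGS:
        if binding["namespace"] != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        if not any((kind == "User" and name == user) or (kind == "Group" and name in groups)
                   for kind, name in binding["subjects"]):
            continue
        for rule in binding["role"]["rules"]:
            if api_group in rule["apiGroups"] and resource in rule["resources"] \
                    and verb in rule["verbs"]:
                return True
    return False  # RBAC is deny-by-default: no matching rule means forbidden
```

The checks worth keeping in mind: david can manage pods and deployments in development but cannot read secrets there, cannot touch pods in default, and needs the `apps` group to reach deployments.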
kubeconfig.tpl
```yaml
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: "${CLUSTER_CA}"
    server: ${CLUSTER_ENDPOINT}
  name: ${CLUSTER_NAME}
users:
- name: ${USER}
  user:
    client-certificate-data: "${CLIENT_CERTIFICATE_DATA}"
contexts:
- context:
    cluster: ${CLUSTER_NAME}
    user: ${USER}
  name: ${USER}-${CLUSTER_NAME}
current-context: ${USER}-${CLUSTER_NAME}
```
```shell
export USER="david"
export CLUSTER_NAME=$(kubectl config view --minify -o jsonpath={.current-context})
export CLIENT_CERTIFICATE_DATA=$(kubectl get csr mycsr -o jsonpath='{.status.certificate}')
export CLUSTER_CA=$(kubectl config view --minify --raw -o json | jq -r '.clusters[0].cluster["certificate-authority-data"]')
cat kubeconfig.tpl | envsubst > kubeconfig
```
Note that the template also references ${CLUSTER_ENDPOINT}, which is not exported above; set it to the API server URL of the cluster before rendering, otherwise the generated kubeconfig has an empty server field.
As David
```shell
export KUBECONFIG=$PWD/kubeconfig
kubectl config set-credentials david \
  --client-key=$PWD/david.key \
  --embed-certs=true
```
Port forwarding the postgres service
- open a PowerShell
- navigate to the directory containing the kubeconfig file
```powershell
$env:KUBECONFIG="$PWD\kubeconfig"
```
- list the services
```powershell
kubectl get services
```
- port forward to the postgres service
```powershell
kubectl port-forward svc/postgres 8000:5432
```
Connecting to the database in pgAdmin
- Right-click Servers, then Register...
- Name: corpo_pgsql_test5
- Connection tab:
  - Host name: localhost
  - Port: 8000
  - Password: sa
- Save
The connection should now be established.