
9. Service Accounts and Roles

Install Kubernetes (v1.30.0)

Simply follow the instructions given here.

Installing pgAdmin

Official site here

x509 certificate

As admin

mkdir -p config/david && cd config/david
openssl genrsa -out david.key 4096
openssl req -new -subj "/O=dev/CN=david" -key david.key -out david.csr

csr.yaml

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: mycsr
spec:
  groups:
  - system:authenticated
  request: ${BASE64_CSR}
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - client auth

export BASE64_CSR=$(cat ./david.csr | base64 | tr -d '\n')
cat csr.yaml | envsubst | kubectl apply -f -
kubectl certificate approve mycsr
kubectl get csr mycsr -o jsonpath='{.status.certificate}' | base64 --decode > david.crt
openssl x509 -in ./david.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:af:dc:0b:60:6d:b1:ec:c6:2a:36:1c:06:17:0b:03
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=minikubeCA
        Validity
            Not Before: Oct 15 05:52:14 2020 GMT
            Not After : Oct 15 05:52:14 2021 GMT
        Subject: O=dev, CN=david
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
...

kubectl create ns development

role.yaml

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 namespace: development
 name: dev
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["create", "get", "update", "list", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["create", "get", "update", "list", "delete"]

kubectl apply -f role.yaml

rolebinding.yaml

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: dev
 namespace: development
subjects:
- kind: User
  name: david
  apiGroup: rbac.authorization.k8s.io
roleRef:
 kind: Role
 name: dev
 apiGroup: rbac.authorization.k8s.io

kubectl apply -f rolebinding.yaml

Variant: bind the same Role to the group dev instead of the single user david. The certificate's O=dev field is mapped by the API server to the group dev, so every certificate issued with that organization gets the role.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
 name: dev
 namespace: development
subjects:
- kind: Group
  name: dev
  apiGroup: rbac.authorization.k8s.io
roleRef:
 kind: Role
 name: dev
 apiGroup: rbac.authorization.k8s.io
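The two pieces above (the x509 subject on the certificate and the Role/RoleBinding pair) are what the API server combines to answer "can david create pods in development?". The following is an added example, not code from the page and not Kubernetes source: a simplified model of the x509 authenticator (CN becomes the username, each O becomes a group) and of the RBAC authorizer, with the rules transcribed by hand from role.yaml and both RoleBindings. The extra subjects alice and bob are constructed to show the group binding at work.

```python
"""Simplified model of kube-apiserver's x509 identity mapping and RBAC decision.
Added example, not the page's own code: rules below are hand-transcribed
from role.yaml / rolebinding.yaml; alice and bob are constructed test subjects."""

# Role "dev" in namespace development, as declared in role.yaml.
ROLES = {
    ("development", "dev"): [
        {"apiGroups": [""], "resources": ["pods", "services"],
         "verbs": ["create", "get", "update", "list", "delete"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["create", "get", "update", "list", "delete"]},
    ],
}

# Both RoleBindings from the page: one to User david, one to Group dev.
BINDINGS = [
    {"namespace": "development", "roleRef": "dev",
     "subjects": [{"kind": "User", "name": "david"}]},
    {"namespace": "development", "roleRef": "dev",
     "subjects": [{"kind": "Group", "name": "dev"}]},
]


def identity_from_subject(subject):
    """Map an openssl-style subject line ("O=dev, CN=david") to (user, groups).
    CN becomes the username and each O becomes a group, which is how the
    API server's x509 client-certificate authenticator behaves. Every
    authenticated client is also placed in system:authenticated."""
    user = None
    groups = []
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    groups.append("system:authenticated")
    return user, groups


def _rule_matches(rule, api_group, resource, verb):
    """A rule allows a request when group, resource and verb all match ('*' is a wildcard)."""
    return (("*" in rule["apiGroups"] or api_group in rule["apiGroups"])
            and ("*" in rule["resources"] or resource in rule["resources"])
            and ("*" in rule["verbs"] or verb in rule["verbs"]))


def _binding_covers(binding, user, groups):
    """A binding applies when one of its subjects names the user or one of the user's groups."""
    for subject in binding["subjects"]:
        if subject["kind"] == "User" and subject["name"] == user:
            return True
        if subject["kind"] == "Group" and subject["name"] in groups:
            return True
    return False


def can_i(user, groups, verb, resource, namespace, api_group=""):
    """RBAC is deny-by-default: allow only if a RoleBinding in the request's
    namespace covers the subject and its Role has a rule matching the request.
    Core-API resources (pods, services) use the empty apiGroup ""."""
    for binding in BINDINGS:
        if binding["namespace"] != namespace or not _binding_covers(binding, user, groups):
            continue
        rules = ROLES.get((binding["namespace"], binding["roleRef"]), [])
        if any(_rule_matches(r, api_group, resource, verb) for r in rules):
            return True
    return False


if __name__ == "__main__":
    # Subject exactly as printed by `openssl x509 -noout -text` for david.crt.
    user, groups = identity_from_subject("O=dev, CN=david")
    checks = [("create", "pods", "development", ""),
              ("get", "secrets", "development", ""),
              ("list", "deployments", "development", "apps"),
              ("create", "pods", "default", "")]
    for verb, res, ns, grp in checks:
        verdict = "yes" if can_i(user, groups, verb, res, ns, grp) else "no"
        print(f"{user} {verb} {res} in {ns}: {verdict}")
    # Constructed subjects: alice shares O=dev and is allowed via the Group binding; bob is not.
    print("alice:", can_i(*identity_from_subject("O=dev, CN=alice"), "get", "pods", "development"))
    print("bob:", can_i(*identity_from_subject("O=ops, CN=bob"), "get", "pods", "development"))
```

The same questions can be put to the real cluster with `kubectl auth can-i create pods -n development` while running under david's kubeconfig; the model above is only there to make the deny-by-default logic and the O-to-group mapping explicit.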

kubeconfig.tpl

apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: "${CLUSTER_CA}"
    server: ${CLUSTER_ENDPOINT}
  name: ${CLUSTER_NAME}
users:
- name: ${USER}
  user:
    client-certificate-data: "${CLIENT_CERTIFICATE_DATA}"
contexts:
- context:
    cluster: ${CLUSTER_NAME}
    user: ${USER}
  name: ${USER}-${CLUSTER_NAME}
current-context: ${USER}-${CLUSTER_NAME}

export USER="david"
export CLUSTER_NAME=$(kubectl config view --minify -o jsonpath={.current-context})
export CLIENT_CERTIFICATE_DATA=$(kubectl get csr mycsr -o jsonpath='{.status.certificate}')
export CLUSTER_CA=$(kubectl config view --minify --raw -o json | jq -r '.clusters[0].cluster["certificate-authority-data"]')
cat kubeconfig.tpl | envsubst > kubeconfig

As David

export KUBECONFIG=$PWD/kubeconfig
kubectl config set-credentials david \
  --client-key=$PWD/david.key \
  --embed-certs=true

Port forwarding the postgres service

  • Open a PowerShell
  • Navigate to the directory containing the kubeconfig file
$env:KUBECONFIG="$PWD\kubeconfig"
  • List the services
kubectl get services
  • Port-forward to the postgres service
kubectl port-forward svc/postgres 8000:5432

Connecting to the database in pgAdmin

  • Right-click Servers, then Register...
  • Name: corpo_pgsql_test5
  • Connection tab:
    • Host name: localhost
    • Port: 8000
    • Password: sa
  • Save

The connection should now be established.