Setup Authentication for KOPS+AWS (not managed) setup.


Don’t send everyone the admin credentials! Kops on AWS doesn’t come with user authentication, so we need to think about how to set it up ourselves.

Kops lets you retrieve the entire kubernetes context config (the information you need to connect to your cluster remotely from the terminal).

If you want to let other people on your team connect to kubernetes, you need to give them that information.

So the easiest solution (and the most dangerous) is to give them AWS credentials (ones that work with awscli for s3), and then they can run:

kops export kubecfg --state s3://<BUCKET> --name=<CLUSTER_NAME>

This automatically sets the context and the user. The biggest hazard is that it lets them use the "admin" user by default, so they can do anything on the cluster.

So you need to configure the different users (authentication) and what they can do (authorization) in the cluster.

Create a user

This is based on arveknudsen's excellent article on CA on Kubernetes



Let's configure a user "viewer" that can only view things (like "kubectl get pods") but cannot change anything (like "kubectl create ...").



1. Get the admin CA (key and certificate) from s3 and download it to your computer. I prefer to do it manually, but you can run:



aws s3 cp s3://$BUCKET/$CLUSTER/pki/private/ca/$KEY ca.key

aws s3 cp s3://$BUCKET/$CLUSTER/pki/issued/ca/$CERT ca.crt





2. Generate a new key and certificate for the new user, signed by the cluster CA.



openssl genrsa -out user_viewer.key 4096

openssl req -new -key user_viewer.key -out user_viewer.csr -subj '/CN=viewer/O=developer'

openssl x509 -req -in user_viewer.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out user_viewer.crt -days 365





This creates two new files we care about: user_viewer.key and user_viewer.crt. You will send these files to the other team member later so they can authenticate to the cluster. The CN in the subject ("viewer") becomes the username the API server sees, and the O ("developer") becomes a group.

3. Create the role binding (role to username).



kubectl create clusterrolebinding viewer-cluster-admin-binding --clusterrole=view --user=viewer



This matches the username (the CN in the certificate) to the ClusterRole we want. Note that a ClusterRoleBinding applies cluster-wide (a namespace flag has no effect on it); you can create new roles that match the needs of the user/team.

Share with others

Create a package of files out of the following files:

- user_viewer.key

- user_viewer.crt

- the certificate downloaded from s3 at bucket/cluster/pki/issued/master/XXXXXX.crt (you can use `aws s3 cp s3://$BUCKET/$CLUSTER/pki/issued/master/$KEY ca_master.crt`) - call it `ca_master.crt`. Do not include ca.key: that is the CA private key, and anyone holding it can mint their own admin certificate.



Send this package to your team members and tell them to run:



kubectl config set-cluster <CLUSTER_NAME> --server=https://<URL>

kubectl config set-cluster <CLUSTER_NAME> --certificate-authority=ca_master.crt

kubectl config set-credentials viewer --client-key=user_viewer.key --client-certificate=user_viewer.crt



kubectl config set-context <CLUSTER_NAME> --user=viewer --cluster <CLUSTER_NAME>



kubectl config use-context <CLUSTER_NAME>



Now they can use kubectl as user 'viewer' to view things on the cluster. They can confirm the permissions with `kubectl auth can-i get pods` (expected: yes) and `kubectl auth can-i create pods` (expected: no).

Change the ClusterRole (or bind it with a namespaced RoleBinding instead of a ClusterRoleBinding) to let users access only certain namespaces or resources.
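As an added example (not from the original article), here is the "share with others" step and the role binding from step 3 expressed as files instead of a list of commands: one self-contained kubeconfig with the certificates embedded, plus the ClusterRoleBinding manifest, with a check that the username in the kubeconfig is the one the binding grants and a guard against shipping ca.key by mistake. The PEM blobs are constructed placeholders standing in for the real user_viewer.crt, user_viewer.key and ca_master.crt; the cluster name, URL and binding name are assumptions.

```python
import base64

# Constructed stand-ins for the files produced above (user_viewer.crt, user_viewer.key)
# and the cluster CA cert fetched from s3; any bytes with the right PEM header will do.
CA_PEM = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA\n-----END CERTIFICATE-----\n"
VIEWER_CRT = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-VIEWER\n-----END CERTIFICATE-----\n"
VIEWER_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-KEY\n-----END RSA PRIVATE KEY-----\n"

def b64(data):
    return base64.b64encode(data).decode("ascii")

def ensure_pem(data, label):
    # Guard against shipping the wrong file, e.g. ca.key (the admin CA private key,
    # which sits next to ca.crt in the bucket) where a certificate was meant.
    if not data.startswith(b"-----BEGIN ") or label.encode() not in data.split(b"\n", 1)[0]:
        raise ValueError("expected a %s PEM block" % label)

def build_kubeconfig(cluster, server, ca_pem, crt_pem, key_pem, user="viewer"):
    """Same result as the kubectl config set-cluster/set-credentials/set-context
    commands, but one file with the certs embedded as *-data fields, so the
    recipient cannot mix up which .crt is the CA."""
    if not server.startswith("https://"):
        raise ValueError("API server must use https so the embedded CA is actually checked")
    ensure_pem(ca_pem, "CERTIFICATE")
    ensure_pem(crt_pem, "CERTIFICATE")
    ensure_pem(key_pem, "PRIVATE KEY")
    return {
        "apiVersion": "v1", "kind": "Config", "current-context": cluster,
        "clusters": [{"name": cluster, "cluster": {
            "server": server, "certificate-authority-data": b64(ca_pem)}}],
        "users": [{"name": user, "user": {
            "client-certificate-data": b64(crt_pem), "client-key-data": b64(key_pem)}}],
        "contexts": [{"name": cluster, "context": {"cluster": cluster, "user": user}}],
    }

def build_clusterrolebinding(user="viewer", clusterrole="view", name="viewer-binding"):
    """Declarative form of step 3. The subject name must equal the certificate CN,
    which is the username the API server derives from a client certificate."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": clusterrole},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": user}],
    }

def subject_matches(kubeconfig, binding):
    """True when the user the kubeconfig authenticates as is the one the binding grants."""
    ctx = next(c["context"] for c in kubeconfig["contexts"] if c["name"] == kubeconfig["current-context"])
    return any(s["kind"] == "User" and s["name"] == ctx["user"] for s in binding["subjects"])
```

Writing `json.dumps(build_kubeconfig(...))` to a file gives something `kubectl --kubeconfig` reads unchanged, since JSON is valid YAML; the binding dict can be applied the same way with `kubectl apply -f`.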