# casa on Icarus - admin
Requires Kubernetes admin access to icarus. All documentation and scripts must be executed in the icarus kubectl context with an admin account.
Currently using a symbolic link in the icarus project on my dev device to this file.
## Kubernetes Namespace
```bash
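# create namespace (the comment previously said "delete" although the command creates it)
kubectl create namespace casa-limbosolutions-com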
```
```bash
# delete namespace (this removes everything deployed inside it, including the
# Secrets and PVCs the role below can manage; kubectl does not ask for confirmation)
kubectl delete namespace casa-limbosolutions-com
```
## Roles and Bindings
```yaml
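apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # A ClusterRole is cluster-scoped, so a metadata.namespace on it is ignored
  # by the API server; the field has been dropped to avoid suggesting that the
  # role itself is confined to casa-limbosolutions-com. The namespace
  # restriction comes only from the binding that references this role: bind it
  # with a RoleBinding in the target namespace, not a ClusterRoleBinding, or
  # the permissions below apply in every namespace of the cluster.
  name: casa-limbosolutions-com
rules:
  - apiGroups:
      - ""                 # core group: pods, services, secrets, configmaps, pvcs
      - cert-manager.io    # certificates issued by cert-manager
      - apps               # deployments
      - networking.k8s.io  # ingresses
    resources:
      - pods
      - services
      - secrets  # get/list on secrets exposes every Secret in scope; keep the binding namespaced
      - certificates
      - deployments
      - configmaps
      - ingresses
      - persistentvolumeclaims
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
      - deletecollection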
```
```yaml
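apiVersion: rbac.authorization.k8s.io/v1
# A RoleBinding (not a ClusterRoleBinding) is used so that the referenced
# ClusterRole is granted only inside metadata.namespace. A ClusterRoleBinding
# ignores metadata.namespace and would give the subject the role's verbs on
# pods, secrets, deployments, etc. in every namespace of the cluster.
kind: RoleBinding
metadata:
  name: casa-limbosolutions-com-rb  # Replace with your role binding name
  namespace: casa-limbosolutions-com  # Replace with your namespace
subjects:
  - kind: User  # or "ServiceAccount" for service accounts
    name: casa  # Replace with the username (the CN of the client certificate) or service account name
    apiGroup: rbac.authorization.k8s.io
    # A User subject carries no namespace. For a ServiceAccount subject use
    # apiGroup: "" and add namespace: <namespace of the service account>.
roleRef:
  kind: ClusterRole  # a RoleBinding may reference a ClusterRole; the grant stays limited to this namespace
  name: casa-limbosolutions-com  # The name of the role you created
  apiGroup: rbac.authorization.k8s.io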
```
### Kubernetes User
```bash
# Submit the CSR to k3s. The PEM request is read from the .csr file and
# base64-encoded inline (newlines stripped, as the API expects one line).
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: casa-user-csr
spec:
  request: $(base64 < ../.env.d/.kube/casa@icarus-user.csr | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  # No expirationSeconds is set here, so the signer's default certificate
  # lifetime applies; add `expirationSeconds: <seconds>` under spec to bound
  # how long this client credential stays valid.
  usages:
    - client auth
EOF
```
```bash
# Approve csr
# Approval signs the request with the kube-apiserver-client signer; the subject
# in the CSR (CN / O) is what the API server will then authenticate as user and
# groups, so inspect it first (kubectl get csr casa-user-csr -o yaml) and make
# sure it matches the `casa` subject bound above.
kubectl certificate approve casa-user-csr
```
```bash
# Download the Kubernetes user certificate
# .status.certificate is only populated once the CSR has been approved and
# issued; an empty output file means the approve step above has not completed.
# NOTE(review): the CSR was read from ../.env.d/.kube/ above but the
# certificate is written to ./.env.d/ here — confirm which directory is intended.
kubectl get csr casa-user-csr -o jsonpath='{.status.certificate}' | base64 --decode > ./.env.d/casa@icarus-user.crt
```