Difference between revisions of "Tutorials:Set up your Kubernetes user account"
m (→Get your user credentials (an OAuth ID token) from our server) |
m |
||
| Line 55: | Line 55: | ||
Mark everything and copy it to the clipboard. Paste it into your kubeconfig file .kube/config below the line "users:". If you have some background in programming, the structure of the kubeconfig file should be pretty obvious, and you will be able to extend it to include e.g. multiple identities and contexts which access different namespaces. This is quite useful for quickly switching between them without having to type so much. | Mark everything and copy it to the clipboard. Paste it into your kubeconfig file .kube/config below the line "users:". If you have some background in programming, the structure of the kubeconfig file should be pretty obvious, and you will be able to extend it to include e.g. multiple identities and contexts which access different namespaces. This is quite useful for quickly switching between them without having to type so much. | ||
| + | |||
| + | After this step, your .kube/config should look something like this: | ||
| + | |||
| + | <syntaxhighlight lang="yaml"> | ||
| + | apiVersion: v1 | ||
| + | clusters: | ||
| + | - cluster: | ||
| + | certificate-authority-data: LS0tLS1CRUdJ .... | ||
| + | server: https://134.34.224.84:6443 | ||
| + | name: ccu | ||
| + | contexts: | ||
| + | - context: | ||
| + | cluster: ccu | ||
| + | namespace: testing | ||
| + | user: your.username | ||
| + | name: me@ccu | ||
| + | kind: Config | ||
| + | preferences: {} | ||
| + | users: | ||
| + | - name: your.username | ||
| + | user: | ||
| + | auth-provider: | ||
| + | config: | ||
| + | client-id: loginapp | ||
| + | client-secret: 459679hg... | ||
| + | id-token: eyJhbGc... | ||
| + | idp-issuer-url: https://ccu.uni-konstanz.de:32000/dex | ||
| + | refresh-token: ChllcHl... | ||
| + | name: oidc | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | |||
== Enter the CCU context == | == Enter the CCU context == | ||
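Review bot: In the added `<syntaxhighlight>` sample, the `users:` entry shows `client-secret`, `id-token` and `refresh-token` values under the sentence "should look something like this", with no statement that the `...` values are truncated placeholders or that the finished file now holds live credentials. Suggest adding one sentence before the block that says so and reminds the reader to keep the file readable only by its owner. The three empty lines added after `</syntaxhighlight>` can be reduced to one.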
Revision as of 09:08, 18 June 2019
Unfortunately, making your identity known to the cluster on any machine is a decidedly manual process, which involves editing a local configuration that resides in ".kube/config".
Set up a .kube/config file
Create the subdirectory ".kube" in your home directory and set restrictive permissions. It will contain your cluster credentials, and anyone who has access to the files in there can steal your identity and impersonate you. We do not want this.
> cd ~
> mkdir .kube
> chmod 700 .kube
Create a file ".kube/config" and edit its contents as follows. To get the certificate authority data right, download it here: File:Kubeconfig template ccu.zip.
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJ ....
    server: https://134.34.224.84:6443
  name: ccu
contexts:
- context:
    cluster: ccu
    namespace: testing
    user: your.username
  name: me@ccu
kind: Config
preferences: {}
users:
Of course, substitute your own username at the indicated locations. You will later learn what to do about the namespace.
Get your user credentials (an OAuth ID token) from our server
The next step is to authenticate against our server, which will then create a credential (basically a secret token which only you should know) so that you can prove to the cluster that you are indeed who you claim you are.
- Go to the dex login application
- Keep the defaults on the first screen and hit "request token"
- Enter your CCU login. You will get something like this in return:
- name: your.username
  user:
    auth-provider:
      config:
        client-id: loginapp
        client-secret: 459679hg...
        id-token: eyJhbGc...
        idp-issuer-url: https://ccu.uni-konstanz.de:32000/dex
        refresh-token: ChllcHl...
      name: oidc
Mark everything and copy it to the clipboard. Paste it into your kubeconfig file .kube/config below the line "users:". If you have some background in programming, the structure of the kubeconfig file should be pretty obvious, and you will be able to extend it to include e.g. multiple identities and contexts which access different namespaces. This is quite useful for quickly switching between them without having to type so much.
After this step, your .kube/config should look something like this:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJ ....
    server: https://134.34.224.84:6443
  name: ccu
contexts:
- context:
    cluster: ccu
    namespace: testing
    user: your.username
  name: me@ccu
kind: Config
preferences: {}
users:
- name: your.username
  user:
    auth-provider:
      config:
        client-id: loginapp
        client-secret: 459679hg...
        id-token: eyJhbGc...
        idp-issuer-url: https://ccu.uni-konstanz.de:32000/dex
        refresh-token: ChllcHl...
      name: oidc
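An added example, not part of the original tutorial or any CCU tooling: a standard-library Python check that the ".kube" directory and config file are owner-only, and that the stored id-token names the same issuer as idp-issuer-url and has not expired. The function names are hypothetical, the token written by write_sample is constructed and unsigned, and decode_claims only inspects the payload without verifying the signature.

```python
import base64, json, os, re, stat, tempfile, time

def decode_claims(id_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_kubeconfig(path, now=None):
    """Return findings about file modes and the id-token stored in a kubeconfig."""
    now = time.time() if now is None else now
    findings = []
    for p in (os.path.dirname(path), path):
        mode = stat.S_IMODE(os.stat(p).st_mode)
        if mode & 0o077:  # any group/other permission bit set
            findings.append(f"{p}: mode {mode:o} lets group/others in")
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    token = re.search(r"^\s*id-token:\s*(\S+)", text, re.M)
    issuer = re.search(r"^\s*idp-issuer-url:\s*(\S+)", text, re.M)
    if not token:
        return findings + ["no id-token entry found"]
    claims = decode_claims(token.group(1))
    if issuer and claims.get("iss") != issuer.group(1):
        findings.append("token iss differs from idp-issuer-url")
    if claims.get("exp", 0) <= now:
        findings.append("id-token has expired")
    return findings

def write_sample(root, exp, mode):
    """Constructed sample: users entry with an unsigned dummy token (hypothetical helper)."""
    iss = "https://ccu.uni-konstanz.de:32000/dex"
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    jwt = ".".join([enc({"alg": "none"}), enc({"iss": iss, "sub": "test.user", "exp": exp}), "sig"])
    kube = os.path.join(root, ".kube")
    os.mkdir(kube)
    os.chmod(kube, 0o700)
    path = os.path.join(kube, "config")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(f"users:\n- name: your.username\n  user:\n    auth-provider:\n      config:\n"
                 f"        id-token: {jwt}\n        idp-issuer-url: {iss}\n      name: oidc\n")
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    sample = write_sample(tempfile.mkdtemp(), exp=1000, mode=0o644)
    for finding in audit_kubeconfig(sample):
        print(finding)
```

To check your own file, call audit_kubeconfig(os.path.expanduser("~/.kube/config")).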
Enter the CCU context
You should now be able to enter the CCU context with your username and the namespace "testing" set up in the kubeconfig file as follows:
> kubectl config use-context me@ccu
Try it out:
> kubectl get pods
You are probably not in a valid namespace corresponding to your user groups yet, so you will get an error which should look like this:
Error from server (Forbidden): pods is forbidden: User "https://ccu.uni-konstanz.de:32000/dex#test.user" cannot list resource "pods" in API group "" in the namespace "testing"