|
| 1 | +## Kubeconfig |
| 2 | + |
| 3 | +kubectl uses one file which is kubeconfig to authenticate itself |
| 4 | + |
| 5 | +if client want then it need private key and client certificate |
| 6 | + |
| 7 | +## How to access the kubeconfig file on our machine |
| 8 | + |
| 9 | +```bash |
| 10 | +rahulxf@Rahuls-MacBook-Air-3 ~ % cd $HOME/.kube/ |
| 11 | + |
| 12 | +rahulxf@Rahuls-MacBook-Air-3 .kube % ls -l |
| 13 | +total 160 |
| 14 | +drwxr-x---@ 4 rahulxf staff 128 Jan 17 22:46 cache |
| 15 | +-rw-------@ 1 rahulxf staff 31948 Feb 17 10:48 config |
| 16 | +-rw-r--r-- 1 rahulxf staff 7973 Feb 4 16:01 karmada-apiserver.config |
| 17 | +-rw------- 1 rahulxf staff 13415 Feb 11 19:28 karmada.config |
| 18 | +-rw-r--r-- 1 rahulxf staff 4 Feb 17 10:43 kubectx |
| 19 | +drwxr-xr-x 4 rahulxf staff 128 Feb 17 10:48 kubens |
| 20 | +-rw-r--r-- 1 rahulxf staff 16652 Feb 2 22:01 members.config |
| 21 | + |
| 22 | +rahulxf@Rahuls-MacBook-Air-3 .kube % |
| 23 | + |
| 24 | +rahulxf@Rahuls-MacBook-Air-3 .kube % vim config |
| 25 | +rahulxf@Rahuls-MacBook-Air-3 .kube % vim config |
| 26 | +``` |
| 27 | + |
| 28 | +* config is the kubeconfig file |
| 29 | + |
| 30 | +``` |
| 31 | +apiVersion: v1 |
| 32 | +clusters: |
| 33 | +- cluster: |
| 34 | +certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURQRENDQWlTZ0F3SUJBZ0lDQm5Zd0RRWUpLb1pJa...... |
| 35 | +server: https://cp1.localtest.me:9443 |
| 36 | +
|
| 37 | +name: cp1-cluster |
| 38 | +- cluster: |
| 39 | +server: "" |
| 40 | +
|
| 41 | +name: its1 |
| 42 | +- cluster: |
| 43 | +certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJlRENDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPU.... |
| 44 | +server: https://its1.localtest.me:9443 |
| 45 | +name: its1-cluster |
| 46 | +
|
| 47 | +contexts: |
| 48 | +- context: |
| 49 | +cluster: kind-cluster1 |
| 50 | +user: kind-cluster1 |
| 51 | +name: cluster1 |
| 52 | +
|
| 53 | +- context: |
| 54 | +cluster: kind-cluster2 |
| 55 | +user: kind-cluster2 |
| 56 | +name: cluster2 |
| 57 | +
|
| 58 | +users: |
| 59 | +- name: cp1-admin |
| 60 | +user: |
| 61 | +client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURSVENDQWkyZ0F3SUJBZ0lDQm5vd0RRWUpLb1pJaHZjTkFRRUxCUUF3UHpFVE1CRUdBMVVFQ2hNS1MzVmkKWlhKdVpYUmxjekVUTUJFR0ExVUVDeE1LUVZCSklGTmxjblpsY2pFVE1CRUdBMVVFQXhNS2EzVmlaWEp1WlhSbApjekFlRncweU5UQXhNVGN4TmpJek5UUmFGdzB6TlRB |
| 62 | +
|
| 63 | +client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcGdJQkFBS0NBUUVBM1l0MmgzVHp6NHgzYnU2akhJWXVDZHVKbWpTejNrSWtYVFczNEFHN2ZtR2hENS9DCjZNOFdtZGd1clFjU0doQVIyOENSaUhKUHoxckU4 |
| 64 | +
|
| 65 | +- name: its1-admin |
| 66 | +
|
| 67 | +user: |
| 68 | +
|
| 69 | +client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJrRENDQVRlZ0F3SUJBZ0lJVmloSTBuYzg0dDR3Q2dZS |
| 70 | +
|
| 71 | +client-key-data: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tNNDkKQXdFSG9VUURRZ0FFa1ZXYWNmbmwyTlg0L1d6NCthVS9JVzVyU05lSVhGZW5ROT |
| 72 | +
|
| 73 | +- name: kind-cluster1 |
| 74 | +
|
| 75 | +user: |
| 76 | +client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURLVENDQWhHZ0F3SUJBZ0lJR0ZhWGh1RFU4c2t3RFFZSktvWklW9 |
| 77 | +
|
| 78 | +client-key-data: LS0tLS |
| 79 | +``` |
| 80 | + |
| 81 | +How to add users |
| 82 | + |
| 83 | +``` |
| 84 | +$ kubectl config set-credentials devuser --client-certificate du.crt --client-key du.key |
| 85 | +
|
| 86 | +User "devuser" set. |
| 87 | +``` |
| 88 | + |
| 89 | +You also need to map it , i mean you need to add context for this user for the cluster |
| 90 | + |
| 91 | +``` |
| 92 | +$ kubectl config set-context --cluster kind-kind --user devuser |
| 93 | +
|
| 94 | +Context "devuser-kind" created |
| 95 | +``` |
| 96 | + |
| 97 | +``` |
| 98 | +- context: |
| 99 | + cluster: kind-kind |
| 100 | + user: devuser |
| 101 | + name: devuser-kind |
| 102 | +``` |
| 103 | + |
| 104 | +If you want to check which context we are using |
| 105 | + |
| 106 | +`$ kubectl config current-context` |
| 107 | + |
| 108 | +or |
| 109 | +you can install `kubectx` |
| 110 | + |
| 111 | +* Flow of kubectl for looking kubeconfig file |
| 112 | + 1) --kubeconfig flag to kubectl command |
| 113 | + 2) Then it will look for the environmental variable (env) |
| 114 | + 3) after in the last it will look for the $HOME/.kube/config file |
| 115 | + |
| 116 | +Suppose you want - 2,3 kubeconfig file as one file then you can do this like you can specify the kubeconfig file with colon(:) separated |
| 117 | + |
| 118 | +``` |
| 119 | +$ export KUBECONFIG=~/.kube/config:~/.kube/karmada.config:~/.kube/karmada-apiserver.config |
| 120 | +``` |
| 121 | + |
| 122 | +<img width="1120" alt="Screenshot 2025-02-18 at 11 21 48 PM" src="https://github.com/user-attachments/assets/d1d742bf-d308-42a8-bcf6-41b4d5c881da" /> |
| 123 | + |
| 124 | +To authenticate the user to kubernetes cluster we will do client certificate management |
| 125 | + |
| 126 | +docker ps (get the id ) |
| 127 | +docker exec -it <id> bash |
| 128 | +cd /etc/kubernetes/pki |
| 129 | +ls -l (you will see the key, csr and other files ) |
| 130 | + |
| 131 | + |
| 132 | +* So for creating private key and csr key you can run this command to generate |
| 133 | + |
| 134 | +<img width="1179" alt="shapes at 25-02-20 00 13 41" src="https://github.com/user-attachments/assets/2aedf2d0-8b1b-4a23-9ce0-c815020ec5fa" /> |
| 135 | + |
| 136 | +Generate new ssl key: |
| 137 | +----- |
| 138 | + |
| 139 | +``` |
| 140 | +$ openssl genrsa -out rahulxf.key 2048 |
| 141 | +``` |
| 142 | + |
| 143 | +Generate new certificate signing request for the issuer authority: |
| 144 | +---- |
| 145 | + |
| 146 | +``` |
| 147 | +#CN is the name of the user |
| 148 | +#O is the group name. When you will create the rolebinding do the binding based on group name. |
| 149 | +$ openssl req -new -key rahulxf.key -out rahulxf.csr -subj "/CN=rahulxf/0=developers" |
| 150 | +``` |
| 151 | + |
| 152 | +<img width="1157" alt="Screenshot 2025-02-19 at 12 46 29 AM" src="https://github.com/user-attachments/assets/c3cf391d-1a0a-4c4d-867f-da607225247f" /> |
| 153 | + |
| 154 | +<img width="986" alt="Screenshot 2025-02-19 at 12 56 19 AM" src="https://github.com/user-attachments/assets/850c5a52-7c21-44b0-89cc-1ce229dca0cd" /> |
| 155 | + |
| 156 | +The next step is to creating the user and setting up the context between the user and cluster in kubeconfig file |
| 157 | +------ |
| 158 | + |
| 159 | +``` |
| 160 | +# Adding user |
| 161 | +$ kubectl config set-credentials rahulxf --client-certificate rahulxf.crt --client-key rahulxf.key |
| 162 | +
|
| 163 | +# Creating context for the user and cluster |
| 164 | +$ kubectl config set-context rahulxf-kind --user rahulxf --cluster kind-cluster2 |
| 165 | +
|
| 166 | +``` |
| 167 | +<img width="937" alt="Screenshot 2025-02-20 at 12 17 04 AM" src="https://github.com/user-attachments/assets/6b653c3b-49e8-48f4-add9-9859023d9fe8" /> |
| 168 | + |
| 169 | +* Here you can look for the kubeconfig file |
| 170 | + |
| 171 | +<img width="1499" alt="Screenshot 2025-02-19 at 1 09 37 AM" src="https://github.com/user-attachments/assets/367eda1b-0ae6-4604-a2e7-62793769e42a" /> |
| 172 | + |
| 173 | +* see your context using command |
| 174 | + |
| 175 | +``` |
| 176 | +$ kubectl config current-context |
| 177 | +$ kubectl config get-contexts |
| 178 | +$ kubectl config use-context <context_name> |
| 179 | +
|
| 180 | +# OR use kubectx |
| 181 | +$ kubectx |
| 182 | +``` |
| 183 | +<img width="1094" alt="Screenshot 2025-02-19 at 1 10 23 AM" src="https://github.com/user-attachments/assets/093537f4-76b7-4f11-890e-77781eefa5cd" /> |
| 184 | + |
| 185 | +* allow namespaces |
| 186 | +<img width="1310" alt="Screenshot 2025-02-19 at 1 17 41 AM" src="https://github.com/user-attachments/assets/b9e2ca7c-ac1c-4b7c-9384-4ec96a951f15" /> |
| 187 | + |
| 188 | + |
| 189 | +* allow pods |
| 190 | +<img width="1310" alt="Screenshot 2025-02-19 at 1 23 04 AM" src="https://github.com/user-attachments/assets/9967a9df-bac0-42d9-9b3a-d177e764b2b5" /> |
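Review bot: line 149 writes the subject as `/CN=rahulxf/0=developers` with a digit zero, while the comment on line 148 describes `O` as the group name, so the certificate's organization is not set to `developers` and a RoleBinding on that group will not match; change it to `/CN=rahulxf/O=developers`. The text also never shows the step that turns `rahulxf.csr` into the `rahulxf.crt` consumed on line 161, so add that command in text rather than leaving it to the screenshots. On line 92 the `set-context` command has no context name even though the output on line 94 reports `devuser-kind`; pass the name explicitly as line 164 does. The kubeconfig sample on lines 61 to 78 includes `client-certificate-data` and `client-key-data` values; even truncated, replace them with a placeholder such as `<redacted>` so no private key material lands in the repository, and note that the `ls -l` output on lines 16 and 20 shows `karmada-apiserver.config` and `members.config` as `-rw-r--r--`, which is worth tightening to `0600` like `config`.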