Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BOP-1466] Client bundle docs #180

Open
byDimasik opened this issue Nov 7, 2024 · 2 comments
Open

[BOP-1466] Client bundle docs #180

byDimasik opened this issue Nov 7, 2024 · 2 comments
Assignees
Labels
Docs-B Should Do
Milestone

Comments

@byDimasik
Copy link
Collaborator

byDimasik commented Nov 7, 2024

Description

In addition to the MKE Dashboard, users can use kubectl to access and manipulate the MKE 4 cluster. To use kubectl, each user needs a kubeconfig file. This article describes how MKE 4 cluster admins can create kubeconfig files for themselves or other users.

Comparison with MKE 3 client bundles

In MKE 3, users could download client certificate bundles that included a kubeconfig file in addition to certificate files used to configure Docker CLI. In MKE 4, there is no need for a bundle, just the kubeconfig file is sufficient as it already has all necessary certificates embedded.

In MKE 3, client bundles could be created by admin users for any other users, or by non-admin users only for themselves. Previously created client bundles could be viewed and revoked.

Currently, in MKE 4, only admin users are able to create kubeconfig files. Previously created kubeconfig files cannot be viewed or revoked. Thus, the expiration time of the certificates used in the kubeconfig files should be set appropriately.

Below is the table that lists all major differences between MKE 3 client bundles and MKE 4 kubeconfig files:

Feature MKE 3 client bundles MKE 4 kubeconfig files
Create by admins for other users
Create by admins for themselves
Create by non-admins for other users
Create by non-admins for themselves
View previously created bundles
Revoke previously created bundles
Set expiration time of certificates
Can be generated from MKE UI
Non-admin certs are issued by a separate CA that is trusted by kube API server, but not trusted by other components like kubelet

Create

The only way to create a kubeconfig file for a specific user is to run the shell script below as an admin user. You should run the script below from the same place where you previously configured your MKE 4 cluster with mkectl apply. Alternatively, you may run the script if another admin previously issued you a kubeconfig file with admin-level permissions.

Prerequisites

Steps

  1. If you haven't already, create a new user ("Access Control" -> "Users") and assign them a role ("Access Control" -> "Permissions")
  2. In a terminal session where you are already able to use kubectl as an MKE 4 cluster administrator, set the following variables:
    # username of the target user 
    USERNAME=
    
    # expiration time in days
    EXPIRES_IN_DAYS=7
    
    # expiration time in seconds is automatically calculated from EXPIRES_IN_DAYS
    EXPIRES_IN_SECONDS=$((EXPIRES_IN_DAYS * 24 * 60 * 60))
    
    # the default kubeconfig location for MKE 4 clusters created by mkectl apply. Do not change unless you know what you're doing
    KUBECONFIG=~/.mke/mke.kubeconf
    Make sure you set the expiration time to a reasonable value. You will not be able to revoke the certificates used by the new kubeconfig file. The default value is 7 days.
  3. Run the following commands in the terminal session. It will create a kubeconfig file in the same directory <username>.kubeconfig
    export KUBECONFIG
    
    openssl genrsa -out $USERNAME.key 2048
    openssl req -new -key $USERNAME.key -out $USERNAME.csr -subj "/CN=$USERNAME"
    
    CSR_CONTENT=$(cat $USERNAME.csr | base64 | tr -d '\n')
    CSR_NAME=$USERNAME-csr-$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 10; echo)
    
    cat <<EOF | envsubst | kubectl apply -f -
    apiVersion: certificates.k8s.io/v1
    kind: CertificateSigningRequest
    metadata:
      name: $CSR_NAME
    spec:
      request: $CSR_CONTENT
      signerName: kubernetes.io/kube-apiserver-client
      expirationSeconds: $EXPIRES_IN_SECONDS
      usages:
      - client auth
    EOF
    
    kubectl certificate approve "$CSR_NAME"
    kubectl get csr "$CSR_NAME" -o jsonpath='{.status.certificate}' | base64 --decode > $USERNAME.crt
    
    kubectl config view --minify --flatten > $USERNAME.kubeconfig
    kubectl config unset users --kubeconfig=$USERNAME.kubeconfig > /dev/null
    kubectl config unset contexts --kubeconfig=$USERNAME.kubeconfig > /dev/null
    
    kubectl config set-credentials $USERNAME --client-certificate=$USERNAME.crt --client-key=$USERNAME.key --embed-certs=true --kubeconfig=$USERNAME.kubeconfig
    kubectl config set-context mke-$USERNAME --cluster=mke --user=$USERNAME --kubeconfig=$USERNAME.kubeconfig
    kubectl config use-context mke-$USERNAME --kubeconfig=$USERNAME.kubeconfig
    
    rm $USERNAME.crt $USERNAME.csr $USERNAME.key
  4. You can now send the generated <username>.kubeconfig file to the target user. They can use it to access the MKE 4 cluster with kubectl --kubeconfig.

Warning

The certificates issued with these steps may be used to access kubelet because the signer we used to sign our certs is the same as the kubelet client CA. To prevent any security risks, admins should ensure that kubelet is not accessible from outside of the cluster.

List

Currently, there is no way to list previously created kubeconfig files.

Revoke

Currently, there is no way to revoke previously created kubeconfig files.

@byDimasik byDimasik changed the title Client bundle docs [BOP-1466] Client bundle docs Nov 7, 2024
@rleap-m
Copy link
Collaborator

rleap-m commented Nov 14, 2024

Since I heard it mentioned about the tedium of producing the kubeconfig files in the TOI just thought I'd drop a link to the script I created which will create the kubeconfig files for migrated MKE3 admins here for ease of reference:

create_mke_cluster_admin_kubeconfig_files.sh

Cheers!

@ry4nz ry4nz added this to the 4.0.0 milestone Nov 18, 2024
@KoryKessel-Mirantis KoryKessel-Mirantis self-assigned this Dec 11, 2024
@KoryKessel-Mirantis KoryKessel-Mirantis added the Docs-B Should Do label Dec 11, 2024
@dockerpac
Copy link
Contributor

Please note that k0s provides a command to automate this process: https://docs.k0sproject.io/stable/user-management/

The process is straightforward—just run the following command on a controller, and the kubeconfig is displayed in the standard output:

$ k0s kubeconfig create toto --groups dev

However, I don’t believe managing users via x509 certificates is an ideal approach for several reasons:

1. Lack of Integration with Dex
Users created this way have no correlation with Dex-managed users. It’s possible to generate x509 certificates for users who don’t exist in Dex, which feels inconsistent and awkward.

2. No Certificate Revocation
There’s no mechanism to revoke these certificates, which presents a significant security risk. For example, in MKE3, x509 certificates were also used, but if a user was deleted from MKE, they would automatically lose access to the cluster via their client bundle.

3. Limited and Inflexible Group Membership Management
While it’s possible to assign groups to a user during certificate issuance (e.g., by adding O= to the subject name), The user’s group membership is determined when the certificate is generated. This means any changes to the group structure or the user’s roles require issuing a new certificate, which is not practical for dynamic or large-scale environments.
Group membership must be managed by DEX, using whatever authentication configured by the customer : dex local users (which I'm not sure it can manage groups), LDAP, SAML, OIDC, ...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Docs-B Should Do
Projects
None yet
Development

No branches or pull requests

5 participants