I created the csr and approved it -
$ kubectl get csr
NAME AGE REQUESTOR CONDITION
parth-csr 28m kubernetes-admin Approved,Issued
Created the certificate using kubectl, with only the username parth and the group devs:
        Issuer: CN=kubernetes
        Validity
            Not Before: Dec 16 18:51:00 2019 GMT
            Not After : Dec 15 18:51:00 2020 GMT
        Subject: O=devs, CN=parth
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
Here, I want to do the authentication on the basis of the group devs.
Clusterrole.yaml is as follows -
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devs
rules:
  # Core-group resources (apiGroups "" only matches resources of the core API group)
  - apiGroups: [""]
    resources: ["nodes", "pods", "secrets", "pods/log", "configmaps", "services", "endpoints"]
    verbs: ["get", "watch", "list"]
  # Deployments live in the "apps" group, jobs and cronjobs in "batch";
  # a rule with apiGroups [""] never matches them
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "watch", "list"]
Clusterrolebinding.yaml is as follows -
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devs-clusterrolebinding
subjects:
  - kind: Group
    name: devs # Name is case sensitive
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: devs
  apiGroup: rbac.authorization.k8s.io
Kubeconfig file is as follows -
apiVersion: v1
clusters:
  - cluster:
      certificate-authority-data: XXXXXXXXXXXXX
      server: https://XX.XX.XX.XX:6443
    name: kubernetes
contexts:
  - context:
      cluster: kubernetes
      user: parth
    name: dev
current-context: "dev"
kind: Config
preferences: {}
users:
  - name: parth
    user:
      client-certificate: /etc/kubernetes/access-credentials/parth/parth.crt
      client-key: /etc/kubernetes/access-credentials/parth/parth.key
As I want to do auth using the group only, I am getting the following error -
$ kubectl get nodes
error: You must be logged in to the server (Unauthorized)
I am running k8s on bare metal. Group-based auth reference from the official docs - https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding
After manually signing the certificate using the API server CA, it got fixed.
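Added example (not part of the question or the answer): a small, dependency-free model of what the API server does with the certificate and RBAC objects above once the certificate is trusted. The x509 authenticator takes the CN as the username and every O= as a group, and RBAC then matches Group subjects in bindings; the role rules are transcribed from the ClusterRole above with deployments and jobs placed under their real API groups (apps and batch).

```python
# Model of the x509 authenticator + RBAC evaluation for the objects on this page.
# Everything here is a constructed approximation, not the API server's own code.

CERT_SUBJECT = "Subject: O=devs, CN=parth"   # subject line from the openssl output above

CLUSTER_ROLES = {
    "devs": [
        {"apiGroups": [""], "resources": ["nodes", "pods", "secrets", "pods/log",
         "configmaps", "services", "endpoints"], "verbs": ["get", "watch", "list"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "watch", "list"]},
        {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": ["get", "watch", "list"]},
    ]
}
CLUSTER_ROLE_BINDINGS = [
    {"subjects": [{"kind": "Group", "name": "devs"}], "roleRef": "devs"},
]

def identity_from_subject(subject_line):
    """CN -> username, each O -> a group, as the x509 client-cert authenticator does."""
    user, groups = None, []
    for part in subject_line.split(":", 1)[1].split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    return user, groups

def _subject_matches(subject, user, groups):
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups   # group names are case sensitive
    return False

def _rule_matches(rule, verb, api_group, resource):
    return ((api_group in rule["apiGroups"] or "*" in rule["apiGroups"])
            and (resource in rule["resources"] or "*" in rule["resources"])
            and (verb in rule["verbs"] or "*" in rule["verbs"]))

def can_i(user, groups, verb, api_group, resource):
    """Rough equivalent of 'kubectl auth can-i' for cluster-scoped bindings only."""
    for binding in CLUSTER_ROLE_BINDINGS:
        if any(_subject_matches(s, user, groups) for s in binding["subjects"]):
            for rule in CLUSTER_ROLES[binding["roleRef"]]:
                if _rule_matches(rule, verb, api_group, resource):
                    return True
    return False
```

Running `can_i` with the identity taken from `CERT_SUBJECT` shows that `get nodes` is authorized purely through the group, so an Unauthorized (401) response points at authentication, i.e. the certificate not chaining to the API server's client CA, rather than at these RBAC objects.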
I see you have given permission to groups and not to a user. In that case you need to use impersonation as a group:
kubectl get nodes --as-group=devs