
Wednesday, May 24, 2023

Kubernetes Commands

Creating a service account (imperative) - kubectl create serviceaccount k8s-svc-account


Declarative way of creating a service account:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: k8s-svc-account

Listing service accounts - kubectl get serviceaccounts

Rendering service account details - kubectl describe serviceaccount k8s-svc-account

Listing roles - kubectl get roles

Listing deployments - kubectl get deployments

Deleting deployments - kubectl delete deployment myapp

Initializing Control Plane node

kubeadm init --pod-network-cidr 172.16.0.0/16 --apiserver-advertise-address 10.1.1.1

Deploy a Container Network Interface (CNI) plugin so that pods can communicate with each other:

kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"

Verify that the control plane node reports "Ready" status - kubectl get nodes


Joining worker nodes - kubeadm join 10.1.1.1:6443 --token xxxxxxx --discovery-token-ca-cert-hash sha256:xxxxx

Creating roles - imperative approach

$ kubectl create role read-only --verb=list,get,watch \
  --resource=pods,deployments,services
role.rbac.authorization.k8s.io/read-only created

Kubernetes RBAC Authentication strategies

Kubernetes requires that every call to the API server be authenticated as a user. For that purpose it offers the following authentication methods:

1. X.509 client certificates = Authenticate with a client certificate (for example one generated with OpenSSL) signed by the cluster CA
2. Basic authentication = Authenticate with a username and password
3. Bearer tokens = Authenticate with OpenID Connect (a flavor of OAuth2) tokens or via webhooks


Steps for setting up X.509 client certificate-based authentication:

  1. Log into the Kubernetes control plane node and create a temporary directory that will hold the generated keys. Navigate into the directory:

    $ mkdir cert && cd cert
  2. Create a private key using the openssl executable. Use a descriptive file name, such as <username>.key:

    $ openssl genrsa -out johndoe.key 2048
    Generating RSA private key, 2048 bit long modulus
    ..............................+
    ..+
    e is 65537 (0x10001)
    $ ls
    johndoe.key
  3. Create a certificate signing request (CSR) in a file with the extension .csr. You need to provide the private key from the previous step. The -subj option provides the username (CN) and the group (O). The following command uses the username johndoe and the group named user-group. To avoid assigning the user to a group, leave off the /O component of the subject:

    $ openssl req -new -key johndoe.key -out johndoe.csr -subj \
      "/CN=johndoe/O=user-group"
    $ ls
    johndoe.csr johndoe.key
  4. Lastly, sign the CSR with the Kubernetes cluster certificate authority (CA). The CA can usually be found in the directory /etc/kubernetes/pki and needs to contain the files ca.crt and ca.key. We are going to use minikube here, which stores those files in the directory ~/.minikube. The following command signs the CSR and makes it valid for 364 days:

    $ openssl x509 -req -in johndoe.csr -CA ~/.minikube/ca.crt -CAkey \
      ~/.minikube/ca.key -CAcreateserial -out johndoe.crt -days 364
    Signature ok
    subject=/CN=johndoe/O=user-group
    Getting CA Private Key
    
  5. Create the user in Kubernetes by setting a user entry in kubeconfig for johndoe. Point to the CRT and key file. Set a context entry in kubeconfig for johndoe:

    $ kubectl config set-credentials johndoe \
      --client-certificate=johndoe.crt --client-key=johndoe.key
    User "johndoe" set.
    $ kubectl config set-context johndoe-context --cluster=minikube \
      --user=johndoe
    Context "johndoe-context" modified.
  6. To switch to the user, use the context named johndoe-context. You can check the current context using the command config current-context:

    $ kubectl config use-context johndoe-context
    Switched to context "johndoe-context".
    $ kubectl config current-context
    johndoe-context
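The X.509 steps above end with a context that presents johndoe's certificate, and the read-only role created earlier only takes effect once a RoleBinding names that user. The following Python is an added illustration, not code from this page, from kubectl or from Kubernetes: it models the two halves offline, how the API server reads the certificate subject (CN becomes the username, each O becomes a group, and every authenticated caller also joins system:authenticated) and how a Role plus RoleBinding decides a request, answering the same question as kubectl auth can-i. The Role rules mirror the imperative kubectl create role read-only command above; the RoleBinding, the default namespace and the ServiceAccount subject are constructed for the example.

```python
"""Offline model of certificate identity and Role/RoleBinding authorization.

Added illustration for this page, not Kubernetes or kubectl code.  Scope is
deliberately narrow: namespaced Role bindings only (no ClusterRole, no
resourceNames, no non-resource URLs).
"""

from dataclasses import dataclass, field


@dataclass
class Identity:
    user: str
    groups: list = field(default_factory=list)


def identity_from_subject(subject: str) -> Identity:
    """Turn an OpenSSL-style subject such as `subject=/CN=johndoe/O=user-group`
    into the identity the API server sees: CN is the username, each O is a
    group, and every authenticated caller is also in system:authenticated."""
    subject = subject.strip()
    if subject.startswith("subject="):
        subject = subject[len("subject="):]
    cn, groups = None, []
    for rdn in subject.strip("/").split("/"):
        key, _, value = rdn.partition("=")
        if key == "CN":
            cn = value
        elif key == "O":
            groups.append(value)
    if not cn:
        raise ValueError("no CN in subject: the API server cannot derive a username")
    return Identity(user=cn, groups=groups + ["system:authenticated"])


# Rules equivalent to the imperative command on this page:
#   kubectl create role read-only --verb=list,get,watch \
#     --resource=pods,deployments,services
# pods and services live in the core ("") API group, deployments in "apps".
ROLES = {
    ("default", "read-only"): {
        "rules": [
            {"apiGroups": [""], "resources": ["pods", "services"],
             "verbs": ["list", "get", "watch"]},
            {"apiGroups": ["apps"], "resources": ["deployments"],
             "verbs": ["list", "get", "watch"]},
        ]
    }
}

# Constructed RoleBinding (not on the page): grants read-only in "default"
# to the certificate user johndoe and to the k8s-svc-account ServiceAccount.
BINDINGS = [
    {
        "namespace": "default",
        "roleRef": {"kind": "Role", "name": "read-only"},
        "subjects": [
            {"kind": "User", "name": "johndoe"},
            {"kind": "ServiceAccount", "name": "k8s-svc-account",
             "namespace": "default"},
        ],
    }
]


def subject_matches(subject: dict, who: Identity) -> bool:
    """Binding subjects match by exact username, by group membership, or by the
    system:serviceaccount:<ns>:<name> username a ServiceAccount token carries."""
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == who.user
    if kind == "Group":
        return subject["name"] in who.groups
    if kind == "ServiceAccount":
        return who.user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False


def rule_allows(rule: dict, verb: str, api_group: str, resource: str) -> bool:
    """A rule matches when each of verb, apiGroup and resource is listed or
    wildcarded.  RBAC has no deny rules: anything not granted is denied."""
    def listed(values, wanted):
        return "*" in values or wanted in values
    return (listed(rule["verbs"], verb) and listed(rule["apiGroups"], api_group)
            and listed(rule["resources"], resource))


def can_i(who: Identity, verb: str, resource: str, api_group: str = "",
          namespace: str = "default", roles=ROLES, bindings=BINDINGS) -> bool:
    """Offline equivalent of `kubectl auth can-i <verb> <resource> --as <user>`
    for Role bindings in one namespace."""
    for binding in bindings:
        if binding["namespace"] != namespace:
            continue
        if not any(subject_matches(s, who) for s in binding["subjects"]):
            continue
        role = roles.get((namespace, binding["roleRef"]["name"]))
        if role and any(rule_allows(r, verb, api_group, resource) for r in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    johndoe = identity_from_subject("subject=/CN=johndoe/O=user-group")
    print(johndoe)
    for verb, res, grp in [("get", "pods", ""), ("list", "deployments", "apps"),
                           ("delete", "pods", ""), ("get", "secrets", "")]:
        print(f"{johndoe.user} can {verb} {res}: {can_i(johndoe, verb, res, grp)}")
```

Running it shows johndoe can get pods and list deployments, but is denied delete on pods, any access to secrets, and everything outside the default namespace, which is exactly the least-privilege outcome a read-only binding should give. Against a real cluster the same questions are answered by kubectl auth can-i get pods --as johndoe and, for the full picture of what a binding grants, kubectl auth can-i --list --as johndoe.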