What is wrong in the steps followed ? @unnivkn @Tej_Singh_Rana Please help here . . .

Kubernetes-Slack Discussions
#1

MSK:
What is wrong in the steps followed ? @unnivkn @Tej_Singh_Rana Please help here as everytime it is in showing Incomplete while validating results

root@controlplane:~# 
root@controlplane:~# cat /root/CKA/john.csr | base64 | tr -d "\n"
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZEQ0NBVHdDQVFBd0R6RU5NQXNHQTFVRUF3d0VhbTlvYmpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRApnZ0VQQURDQ0FRb0NnZ0VCQU5JU05wYnB3OWduZERTejdMeFQ1VGFwZWJGaEtPQjRhYXkwU3E5bmRRQzdEeVRyCmtmbGZNeFdpU0YvbndDNDFBZ0UrTHViWHh1ak50b29oT2lsY1dFdXIvcTg4Uk5sYTdDKzVVRFFmSUlqNW9XVUgKWmQrd3ZmaFJ4UGNrRzY3dEswQVRRNzRkOExOdzhCcXRlMFZGVmZuOTQ4RnBZckhNSlRFbkY5UmhBOUx2MnFKVQpuS0Z0RmpROWhhRWxDTmNyS09pSm1yMjJFU3pUMGo2OEtEWEcrVGZZbDQ1UWpEL3VLQkI3c2MxWU1DempSeSt2CmpmeGRBU3lndlg0M2VRaEtuZDR3M29LS2NEMVN1TzZNVkNWY3VEVWgwQ2h4SXhpVE9CRjdIbUdNRnZYY05YdW0KK0RLY0lhUnJQN1dqbThuN2toV0ZCRlFzOGxHWUhlVTVHRGNiVVZrQ0F3RUFBYUFBTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQm9XVmlEbm01M3VVZm1yc25GNmhxQ2ZvQUUrcForcmZNbDE3MmMveHVnbW5ZQjM4VzhPdWc2CmFLQVFKdFp3Y1UxU3oxdS9MSFo1VlM5blpJTW0rVmIreFhLS1YzSk5XZ2Z3N05RdUs1UzdRNlBaQmJGWTFzaFMKSHFFYlJkOEVxVkpjRGlLdkZPMUxuUFdpUHhWRHVjRzc1TTVWQ3FjU0RWZVBtRFBqUHlQYWhzVUZCVnFzcm5DUgpYZlExc01vWmd6RnpITU0wdEkwU3EydzRuUURIajgxb2JyUzJmVXJ4ekRBNXBLV0FsMEdRbkYwU3BqUUZEaGQ3ClRVa2srYVhuTzZuVHVjTUkxcXJGbnpQbzRIbmNlYXppSHprcitqWTBTZE9uRWsyVkpFTjJubGltY21OMTRLME8Kb1Z1MWovVmRWM1lBaUxxNUYrZy9kR0hscG5EQW1MSUkKLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==root@controlplane:~# 
root@controlplane:~# 
root@controlplane:~# vi 06-john-csr.yaml
root@controlplane:~# 
root@controlplane:~# 
root@controlplane:~# vi 06-john-csr.yaml
root@controlplane:~# 
root@controlplane:~# k apply -f 06-john-csr.yaml 
<http://certificatesigningrequest.certificates.k8s.io/john|certificatesigningrequest.certificates.k8s.io/john> created
root@controlplane:~# 
root@controlplane:~# 
root@controlplane:~# k get csr
NAME        AGE   SIGNERNAME                                    REQUESTOR                 CONDITION
csr-djqwr   33m   <http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet>   system:bootstrap:dlkd6b   Approved,Issued
john        6s    <http://kubernetes.io/kube-apiserver-client|kubernetes.io/kube-apiserver-client>           kubernetes-admin          Pending
root@controlplane:~# 
root@controlplane:~# 
root@controlplane:~# 
root@controlplane:~# kubectl certificate approve john
<http://certificatesigningrequest.certificates.k8s.io/john|certificatesigningrequest.certificates.k8s.io/john> approved
root@controlplane:~# 
root@controlplane:~# 
root@controlplane:~# k get csr
NAME        AGE   SIGNERNAME                                    REQUESTOR                 CONDITION
csr-djqwr   34m   <http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet>   system:bootstrap:dlkd6b   Approved,Issued
john        50s   <http://kubernetes.io/kube-apiserver-client|kubernetes.io/kube-apiserver-client>           kubernetes-admin          Approved,Issued
root@controlplane:~# 
root@controlplane:~# 
root@controlplane:~# 
root@controlplane:~# 
root@controlplane:~# k create role dev-role --resource=pods --verb=create,list,get,update,delete -n development
<http://role.rbac.authorization.k8s.io/dev-role|role.rbac.authorization.k8s.io/dev-role> created
root@controlplane:~# 
root@controlplane:~# 
root@controlplane:~# k describe role -n development dev-role
Name:         dev-role
Labels:       &lt;none&gt;
Annotations:  &lt;none&gt;
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [create list get update delete]
root@controlplane:~# 
root@controlplane:~# 
root@controlplane:~# 
root@controlplane:~# k create rolebinding dev-role-john --user=john --role=dev-role -n development
<http://rolebinding.rbac.authorization.k8s.io/dev-role-john|rolebinding.rbac.authorization.k8s.io/dev-role-john> created
root@controlplane:~# 
root@controlplane:~# 
root@controlplane:~# k describe rolebinding dev-role-john -n development
Name:         dev-role-john
Labels:       &lt;none&gt;
Annotations:  &lt;none&gt;
Role:
  Kind:  Role
  Name:  dev-role
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
  User  john  
root@controlplane:~# 
root@controlplane:~# 
root@controlplane:~# 
root@controlplane:~# k auth can-i delete po -n development --as john
yes
root@controlplane:~# 
root@controlplane:~# 
root@controlplane:~#
#2

Tanuja SM:

root@controlplane:~# k apply -f 06-john-csr.yaml 
<http://certificatesigningrequest.certificates.k8s.io/john|certificatesigningrequest.certificates.k8s.io/john> created

the CSR name is wrong… it is given in question to use the below specifications

• CSR: john-developer Status:Approved
• Role Name: developer, namespace: development, Resource: Pods
• Access: User ‘john’ has appropriate permissions

#3

Tanuja SM:

image.png
image.png815×175 6.83 KB

#4

Tanuja SM:
root@controlplane:~/CKA# vi john.yaml
root@controlplane:~/CKA# kubectl apply -f john.yaml
http://certificatesigningrequest.certificates.k8s.io/john-developer|certificatesigningrequest.certificates.k8s.io/john-developer created

root@controlplane:~/CKA# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
csr-jc2fq 10m http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet system:node:controlplane Approved,Issued
csr-m6pbj 9m23s http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet system:bootstrap:fr0fzz Approved,Issued
john-developer 6s http://kubernetes.io/kube-apiserver-client|kubernetes.io/kube-apiserver-client kubernetes-admin Pending

root@controlplane:~/CKA# kubectl certificate approve john-developer
http://certificatesigningrequest.certificates.k8s.io/john-developer|certificatesigningrequest.certificates.k8s.io/john-developer approved

root@controlplane:~/CKA# kubectl create role developer -n development --verb=create,list,get,update,delete --resource=pods
http://role.rbac.authorization.k8s.io/developer|role.rbac.authorization.k8s.io/developer created

root@controlplane:~/CKA# kubectl create rolebinding developer-binding --role=developer -n development --user=john
http://rolebinding.rbac.authorization.k8s.io/developer-binding|rolebinding.rbac.authorization.k8s.io/developer-binding created

root@controlplane:~/CKA# kubectl auth can-i -n development delete pods --as john
yes

#5

MSK:
@Tanuja SM Thanks for the reply, but where does this user john come from. The CSR has the name: john-developer and in the role-binding we are binding the created role to user john.
I’m confused with the 2 names : CSR named john-developer and the user used in rolebinding : john

So, there is no such user named john at OS level…
But looking at the csr file created already john.csr it has Common Name: john.

So, does K8, binds the role with this CN name from csr file in rolebinding step.

root@controlplane:~# openssl req -text -noout -verify -in /root/CKA/john.csr
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = john
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
#6

unnivkn:
I believe controlplane may be a container, not the actual docker host. probably the john user may be there in docker host, which we don’t have access to it. :thinking_face: