FYI: how to authenticate (X.509 client certificate) and authorize (RBAC) a new user -
-
Create a private key and CSR with openssl -
openssl req -new -newkey rsa:4096 -nodes -keyout ops-k8s.key -out ops-k8s.csr -subj "/CN=ops/O=devops"
The above cmd creates a CSR for user ops. Kubernetes maps the certificate CN to the username and each O to a group, so this cert identifies user "ops" in group "devops". Note that -nodes leaves the private key unencrypted: ops-k8s.key IS the user's credential, so keep it off shared storage. Ideally the user generates the key on their own machine and sends only the .csr; the admin never needs the key.
-
Copy the (single-line) output of
cat ops-k8s.csr | base64 | tr -d '\n'
-
Paste it into the spec.request field of csr.yaml (the CSR object template at the end of this note marks where)
-
Create the CSR Kubernetes object (the identity that runs this becomes the CSR's recorded requester) -
kubectl apply -f csr.yaml
-
Before approving, check that the pending request really carries the subject you expect (approval is a privileged action and Kubernetes has no revocation for client certs - once signed, the cert is valid until it expires) -
kubectl get csr ops-k8s-access -o jsonpath='{.spec.request}' | base64 --decode | openssl req -noout -subject
Approve the CSR -
kubectl certificate approve ops-k8s-access
-
Now fetch the signed certificate (status.certificate is filled in by the signing controller shortly after approval; if the output file is empty, wait a moment and re-run) -
kubectl get csr ops-k8s-access -o jsonpath='{.status.certificate}' | base64 --decode > ops-k8s-access.crt
-
Now to create the kubeconfig, we need CA cert, ops cert(one we have above) -
kubectl config view -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' --raw | base64 --decode - > k8s-ca.crt
-
Running the below will create a kubeconfig template with current CA’s certificate -
kubectl config set-cluster $(kubectl config view -o jsonpath='{.clusters[0].name}') --server=$(kubectl config view -o jsonpath='{.clusters[0].cluster.server}') --certificate-authority=k8s-ca.crt --kubeconfig=ops-k8s-config --embed-certs
-
This will add ops cert into the kubeconfig -
kubectl config set-credentials ops --client-certificate=ops-k8s-access.crt --client-key=ops-k8s.key --embed-certs --kubeconfig=ops-k8s-config
-
This will add the context for the ops user, defaulting to the "default" namespace (the same namespace the Role/RoleBinding below are scoped to)
kubectl config set-context ops --cluster=$(kubectl config view -o jsonpath='{.clusters[0].name}') --namespace=default --user=ops --kubeconfig=ops-k8s-config
-
kubectl config use-context ops --kubeconfig=ops-k8s-config
#Now pass the "ops-k8s-config" file to the ops team as their kubeconfig. It embeds the private key, so hand it over through a secure channel, and prefer one cert per person over a shared "ops" identity so audit logs attribute actions to an individual.
- apply the Role and RoleBinding (the cert only authenticates the user; without an RBAC binding every request is denied)
kubectl apply -f role.yaml
kubectl apply -f rolebinding.yaml
Role (role.yaml):
# role.yaml: namespace-scoped permissions granted to the ops user.
# NOTE(review): "create" on pods is a strong grant - a pod can mount any Secret
# or ServiceAccount token in this namespace, and unless Pod Security admission
# enforces a restricted profile it can also run privileged or with hostPath.
# Keep this Role limited to one namespace and review before widening verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: create-pod
  namespace: default
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - create
      - delete
RoleBinding (rolebinding.yaml):
# rolebinding.yaml: binds the create-pod Role to the user "ops".
# The subject name must match the certificate CN exactly (CN -> username).
# The cert's O=devops group is deliberately not bound here; only the "ops"
# user receives these permissions, and only in the default namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-grantor-binding
  namespace: default
subjects:
  - kind: User
    name: ops
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: create-pod
  apiGroup: rbac.authorization.k8s.io
CSR object template (csr.yaml):
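# csr.yaml: CertificateSigningRequest for the ops user.
# certificates.k8s.io/v1beta1 was removed in Kubernetes 1.22; the v1 API also
# requires signerName. kubernetes.io/kube-apiserver-client is the signer for
# certificates used to authenticate to the API server, and it requires the
# "client auth" usage.
# spec.username / spec.groups are set by the API server from the identity
# that creates the CSR, so they are not specified here.
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ops-k8s-access
spec:
  # Replace with the single-line output of: cat ops-k8s.csr | base64 | tr -d '\n'
  request: ""
  signerName: kubernetes.io/kube-apiserver-client
  # Optional (v1.22+): request a shorter lifetime. Client certs cannot be
  # revoked, so a short expiry is the only way to bound a leaked key. The
  # signer may cap this value at its configured maximum.
  # expirationSeconds: 7776000  # 90 days
  usages:
    - client auth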