
Multi User Setup (Optional)

In order to run the labs in a multi-user environment (e.g. multiple lab groups leveraging the same cluster), several configurations are needed. This section will guide you through the setup process.

✅ Step 1: Define Environment Variables

Create a file named env (the script below loads it with `source ./env`, so it must sit in the directory you run the script from) with the following content:

user="group-one"                  # Name of the ServiceAccount (and of the generated kubeconfig file) to create/delete; it only gets permissions inside allowed_namespace
allowed_namespace="group-one" # Namespace the ServiceAccount, Role, RoleBinding and token Secret are created in; keep this value as given
file_path="$HOME/.kube" # Directory where the user's kubeconfig file (which embeds the account token) is written

✅ Step 2: Create the Management Script

Create a file named manage-user.sh:

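#!/bin/bash
# manage-user.sh: create or delete a namespace-scoped lab user (ServiceAccount,
# Role, RoleBinding and token Secret) together with a kubeconfig file for it.
# Settings are read from ./env: user, allowed_namespace, file_path.

# -e: stop on the first failing command; pipefail: a failing kubectl inside a
# pipeline (e.g. "kubectl get ... | base64") must not be masked by the last stage.
set -eo pipefail

# The env file is resolved relative to the current directory, not the script.
if [[ ! -f ./env ]]; then
  echo "env file not found: expected ./env in $(pwd)" >&2
  exit 1
fi
# shellcheck source=./env
source ./env

# Fail early with a clear message if the env file left a setting empty;
# otherwise later kubectl calls would act on an empty name or namespace.
: "${user:?must be set in ./env}"
: "${allowed_namespace:?must be set in ./env}"
: "${file_path:?must be set in ./env}"

# Name of the service-account token Secret created for this user.
secret_name="${user}-token"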

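#######################################
# Write a kubeconfig for the service account to "${file_path}/${user}".
# Globals:   user, allowed_namespace, secret_name, file_path (read)
# Outputs:   progress and usage hints on stdout, errors on stderr
# Returns:   0 on success; 1 if the token Secret never becomes readable
#######################################
create_kubeconfig_file() {
  local target="${file_path}/${user}"
  local -r max_attempts=60   # 60 * 2s; the token controller fills the Secret asynchronously
  local attempt=0
  local ca_crt token cluster_name server_url

  # Wait until ca.crt is populated; bail out instead of spinning forever.
  while ! kubectl get -n "$allowed_namespace" secret "$secret_name" -o jsonpath='{.data.ca\.crt}' &> /dev/null; do
    attempt=$((attempt + 1))
    if (( attempt >= max_attempts )); then
      echo "Timed out waiting for secret \"${secret_name}\" in namespace \"${allowed_namespace}\"." >&2
      return 1
    fi
    echo "Waiting for secret to be ready..."
    sleep 2
  done

  ca_crt=$(kubectl get -n "$allowed_namespace" secret "$secret_name" -o jsonpath='{.data.ca\.crt}')
  token=$(kubectl get -n "$allowed_namespace" secret "$secret_name" -o jsonpath='{.data.token}' | base64 --decode)

  cluster_name=$(kubectl config view --minify -o jsonpath='{.contexts[0].context.cluster}')
  # Reuse the current context's server URL verbatim instead of re-assembling
  # host:6443, so a non-default API port or an IPv6 address keeps working.
  server_url=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')

  mkdir -p -- "$file_path"
  # The file embeds a long-lived bearer token: create it owner-readable only.
  (
    umask 077
    cat <<EOF > "$target"
apiVersion: v1
kind: Config
clusters:
  - name: $cluster_name
    cluster:
      certificate-authority-data: $ca_crt
      server: $server_url
contexts:
  - name: ${user}@${cluster_name}
    context:
      cluster: $cluster_name
      user: $user
      namespace: $allowed_namespace
current-context: ${user}@${cluster_name}
users:
  - name: $user
    user:
      token: $token
EOF
  )
  # Also tighten a pre-existing file that may have been created with a wider mode.
  chmod 600 -- "$target"

  echo "The kubeconfig file named \"${user}\" has been created."
  echo "Usage example:"
  # The Role only grants access inside allowed_namespace, so the example uses it.
  echo " kubectl --kubeconfig=\"${target}\" get pods -n ${allowed_namespace}"
  echo " kubectl --kubeconfig=\"${target}\" apply -f ./simple-sa.yaml"
}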

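#######################################
# Create the user's ServiceAccount, then its Role (+ RoleBinding) and token Secret.
# Globals:   user, allowed_namespace (read)
# Outputs:   nothing on success (kubectl output is discarded)
# Returns:   non-zero if kubectl apply fails
#######################################
create_serviceaccount() {
  # YAML is indentation-sensitive: metadata fields must be nested under metadata.
  cat <<EOF | kubectl apply -f - > /dev/null
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $user
  namespace: $allowed_namespace
EOF
  create_role
  create_secret
}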

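#######################################
# Create the namespace-scoped Role for the user, then bind it.
# Globals:   user, allowed_namespace (read)
# Outputs:   nothing on success (kubectl output is discarded)
# Returns:   non-zero if kubectl apply fails
#
# NOTE(review): the wildcard rules grant every verb on every resource of the
# core, apps and athena.trirematics.io groups inside the namespace. For the
# core group that includes secrets, serviceaccounts and pods/exec, so anyone
# holding this kubeconfig can read every Secret in the namespace (including
# other users' tokens if they share it). Narrow the resources list if groups
# must be isolated from each other.
#######################################
create_role() {
  cat <<EOF | kubectl apply -f - > /dev/null
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: $allowed_namespace
  name: "${user}-role"
rules:
  - apiGroups: [""]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["apps"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["athena.trirematics.io"]
    resources: ["*"]
    verbs: ["*"]
EOF
  create_rolebinding
}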

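#######################################
# Bind "${user}-role" to the user's ServiceAccount in allowed_namespace.
# Globals:   user, allowed_namespace (read)
# Outputs:   nothing on success (kubectl output is discarded)
# Returns:   non-zero if kubectl apply fails
#######################################
create_rolebinding() {
  cat <<EOF | kubectl apply -f - > /dev/null
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "${user}-rolebinding"
  namespace: $allowed_namespace
subjects:
  - kind: ServiceAccount
    name: $user
    namespace: $allowed_namespace
roleRef:
  kind: Role
  name: "${user}-role"
  apiGroup: rbac.authorization.k8s.io
EOF
}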

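#######################################
# Create a service-account-token Secret for the user. The token in it does not
# expire on its own and ends up in the shared kubeconfig, so deleting the user
# (which removes this Secret) is the way to revoke access.
# Globals:   user, allowed_namespace, secret_name (read)
# Outputs:   nothing on success (kubectl output is discarded)
# Returns:   non-zero if kubectl apply fails
#######################################
create_secret() {
  cat <<EOF | kubectl apply -f - > /dev/null
apiVersion: v1
kind: Secret
metadata:
  name: $secret_name
  namespace: $allowed_namespace
  annotations:
    kubernetes.io/service-account.name: $user
type: kubernetes.io/service-account-token
EOF
}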

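#######################################
# Delete the user's ServiceAccount, then its Role and RoleBinding.
# Globals:   user, allowed_namespace (read)
# Returns:   non-zero if kubectl delete fails for a reason other than "not found"
#######################################
delete_serviceaccount() {
  # Quoted expansions; --ignore-not-found keeps a partial earlier cleanup from
  # aborting the script under set -e before the Role/RoleBinding are removed.
  kubectl delete sa "$user" -n "$allowed_namespace" --ignore-not-found > /dev/null
  delete_role
}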

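#######################################
# Delete "${user}-role", then its RoleBinding.
# Globals:   user, allowed_namespace (read)
# Returns:   non-zero if kubectl delete fails for a reason other than "not found"
#######################################
delete_role() {
  kubectl delete roles "${user}-role" -n "$allowed_namespace" --ignore-not-found > /dev/null
  delete_rolebinding
}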

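#######################################
# Delete "${user}-rolebinding" from allowed_namespace.
# Globals:   user, allowed_namespace (read)
# Returns:   non-zero if kubectl delete fails for a reason other than "not found"
#######################################
delete_rolebinding() {
  kubectl delete rolebindings "${user}-rolebinding" -n "$allowed_namespace" --ignore-not-found > /dev/null
}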

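#######################################
# Remove the user's kubeconfig file; silently succeeds if it is already gone.
# Globals:   file_path, user (read)
#######################################
delete_kubeconfig_file() {
  # -f (not GNU-only --force) and "--" for portability; ":?" refuses to run
  # with an empty directory or user name, which would otherwise target "/" or "$file_path".
  rm -f -- "${file_path:?}/${user:?}"
}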

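#######################################
# Entry point: dispatch on the single action argument.
# Arguments: $1 - "create" or "delete"
# Returns:   exit 1 with a usage line on stderr for any other argument
#######################################
action=${1:-}

case "$action" in
  create)
    create_serviceaccount
    create_kubeconfig_file
    ;;
  delete)
    delete_serviceaccount
    delete_kubeconfig_file
    echo "The user ${user} and its kubeconfig file named \"${user}\" have been deleted."
    ;;
  *)
    echo "Usage: $0 [create|delete]" >&2
    exit 1
    ;;
esac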

Make it executable:

chmod +x manage-user.sh

Adjust the env file from Step 1 if needed before running the script.


✅ Step 3: Run the Script

To create the user run the created script:

./manage-user.sh create

manage-user.sh reads the user name and namespace from the env file and creates that user.

tip

To delete the user:

./manage-user.sh delete

which removes the user defined in the env file together with its Role, RoleBinding and kubeconfig file.


✅ Step 4: Share Kubeconfig

You’ll find the generated kubeconfig file at:

~/.kube/group-one

Share this file with the group members or users who need access to the namespace. It embeds the service account's bearer token, so treat it as a credential: pass it over a secure channel and delete the user when the group no longer needs access.