docs/doc/source/security/kubernetes/end-users-local-access-using-ssh-or-k8s-cli-2b88b1235671.rst
Suzana Fernandes 4b0d6f789e Fix index Security guide
[EAG] - Fix toctrees in wrong place
[RS]  - escape sample URLs

Change-Id: I3972bac7a0637bedfdca70a523851439d3b7ce42
Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
2024-11-29 18:18:33 +00:00


End Users - Test Local Access using SSH or Kubernetes CLI

After creating end users, test their access to Kubernetes commands / resources and their Linux access.

  • You should already have created at least one end user.
  • You need to perform this procedure using an end user.

  1. Log in to the active controller as an end user, steveenduser in this example.

    Use either a local console or SSH.

  2. Test access to Linux commands (admin and non-admin) using the following commands:

    # Creating user requires sudo
    
    $ sudo ldapusersetup -u johnsmith
    steveenduser is not allowed to run sudo on controller-0.  This incident will be reported.
    
    # Listing IP interfaces does not require admin privileges
    
    $ ip link show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:39:06:4e brd ff:ff:ff:ff:ff:ff
    3: enp0s8: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000
    link/ether 08:00:27:38:8b:7c brd ff:ff:ff:ff:ff:ff
    ...
  3. Test access to Kubernetes commands / resources using the following steps:

    1. Use kubeconfig-setup to set up KUBECONFIG for the local environment.

      $ kubeconfig-setup
      $ source ~/.profile
    2. Use oidc-auth to authenticate through /.

      $ oidc-auth
      Using "steveenduser" as username.
      Password:
      Successful authentication.
      Updated /home/johnsmith/.kube/config .
    3. Use kubectl to test access to Kubernetes commands / resources (admin and non-admin).

      # Displaying anything in 'kube-system' namespace requires 'cluster-admin' privileges
      
      $ kubectl -n kube-system get secrets
      Error from server (Forbidden): secrets is forbidden: User "steveenduser" cannot list resource "secrets" in API group "" in the namespace "kube-system"
      
      # Should be able to display resources in their own namespace, 'abc-ns'
      
      $ kubectl -n abc-ns get all
      NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
      service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   3d9h
  4. Test access to commands / resources.

    $ source local_starlingxrc
    Enter the password to be used with Keystone user steveenduser:
    Created file /home/johnsmith/steveenduser-openrc
    
    $ system host-list
    Must provide Keystone credentials or user-defined endpoint and token, error was: The request you have made requires authentication. (HTTP 401) (Request-ID: req-0feb292f-d649-4d9f-8e60-f63643265207)

Set up remote access for any end users requiring remote access. See remote-access-2209661be417.
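
The Kubernetes checks in step 3 can be repeated non-interactively with kubectl auth can-i, which is useful for re-verifying an end user's RBAC boundary after role changes. The script below is an added example, not part of the original StarlingX procedure; the KUBECTL override, the function and script names, and the extra probes (cluster-wide wildcard, listing pods and services) are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not StarlingX code): re-check the Kubernetes RBAC boundary
# from step 3 non-interactively. Run it as the end user, after
# kubeconfig-setup and oidc-auth have succeeded.
# Assumption: KUBECTL is overridable so the logic can be exercised offline.
KUBECTL="${KUBECTL:-kubectl}"

# expect_k8s <yes|no> <verb> <resource> [extra kubectl args...]
# "kubectl auth can-i" prints "yes" or "no" (optionally "no - <reason>") for
# the authenticated user and exits non-zero on "no", hence the "|| true".
expect_k8s() {
    local want="$1" verb="$2" res="$3" got
    shift 3
    got="$("$KUBECTL" auth can-i "$verb" "$res" "$@" 2>/dev/null || true)"
    got="${got%% *}"    # keep only the first word, dropping any reason text
    if [ "$got" = "$want" ]; then
        echo "PASS  can-i $verb $res $* -> $got"
    else
        # An empty answer (expired token, unreachable API) is a failure too.
        echo "FAIL  can-i $verb $res $* -> ${got:-no answer} (expected $want)"
        return 1
    fi
}

# audit_end_user <namespace>: returns 0 only if every probe matches.
audit_end_user() {
    local ns="$1" rc=0
    # Must be denied: the kube-system check the page performs by hand,
    # plus a wildcard probe that only cluster-admin would pass.
    expect_k8s no  list secrets  -n kube-system   || rc=1
    expect_k8s no  '*'  '*'      --all-namespaces || rc=1
    # Must be allowed: reading resources in the user's own namespace.
    expect_k8s yes list services -n "$ns"         || rc=1
    expect_k8s yes list pods     -n "$ns"         || rc=1
    return "$rc"
}

# Usage: ./audit-end-user.sh abc-ns   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    audit_end_user "$1"
fi
```

A non-zero exit status means at least one probe did not match, either because the user has more access than intended or because authentication has lapsed and oidc-auth must be run again.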