docs/doc/source/security/kubernetes/system-administrator-local-access-using-ssh-linux-shell-and-st-69213db2a936.rst
Suzana Fernandes 9fa54fe44e Create Security Guide Reference
Change-Id: I1cfdc44fb72907e9e34294194084c59e29d8d80a
Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
2024-11-01 18:01:33 +00:00


System Administrator - Test Local Access using SSH/Linux Shell and System and Kubernetes CLI

After creating your first system administrator with full privileges, test access to Linux and Kubernetes commands and resources.

  • You must have created your first system administrator.
  • You must perform this procedure as the first system administrator.

  1. Log in to the active controller as the first system administrator (joefulladmin in these examples).

    Use either local console or .

    Note

    If this is the first time you log in with your local account, the configured password is your username. You will be forced to change it.

  2. Test access to Linux commands (admin and non-admin).

    # Creating a user requires sudo
    
    $ sudo ldapusersetup -u johnsmith
    Successfully added user johnsmith to LDAP
    Successfully set password for user johnsmith
    Warning : password is reset, user will be asked to change password at login
    Successfully modified user entry uid=johnsmith,ou=People,dc=cgcs,dc=local in LDAP
    Updating password expiry to 90 days
    Successfully modified user entry uid=johnsmith,ou=People,dc=cgcs,dc=local in LDAP
    Updating password expiry to 2 days
    
    # Listing IP interfaces does not require admin privileges
    
    $ ip link show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
       link/ether 08:00:27:39:06:4e brd ff:ff:ff:ff:ff:ff
    3: enp0s8: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000
       link/ether 08:00:27:38:8b:7c brd ff:ff:ff:ff:ff:ff
    ...
  3. Test access to Kubernetes commands / resources.

    1. Use kubeconfig-setup to set up KUBECONFIG for the local environment.

      $ kubeconfig-setup
      $ source ~/.profile
    2. Use oidc-auth to authenticate via /.

      $ oidc-auth
      Using "joefulladmin" as username.
      Password:
      Successful authentication.
      Updated /home/joefulladmin/.kube/config .
    3. Use kubectl to test access to Kubernetes commands / resources (admin and non-admin).

      # Displaying anything in 'kube-system' namespace requires 'cluster-admin' privileges
      $ kubectl -n kube-system get secrets
      NAME                        TYPE                    DATA  AGE
      ceph-admin                  Opaque                  2     3d8h
      ceph-pool-kube-cephfs-data  kubernetes.io/cephfs    4     3d8h
      ceph-pool-kube-rbd          kubernetes.io/rbd       2     3d8h
      
      # Anyone can display resources in 'default' namespace
      $ kubectl -n default get all
      NAME                TYPE       CLUSTER-IP  EXTERNAL-IP  PORT(S)  AGE
      service/kubernetes  ClusterIP  10.96.0.1   <none>       443/TCP  3d9h
  4. Test access to commands / resources.

    1. Use local_starlingxrc to set up environment variables and your Keystone user's authentication credentials.

      $ source local_starlingxrc
      Enter the password to be used with Keystone user joefulladmin:
      Created file /home/joefulladmin/joefulladmin-openrc
    2. Test Keystone commands (admin and non-admin).

      # Making changes to the system requires 'admin' role
      $ system modify -l Ottawa
      
      +----------------------+--------------------------------------+
      | Property             | Value                                |
      +----------------------+--------------------------------------+
      | contact              | None                                 |
      | created_at           | 2024-07-12T10:52:40.609006+00:00     |
      | description          | None                                 |
      | https_enabled        | True                                 |
      | latitude             | None                                 |
      | location             | Ottawa                               |
      | longitude            | None                                 |
      ...
      
      # Any member of the 'admin' project can display system parameters
      $ system host-if-list controller-0
      
      +--------------------------------------+--------+----------+----------+---------+------------+----------+-------------+------------+
      | uuid                                 | name   | class    | type     | vlan id | ports      | uses i/f | used by i/f | attributes |
      +--------------------------------------+--------+----------+----------+---------+------------+----------+-------------+------------+
      | 287eca5a-8721-4422-b73a-bf24805eac4c | enp0s3 | platform | ethernet | None    | ['enp0s3'] | []       | []          | MTU=1500   |
      | 325c32b9-fe40-4900-a0ff-59062190ce80 | lo     | platform | virtual  | None    | []         | []       | []          | MTU=1500   |
      +--------------------------------------+--------+----------+----------+---------+------------+----------+-------------+------------+
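
As an added example (not part of the StarlingX documentation or project code), the checks from steps 2 to 4 collected into one POSIX shell script that records PASS/FAIL per check so the result can be kept as evidence of the test. It assumes steps 3.1, 3.2 and 4.1 (kubeconfig-setup, oidc-auth, source local_starlingxrc) have already been done in the current shell, and substitutes sudo -v and kubectl auth can-i for the user-creating and secret-listing commands so the run has no side effects and writes no secret material to the log.

```shell
#!/bin/sh
# verify_admin_access.sh - added example, not StarlingX project code.
# Runs the access checks from this procedure non-interactively and records
# PASS/FAIL per check, so the test result can be kept as evidence.
# Assumes steps 3.1, 3.2 and 4.1 above (kubeconfig-setup, oidc-auth,
# source local_starlingxrc) were already done in this shell.

PASS=0
FAIL=0

# check EXPECT LABEL CMD... : EXPECT is "ok" (command must succeed) or
# "denied" (command must fail). Command output is discarded and only the
# exit status is kept, so secret values never end up in the log.
check() {
    expect=$1; label=$2; shift 2
    if "$@" >/dev/null 2>&1; then rc=0; else rc=1; fi
    case "$expect:$rc" in
        ok:0|denied:1) PASS=$((PASS + 1)); echo "PASS  $label" ;;
        *) FAIL=$((FAIL + 1)); echo "FAIL  $label (exit $rc, expected $expect)" ;;
    esac
    return 0
}

# Returns 0 when every recorded check passed.
all_passed() { [ "$FAIL" -eq 0 ]; }

# The procedure's checks. Run with STX_LIVE=1 on the active controller;
# elsewhere the CLIs are absent, so they are skipped.
if [ "${STX_LIVE:-0}" = 1 ]; then
    # Linux: sudo -v validates sudo rights (may prompt for the password)
    # without creating an LDAP user as step 2 does.
    check ok "linux: sudo rights (step 2)"           sudo -v
    check ok "linux: ip link show, no sudo needed"   ip link show
    # Kubernetes: 'kubectl auth can-i' answers the RBAC question of step 3.3
    # without printing the secrets themselves.
    check ok "k8s: list kube-system secrets (cluster-admin)" \
        kubectl auth can-i list secrets -n kube-system
    check ok "k8s: get all in default namespace"     kubectl -n default get all
    # Keystone/system CLI: read-only check from step 4.2. The write check
    # (system modify -l ...) changes the system record, so it stays manual.
    check ok "system: host-if-list controller-0"     system host-if-list controller-0
    echo "passed=$PASS failed=$FAIL"
    all_passed || exit 1
fi
```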

Continue to Create other System Administrators <create-other-system-administrators-97b99bb94430>.