add user to kops

users/README.md

@@ -0,0 +1,20 @@
+## Retrieve keys from kops
+```
+aws s3 sync s3://kops-state-b429b/kubernetes.newtech.academy/pki/private/ca/ ca-key
+aws s3 sync s3://kops-state-b429b/kubernetes.newtech.academy/pki/issued/ca/ ca-crt
+mv ca-key/*.key ca.key
+mv ca-crt/*.crt ca.crt
+```
+## Create new user
+```
+sudo apt install openssl
+openssl genrsa -out edward.pem 2048
+openssl req -new -key edward.pem -out edward-csr.pem -subj "/CN=edward/O=myteam/"
+openssl x509 -req -in edward-csr.pem -CA ca.crt -CAkey ca.key -CAcreateserial -out edward.crt -days 10000
+```
+
+## add new context
+```
+kubectl config set-credentials edward --client-certificate=edward.crt --client-key=edward.pem
+kubectl config set-context edward --cluster=kubernetes.newtech.academy --user edward
+```

users/admin-user.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: admin-user
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: User
+  name: "edward"
+  apiGroup: rbac.authorization.k8s.io

users/user.yaml

@@ -0,0 +1,26 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: default
+  name: pod-reader
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
+- apiGroups: ["extensions", "apps"]
+  resources: ["deployments"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: read-pods
+  namespace: default
+subjects:
+- kind: User
+  name: edward
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: pod-reader
+  apiGroup: rbac.authorization.k8s.io