9fa54fe44e
Change-Id: I1cfdc44fb72907e9e34294194084c59e29d8d80a Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
95 lines
3.5 KiB
ReStructuredText
95 lines
3.5 KiB
ReStructuredText
.. WARNING: Add no lines of text between the label immediately following
|
|
.. and the title.
|
|
|
|
.. _end-users-local-access-using-ssh-or-k8s-cli-2b88b1235671:
|
|
|
|
=========================================================
|
|
End Users - Test Local Access using SSH or Kubernetes CLI
|
|
=========================================================
|
|
|
|
After creating end users, test their access to the the Kubernetes commands / resources
|
|
and linux access.
|
|
|
|
.. rubric:: |prereq|
|
|
|
|
- You should already have created at least one end user.
|
|
|
|
- You need to perform this procedure using an end user.
|
|
|
|
.. rubric:: |proc|
|
|
|
|
#. Login to the active controller as an end user, ``steveenduser`` in this
|
|
example.
|
|
|
|
Use either a local console or |SSH|.
|
|
|
|
#. Test access to linux commands (admin and non-admin) using the following commands:
|
|
|
|
.. code-block::
|
|
|
|
# Creating user requires sudo
|
|
|
|
$ sudo ldapusersetup -u johnsmith
|
|
steveenduser is not allowed to run sudo on controller-0. This incident will be reported.
|
|
|
|
# Listing IP interfaces does not require admin privileges
|
|
|
|
$ ip link show
|
|
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
|
|
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
|
|
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
|
|
link/ether 08:00:27:39:06:4e brd ff:ff:ff:ff:ff:ff
|
|
3: enp0s8: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000
|
|
link/ether 08:00:27:38:8b:7c brd ff:ff:ff:ff:ff:ff
|
|
...
|
|
|
|
#. Test access to kubernetes commands / resources using the following steps:
|
|
|
|
#. Use ``kubeconfig-setup`` to setup ``KUBECONFIG`` for local environment.
|
|
|
|
.. code-block::
|
|
|
|
$ kubeconfig-setup
|
|
$ source ~/.profile
|
|
|
|
#. Use ``oidc-auth`` to authenticate through |OIDC|/|LDAP|.
|
|
|
|
.. code-block::
|
|
|
|
$ oidc-auth
|
|
Using "steveenduser" as username.
|
|
Password:
|
|
Successful authentication.
|
|
Updated /home/johnsmith/.kube/config .
|
|
|
|
#. Use ``kubectl`` to test access to kubernetes commands / resources
|
|
(admin and non-admin).
|
|
|
|
.. code-block::
|
|
|
|
# Displaying anything in 'kube-system' namespace requires 'cluster-admin' privileges
|
|
|
|
$ kubectl -n kube-system get secrets
|
|
Error from server (Forbidden): secrets is forbidden: User "steveenduser" cannot list resource "secrets" in API group "" in the namespace "kube-system"
|
|
|
|
# Should be able to display resources in his own namespace, 'ABC-ns'
|
|
|
|
$ kubectl -n abc-ns get all
|
|
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
|
|
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 3d9h
|
|
|
|
#. Test access to |prod| commands / resources.
|
|
|
|
.. code-block::
|
|
|
|
$ source local_starlingxrc
|
|
Enter the password to be used with Keystone user steveenduser:
|
|
Created file /home/johnsmith/steveenduser-openrc
|
|
|
|
$ system host-list
|
|
Must provide Keystone credentials or user-defined endpoint and token, error was: The request you have made requires authentication. (HTTP 401) (Request-ID: req-0feb292f-d649-4d9f-8e60-f63643265207)
|
|
|
|
.. rubric:: |postreq|
|
|
|
|
Setup remote access for any end users requiring remote access. See :ref:`index-remote-access-2209661be417`.
|