Is there a way to prevent kubectl from de-registering Kubernetes nodes?

0 votes

I was testing some commands and I ran

$ kubectl delete nodes --all

and it de-registers all the nodes, including the masters. Now I can't connect to the cluster (well, obviously, as the master is deleted).

Is there a way to prevent this as anyone could accidentally do this?

Extra Info: I am using KOps for deployment.

P.S. It does not delete the EC2 instances, and the nodes come back up after an EC2 instance reboot on all the instances.

Aug 29, 2018 in AWS by bug_seeker
• 15,550 points

1 answer to this question.

0 votes

By default, you are using something like a superuser who can do anything he wants with a cluster.

To limit access to a cluster for other users, you can use RBAC authorization. With RBAC rules you can manage access and limits per resource and action.

In a few words, to do that you need to:

  1. Create a new cluster with Kops using --authorization RBAC, or modify an existing one by adding the 'rbac' option to the 'authorization' section of the cluster's configuration:

     authorization:
       rbac: {}

  2. Now we can follow the instructions from Bitnami to create a user. For example, let's create a user who has access only to the office namespace and only for a few actions. So, we need to create a namespace first:

     kubectl create namespace office

  3. Create a key and certificates for the new user:

     openssl genrsa -out employee.key 2048

     openssl req -new -key employee.key -out employee.csr -subj "/CN=employee/O=bitnami"

  4. Now, using your CA authority key (it is available in the S3 bucket under PKI), we need to approve the new certificate:

     openssl x509 -req -in employee.csr -CA CA_LOCATION/ca.crt -CAkey CA_LOCATION/ca.key -CAcreateserial -out employee.crt -days 500

  5. Create the credentials:

     kubectl config set-credentials employee --client-certificate=/home/employee/.certs/employee.crt --client-key=/home/employee/.certs/employee.key

  6. Set the right context:

     kubectl config set-context employee-context --cluster=YOUR_CLUSTER_NAME --namespace=office --user=employee

answered Aug 29, 2018 by Priyaj
• 58,120 points
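
The steps above give the `employee` user an identity but no permissions yet. As an added example (not part of the answer above), this is a namespaced Role and RoleBinding for that user in the `office` namespace; the names `office-deployer` and `office-deployer-binding` and the chosen resources and verbs are assumptions made for illustration.

```yaml
# Added example: "office-deployer" and "office-deployer-binding" are hypothetical names.
# A Role is namespaced: it can only grant access to resources inside "office".
# Nodes are cluster-scoped, so no Role can grant "delete nodes"; that would
# need a ClusterRole bound with a ClusterRoleBinding, which is not created here.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: office-deployer
  namespace: office
rules:
  - apiGroups: ["", "apps"]
    resources: ["pods", "deployments", "replicasets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: office-deployer-binding
  namespace: office
subjects:
  - kind: User
    name: employee          # matches CN=employee in the client certificate
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: office-deployer
  apiGroup: rbac.authorization.k8s.io
# Check the result from an admin context (requires impersonation rights):
#   kubectl auth can-i delete nodes --as=employee
#   kubectl auth can-i create deployments --namespace=office --as=employee
```

The admin kubeconfig generated by Kops keeps its full rights, so the restriction only applies to work done through `employee-context`.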
