Is there a way to prevent kubectl from de-registering kubernetes nodes

0 votes

I was testing some commands and I ran

$ kubectl delete nodes --all

and it de-registers all the nodes, including the masters. Now I can't connect to the cluster (well, obviously, as the master is deleted).

Is there a way to prevent this as anyone could accidentally do this?

Extra Info: I am using KOps for deployment.

P.S. It does not delete the EC2 instances, and the nodes come up on doing an EC2 instance reboot on all the instances.

Aug 29, 2018 in AWS by bug_seeker
• 15,520 points

1 answer to this question.

0 votes

By default, you are using something like a superuser who can do anything he wants with a cluster.

To limit access to a cluster for other users, you can use RBAC authorization. With RBAC rules you can manage access and limits per resource and action.

In a few words, to do that you need to:

  1. Create a new cluster with Kops using --authorization RBAC, or modify an existing one by adding the 'rbac' option to the 'authorization' section of the cluster's configuration:

     authorization:
       rbac: {}

  2. Now we can follow the instructions from Bitnami to create a user. For example, let's create a user who has access only to the office namespace and only for a few actions. So, we need to create a namespace first:

     kubectl create namespace office

  3. Create a key and certificates for the new user:

     openssl genrsa -out employee.key 2048
     openssl req -new -key employee.key -out employee.csr -subj "/CN=employee/O=bitnami"

  4. Now, using your CA authority key (it is available in the S3 bucket under PKI), we need to approve the new certificate:

     openssl x509 -req -in employee.csr -CA CA_LOCATION/ca.crt -CAkey CA_LOCATION/ca.key -CAcreateserial -out employee.crt -days 500

  5. Creating credentials:

     kubectl config set-credentials employee --client-certificate=/home/employee/.certs/employee.crt --client-key=/home/employee/.certs/employee.key

  6. Setting the right context:

     kubectl config set-context employee-context --cluster=YOUR_CLUSTER_NAME --namespace=office --user=employee

answered Aug 29, 2018 by Priyaj
• 58,090 points
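
The steps above create the employee user and context but stop before any permissions are granted. As an added example (not part of the original answer), here is a Role and RoleBinding that give employee a few actions inside the office namespace only. The names deployment-manager and deployment-manager-binding and the chosen resources and verbs are assumptions.

```yaml
# Added example: namespaced permissions for the "employee" user (the CN of
# the client certificate created above). Resource and verb choices are
# illustrative assumptions; adjust them to what the user actually needs.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: office
  name: deployment-manager          # hypothetical name
rules:
  - apiGroups: ["", "apps"]         # "" is the core API group (pods)
    resources: ["deployments", "replicasets", "pods"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Bind the Role to the user. A RoleBinding only grants access inside its own
# namespace. Nodes are cluster-scoped, so nothing here can permit
# "kubectl delete nodes"; that would require a ClusterRole bound through a
# ClusterRoleBinding, which this user does not get.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: office
  name: deployment-manager-binding  # hypothetical name
subjects:
  - kind: User
    name: employee                  # must match the certificate CN
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: rbac.authorization.k8s.io
```

After applying the manifest with kubectl apply -f from the admin context, `kubectl auth can-i delete nodes --as employee` should answer no, while `kubectl auth can-i list pods --namespace office --as employee` should answer yes.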
