As we have enabled the kube-apiserver to be executed in safe mode (https), we have to modify the configuration files generated in previous steps so that they can communicate with the cluster through the https api endpoint. You have to:
- Modify the
.kube-default-sample-psp-confand.kube-default-kube-system-conffiles replacingserver: http://:8080toserver: https://kubernetes:8443.
Now you should have the following outputs:
$ grep 8443 .kube-*
.kube-default-kube-system-conf: server: https://kubernetes:8443
.kube-default-sample-psp-conf: server: https://kubernetes:8443We have activated RBAC, we have generated two different configuration files. One of them (.kube-default-kube-system-conf), with cluster-admin permissions. The other one (.kube-default-sample-psp-conf), with permissions limited to a namespace.
To test that RBAC is working correctly, we can execute the following commands:
$ KUBECONFIG=$(pwd)/.kube-default-kube-system kubectl get nodes
NAME STATUS ROLES AGE VERSION
pc1282 Ready <none> 24h v1.13.2
$ KUBECONFIG=$(pwd)/.kube-default-sample-psp-conf kubectl get nodes
Error from server (Forbidden): nodes is forbidden: User "system:serviceaccount:sample-psp:default" cannot list resource "nodes" in API group "" at the cluster scope