Simple Python Client and scripts for Role Management

Overview

  • User Migration
    • Migrate users from the old Keycloak to the TKS system.
  • User Role Management
    • Manage roles related to the k8s cluster for users in a declarative manner.
  • K8s RBAC Management
    • Add ClusterRole/ClusterRoleBinding to the k8s cluster.
    • Add Role/RoleBinding to a k8s namespace.

Usage

Prerequisites:

  • Python 3.11
  • pip3
  • Required python packages in requirements.txt
    $ pip3 install -r requirements.txt

User Migration

  1. Login to the old Keycloak.
  2. Retrieve the user list from the old Keycloak and save it as a JSON file.
  3. Migrate users to the TKS system.
$ cd src/migration

# Log in to the old Keycloak and the TKS system.
# Run login.py with Python 3, which writes a token file named "config.json"
$ python3 login.py

# Retrieve the user list from the old Keycloak.
# Run get_user_list.py with Python 3, which produces a user list file named "users.json"
$ python3 list_users.py

# Run user_migration.py with Python 3 to automatically migrate users to the TKS system
$ python3 user_migration.py

User Role Management

  1. Login to the TKS system.
  2. Retrieve the list of users in the TKS system and the roles related to the k8s cluster managed by the TKS system, then map them. Save this mapping as a YAML file.
  3. Edit the user-role mapping file.
  4. Apply the user-role mapping file to the TKS system.
$ cd src/role_management

# Log in to the TKS system.
# Run login.py with Python 3, which writes a token file named "config.json"
$ python3 login.py

# Retrieve the list of users, the roles related to the k8s cluster and map them. Save this mapping as a YAML file.
$ python3 get_client_roles.py

# Edit the user role mapping file
$ vi client_role_data.yaml

# Apply user-role mapping file to the TKS system.
$ python3 set_client_roles.py

Role mapping file format:

# Example. Initial client_role_data.yaml

clients:
  # K8s cluster name suffixed with "-k8s-api"
  # Automatically generated by running get_client_roles.py
  - name: c12345-k8s-api
    roles:
      - name: cluster-admin
        # Add users' accountId to the list of users who have the role
        # In case of no users for this role, set users to an empty list
        users: []
      - name: cluster-view
        users: []
# Do not edit below this line. This section only lists the users in the TKS system for reference.
users:
  - accountId: admin
    name: admin

Role mapping file editing examples:

  1. Add a role to the cluster (for removal, do the opposite)
clients:
  - name: c12345-k8s-api
    roles:
      - name: cluster-admin
        users: []
      - name: cluster-view
        users: []
      - name: new-role
        users: []
users:
  - accountId: admin
    name: admin
  2. Add a user to the role (for removal, do the opposite)
clients:
  - name: c12345-k8s-api
    roles:
      - name: cluster-admin
        users: []
      - name: cluster-view
        users: 
          - admin
      - name: new-role
        users: 
          - admin
users:
  - accountId: admin
    name: admin
  3. When a k8s cluster is added, run get_client_roles.py again to get the new cluster name and add it to the client list.
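
Because the mapping is applied declaratively, a typo in an accountId or an accidentally removed list entry changes who holds a cluster role. The following is an added example, not part of this project's scripts: a pre-apply check that validates an edited mapping against the reference users section and lists the grants an edit adds or removes. The function names, the use of PyYAML in load_mapping, and the sample data are assumptions made for illustration.

```python
# Added example, not project code. Mappings are the parsed client_role_data.yaml.

def load_mapping(path):
    """Parse the YAML file; PyYAML is an assumption (not confirmed by the page)."""
    import yaml  # imported lazily so the checks below also work on plain dicts
    with open(path) as fh:
        return yaml.safe_load(fh)  # safe_load: no arbitrary object construction

def grants(mapping):
    """Flatten a mapping into a set of (client, role, accountId) triples."""
    return {
        (client["name"], role["name"], account)
        for client in mapping.get("clients") or []
        for role in client.get("roles") or []
        for account in (role.get("users") if isinstance(role.get("users"), list) else [])
    }

def validate(mapping):
    """Return the problems that should block applying the file."""
    problems = []
    known = {u["accountId"] for u in mapping.get("users") or []}
    for client in mapping.get("clients") or []:
        if not client["name"].endswith("-k8s-api"):
            problems.append(f"{client['name']}: client name must end with -k8s-api")
        for role in client.get("roles") or []:
            where = f"{client['name']}/{role['name']}"
            users = role.get("users")
            if not isinstance(users, list):
                problems.append(f"{where}: users must be a list, [] when empty")
                continue
            problems += [f"{where}: unknown accountId {a!r}" for a in users if a not in known]
    return problems

def plan(before, after):
    """Grants the edit adds and removes, sorted for review."""
    old, new = grants(before), grants(after)
    return sorted(new - old), sorted(old - new)

# Constructed sample data mirroring the example file above, before and after editing.
USERS = [{"accountId": "admin", "name": "admin"}]
BEFORE = {"users": USERS, "clients": [{"name": "c12345-k8s-api", "roles": [
    {"name": "cluster-admin", "users": []}, {"name": "cluster-view", "users": []}]}]}
AFTER = {"users": USERS, "clients": [{"name": "c12345-k8s-api", "roles": [
    {"name": "cluster-admin", "users": []}, {"name": "cluster-view", "users": ["admin"]},
    {"name": "new-role", "users": ["admin"]}]}]}

if __name__ == "__main__":
    added, removed = plan(BEFORE, AFTER)
    print("problems:", validate(AFTER))
    print("grants added:", added, "grants removed:", removed)
```

Keeping a copy of the file produced by get_client_roles.py before editing gives the "before" side of the comparison.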

K8s RBAC Management

  1. Prepare a kubeconfig file for the k8s cluster.
  2. Edit the rbac_example.sh script.
  3. Run the rbac_example.sh script with parameters.