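#!/usr/bin/env bash
# Register the SPIRE registration entries used by the dev environment:
# the spire-agent node entry, the cilium-agent entry, and one workload entry
# per demo application (xwing, deathstar, deathstar2).
#
# Every entry is created by running `spire-server entry create` inside the
# spire-server-0 pod of the spire namespace, so kubectl must already be
# pointed at the cluster running SPIRE.
#
# The script stops at the first entry that fails to register (set -e) so a
# partially applied set of entries is reported instead of silently skipped.
# NOTE(review): spire-server may reject an entry identical to an existing one;
# confirm re-run behaviour before using this script for repeated applies.
set -euo pipefail

readonly spire_ns=spire
readonly spire_server_pod=spire-server-0
readonly spire_server_bin=/opt/spire/bin/spire-server
# SPIFFE ID of the spire-agent node entry; parent of every workload entry.
readonly agent_id=spiffe://example.org/ns/spire/sa/spire-agent

#######################################
# Run `spire-server entry create` inside the SPIRE server pod.
# Globals:   spire_ns, spire_server_pod, spire_server_bin (read)
# Arguments: passed through unchanged to `entry create`
#            (-node, -spiffeID, -parentID, -selector ...)
# Returns:   exit status of the kubectl / spire-server invocation
#######################################
create_entry() {
  kubectl exec -n "$spire_ns" "$spire_server_pod" -- \
    "$spire_server_bin" entry create "$@"
}

main() {
  # spire-agent: node entry matched by the k8s_sat node attestor selectors.
  create_entry -node \
    -spiffeID "$agent_id" \
    -selector k8s_sat:cluster:demo-cluster \
    -selector k8s_sat:agent_ns:spire \
    -selector k8s_sat:agent_sa:spire-agent

  # cilium-agent
  # This entry is needed to be sure that the cilium agent is able to use the
  # spire privileged API. The unix:uid:0 selector is used because cilium-agent
  # runs as a process in the host in the dev environment, which means any
  # uid-0 process on that host that can reach the agent's workload API is
  # issued this identity. If cilium-agent is run as a pod then the k8s
  # selectors for that pod should be used instead.
  create_entry \
    -spiffeID spiffe://example.org/ciliumagent \
    -parentID "$agent_id" \
    -selector unix:uid:0

  # Demo workloads: each is selected by the pod label class=<name> and gets
  # the SPIFFE ID spiffe://example.org/<name>.
  local workload
  for workload in xwing deathstar deathstar2; do
    create_entry \
      -spiffeID "spiffe://example.org/${workload}" \
      -parentID "$agent_id" \
      -selector "k8s:pod-label:class:${workload}"
  done
}

main "$@"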