demo.asc

#!/bin/bash
## kube-request-access demo

: kubectl get accessrequests.spreadgroup.com -o name | xargs kubectl delete &> /dev/null || true

# kubectl exec is usually not allowed:
kubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf

# let's request access!
kubectl request --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf

# pretend we're an admin and grant it
kubectl request --context admin grant "$(kubectl get accessrequests.spreadgroup.com -o name | cut -d/ -f2 | tail -n1)"

# note execOptions and userInfo above

kubectl --context admin get accessrequests.spreadgroup.com
kubectl --context admin get accessgrants.spreadgroup.com

: sleep 2 && clear

# now it works!
kubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf

# only once by default
kubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf

# let's request access for a while
kubectl request --context dev exec --valid-for=10m nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf

kubectl request --context admin grant "$(kubectl get accessrequests.spreadgroup.com -o name | cut -d/ -f2 | tail -n1)"

# note the validFor field

# now we can run it multiple times
kubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf
kubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf

# but of course only this command
kubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/passwd

: sleep 2 && clear

# admins can revoke access
kubectl --context admin get accessrequests.spreadgroup.com
kubectl --context admin delete accessrequests.spreadgroup.com "$(kubectl get accessrequests.spreadgroup.com -o name | cut -d/ -f2 | tail -n1)"

kubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf

# and that's kube-request-access!

: sleep 2