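#!/usr/bin/env bash
# Create the SPIRE registration entries used by the demo environment.
#
# Every entry is created by exec'ing into the SPIRE server pod and running
# `spire-server entry create`. Each failure is reported on stderr and the
# remaining entries are still attempted; the script exits non-zero if any
# entry could not be created.
#
# Environment (all optional; defaults are the values this script originally
# hard-coded):
#   SPIRE_NS          namespace of the SPIRE server pod  (default: spire)
#   SPIRE_SERVER_POD  name of the SPIRE server pod       (default: spire-server-0)
#   TRUST_DOMAIN      SPIFFE trust domain                (default: example.org)
set -euo pipefail

spire_ns=${SPIRE_NS:-spire}
spire_server_pod=${SPIRE_SERVER_POD:-spire-server-0}
trust_domain=${TRUST_DOMAIN:-example.org}
readonly spire_ns spire_server_pod trust_domain

# SPIFFE ID of the agent; every workload entry below is parented to it.
readonly agent_id="spiffe://${trust_domain}/ns/spire/sa/spire-agent"

failures=0

#######################################
# Run `spire-server entry create` inside the SPIRE server pod.
# Globals:   spire_ns, spire_server_pod (read); failures (written)
# Arguments: flags passed verbatim to `spire-server entry create`
# Outputs:   spire-server output on stdout; a warning on stderr on failure
# Returns:   always 0, so that later entries are still attempted; a failure
#            is counted in `failures` and surfaces in the final exit status
#######################################
create_entry() {
  if ! kubectl exec -n "$spire_ns" "$spire_server_pod" -- \
      /opt/spire/bin/spire-server entry create "$@"; then
    printf 'warning: failed to create entry: %s\n' "$*" >&2
    failures=$((failures + 1))
  fi
}

# spire-agent (node entry)
# The selectors describe the agent pod as seen by the k8s_sat node attestor:
# cluster name, agent namespace and agent service account. NOTE(review):
# SPIRE documents k8s_sat as the less hardened Kubernetes node attestor and
# recommends k8s_psat outside development; keep these selectors in sync with
# whichever attestor the agent is actually configured with.
create_entry \
  -node \
  -spiffeID "$agent_id" \
  -selector k8s_sat:cluster:demo-cluster \
  -selector k8s_sat:agent_ns:spire \
  -selector k8s_sat:agent_sa:spire-agent

# cilium-agent
# This entry is needed to be sure that the cilium agent is able to use the spire
# privileged API. The unix:uid:0 selector is used because cilium-agent runs as a
# process in the host in the dev environment. If cilium-agent is run as a pod
# then the k8s selectors for that pod should be used.
# Security note: unix:uid:0 matches *any* root process on a node attested by
# this agent, so every such process can obtain the ciliumagent identity; that is
# only acceptable in the single-host dev setup described above.
create_entry \
  -spiffeID "spiffe://${trust_domain}/ciliumagent" \
  -parentID "$agent_id" \
  -selector unix:uid:0

# client
# Matches any process running as uid 1002 on a node attested by this agent.
create_entry \
  -spiffeID "spiffe://${trust_domain}/client" \
  -parentID "$agent_id" \
  -selector unix:uid:1002

# server
# Matches a pod named "server" using service account "demo5". Neither selector
# pins the namespace; add a k8s:ns:<namespace> selector if the same service
# account or pod name can exist in more than one namespace.
create_entry \
  -spiffeID "spiffe://${trust_domain}/server" \
  -parentID "$agent_id" \
  -selector k8s:sa:demo5 \
  -selector k8s:pod-name:server

if (( failures > 0 )); then
  printf '%d registration entry creation(s) failed\n' "$failures" >&2
  exit 1
fi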