This guide outlines the process of creating a user in Kubernetes with detailed steps. The user creation process involves generating certificates, creating a Certificate Signing Request (CSR), signing the certificate using the cluster Certificate Authority (CA), configuring a kubeconfig file, and adding Role-Based Access Control (RBAC) rules for the user or their group.
- Kubernetes cluster access with administrative privileges.
- OpenSSL installed on your local machine or the system where you'll generate certificates.
- `kubectl` command-line tool configured to communicate with your Kubernetes cluster.
Use OpenSSL to generate a private key and a certificate request for the user. Run the following commands to generate the key and the CSR:

```shell
openssl genrsa -out USER-NAME.key 2048
openssl req -new -key USER-NAME.key -out USER-NAME.csr -subj "/CN=USER-NAME"
```

Replace `USER-NAME` with the desired username for the Kubernetes user.
Submit the CSR generated in the previous step to the cluster as a CertificateSigningRequest object. This object is used to request a certificate signed by the Kubernetes cluster's Certificate Authority (CA).

```shell
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: USER-NAME-csr
spec:
  request: $(cat USER-NAME.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF
```
Approve the Certificate Signing Request (CSR) so that the certificate is signed using the Kubernetes cluster's Certificate Authority (CA).

```shell
kubectl certificate approve USER-NAME-csr
```

Retrieve the signed certificate:

```shell
kubectl get csr USER-NAME-csr -o jsonpath='{.status.certificate}' | base64 -d > USER-NAME.crt
```
Create a kubeconfig file specific to the user. This file will contain the user's certificate, key, and other configuration details.

```shell
kubectl config set-credentials USER-NAME --client-certificate=USER-NAME.crt --client-key=USER-NAME.key
kubectl config set-context USER-NAME-context --cluster=<cluster-name> --user=USER-NAME
kubectl config use-context USER-NAME-context
```

Replace `<cluster-name>` with the name of your Kubernetes cluster.
Define Role-Based Access Control (RBAC) rules for the user or their group to determine what actions they can perform within the Kubernetes cluster.

```shell
kubectl create role <role-name> --verb=<verbs> --resource=<resources> --namespace=<namespace>
kubectl create rolebinding <rolebinding-name> --role=<role-name> --user=USER-NAME --namespace=<namespace>
```

Replace `<role-name>`, `<verbs>`, `<resources>`, and `<namespace>` with appropriate values.
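The whole procedure above, collected into one script. This is an added example, not the guide's own commands, and it assumes that an admin kubeconfig is the current one, that `openssl` and `kubectl` are on `PATH`, and that the admin kubeconfig embeds the cluster CA as `certificate-authority-data`. It goes beyond the guide in three ways: the CSR may carry an `O=` field so the user can be bound through a group; before approval it re-reads the request stored in the cluster and refuses any subject other than the agreed `CN`/`O`, because the API server takes the username from `CN` and a group membership from every `O` in the client certificate, so an unchecked approval is how a request could end up with more groups than intended; and it writes the user's kubeconfig to a separate file, so the admin's own current context is never switched. The `expirationSeconds` value, the `pod-reader` role name, the function names and the `onboard` subcommand are all choices made for this example; signers may shorten the requested validity.

```shell
#!/usr/bin/env bash
# Added example, not the guide's own commands. Assumes: an admin kubeconfig is current,
# openssl and kubectl are on PATH, and the admin kubeconfig embeds the cluster CA as
# certificate-authority-data. Run as:  ./onboard.sh onboard alice dev team-a
set -eu

# Render the CertificateSigningRequest manifest for a base64-encoded PEM CSR.
# $1 = user, $2 = single-line base64 CSR, $3 = requested validity in seconds
build_csr_manifest() {
  printf '%s\n' \
    "apiVersion: certificates.k8s.io/v1" \
    "kind: CertificateSigningRequest" \
    "metadata:" \
    "  name: $1-csr" \
    "spec:" \
    "  request: $2" \
    "  signerName: kubernetes.io/kube-apiserver-client" \
    "  expirationSeconds: $3" \
    "  usages:" \
    "  - client auth"
}

# Approval gate. The API server takes the username from CN and a group from every O
# in the client certificate, so approve only a subject that is exactly the agreed one.
# $1 = subject in RFC 2253 form ("CN=alice,O=dev", optional "subject=" prefix)
# $2 = expected user, $3 = expected group ("" means no O field is allowed)
subject_is_expected() {
  local subj="${1#subject=}" user="$2" group="${3:-}" rdn cn="" orgs="" extra=""
  local IFS=','
  for rdn in $subj; do
    case "$rdn" in
      CN=*) [ -z "$cn" ] && cn="${rdn#CN=}" || extra="${extra}${rdn};" ;;  # a 2nd CN is an anomaly
      O=*)  orgs="${orgs}${rdn#O=};" ;;
      *)    extra="${extra}${rdn};" ;;   # OU, L, emailAddress, ... were never agreed
    esac
  done
  [ -z "$extra" ] && [ "$cn" = "$user" ] || return 1
  if [ -n "$group" ]; then [ "$orgs" = "$group;" ]; else [ -z "$orgs" ]; fi
}

# Step 1 of the guide, with an optional O= so the user can be bound through a group.
generate_key_and_csr() {   # $1 = user, $2 = group (optional)
  local subj="/CN=$1"
  [ -z "${2:-}" ] || subj="$subj/O=$2"
  openssl genrsa -out "$1.key" 2048
  openssl req -new -key "$1.key" -out "$1.csr" -subj "$subj"
}

# Steps 2 to 4: submit, verify the stored request, approve, fetch, and write a separate
# kubeconfig so the admin's own current-context is never switched.
onboard_user() {   # $1 = user, $2 = group (optional), $3 = validity seconds (default 1 day)
  local user="$1" group="${2:-}" ttl="${3:-86400}" subj cluster server
  build_csr_manifest "$user" "$(base64 < "$user.csr" | tr -d '\n')" "$ttl" | kubectl apply -f -
  # Check what the cluster holds, not the local file: that is what will be signed.
  subj=$(kubectl get csr "$user-csr" -o jsonpath='{.spec.request}' | base64 -d \
         | openssl req -noout -subject -nameopt RFC2253)
  if ! subject_is_expected "$subj" "$user" "$group"; then
    echo "refusing to approve $user-csr: unexpected subject '$subj'" >&2
    kubectl delete csr "$user-csr"
    return 1
  fi
  kubectl certificate approve "$user-csr"
  kubectl get csr "$user-csr" -o jsonpath='{.status.certificate}' | base64 -d > "$user.crt"
  cluster=$(kubectl config view --minify -o jsonpath='{.clusters[0].name}')
  server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  kubectl config view --minify --raw \
    -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 -d > "$user-ca.crt"
  kubectl --kubeconfig="$user.kubeconfig" config set-cluster "$cluster" \
    --server="$server" --certificate-authority="$user-ca.crt" --embed-certs=true
  kubectl --kubeconfig="$user.kubeconfig" config set-credentials "$user" \
    --client-certificate="$user.crt" --client-key="$user.key" --embed-certs=true
  kubectl --kubeconfig="$user.kubeconfig" config set-context "$user-context" --cluster="$cluster" --user="$user"
  kubectl --kubeconfig="$user.kubeconfig" config use-context "$user-context"
}

# Step 5: a namespace-scoped role plus a binding, then confirm the grant from both
# sides before handing the kubeconfig over.
grant_and_verify() {   # $1 = user, $2 = namespace, $3 = role name, $4 = verbs, $5 = resources
  kubectl create role "$3" --verb="$4" --resource="$5" --namespace="$2"
  kubectl create rolebinding "$3-$1" --role="$3" --user="$1" --namespace="$2"
  kubectl auth can-i --list --as="$1" --namespace="$2"                      # admin view of the new identity
  kubectl --kubeconfig="$1.kubeconfig" auth can-i get secrets --namespace="$2" || true  # expect "no"
}

# Only run the cluster-touching flow when invoked explicitly; sourcing or testing the
# file leaves the pure functions above available without side effects.
if [ "${1:-}" = "onboard" ]; then
  generate_key_and_csr "$2" "${3:-}"
  onboard_user "$2" "${3:-}"
  grant_and_verify "$2" "${4:-default}" pod-reader get,list,watch pods
fi
```

`build_csr_manifest` and `subject_is_expected` are pure text functions, so they can be exercised without a cluster; the rest needs the admin kubeconfig. `kubectl auth can-i --list --as=USER` shows what the new identity can do from the admin side, and the final `can-i` run with the user's own kubeconfig proves the certificate authenticates and that the role is as narrow as intended.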