Managing users in Kubernetes involves several key steps, from creating the user to configuring access via certificates and finally adding them to a kubeconfig file. In this detailed guide, we'll walk through the process of creating a user, generating a certificate, approving it, and configuring access using a kubeconfig file.
Overview
Key Concepts:
Kubernetes Users: Unlike traditional Linux users, Kubernetes users are entities with access rights to the cluster. Kubernetes does not store user accounts but relies on external systems or certificate-based authentication.
Certificates: Users are authenticated using X.509 certificates, which prove their identity to the Kubernetes API server.
RBAC (Role-Based Access Control): RBAC is used to manage permissions for users within the cluster.
Steps Covered:
Generate a private key and certificate signing request (CSR) for the user.
Approve the CSR to generate a user certificate.
Create a Kubernetes role and role binding for the user.
Add the user to the
kubeconfigfile.Test access using the new user credentials.
Step 1: Generate a Private Key and Certificate Signing Request (CSR)
The first step is to create a private key and a CSR for the user. The private key is used to authenticate the user, while the CSR is sent to the Kubernetes API server to request a certificate.
-
Generate the Private Key:
openssl genrsa -out user1.key 2048This command generates a 2048-bit RSA private key for the user.
-
Generate the CSR:
openssl req -new -key user1.key -out user1.csr -subj "/CN=user1/O=dev-team"This command generates a CSR using the private key. The
-subjparameter specifies the subject of the certificate:
* CN (Common Name): The name of the user (user1).
-
O (Organization): The group to which the user belongs (
dev-team).
Step 2: Submit and Approve the CSR in Kubernetes
Now that you have the CSR, submit it to Kubernetes to generate a certificate.
-
Create a CSR Object in Kubernetes:
cat <<EOF | kubectl apply -f - apiVersion: certificates.k8s.io/v1 kind: CertificateSigningRequest metadata: name: user1-csr spec: request: $(cat user1.csr | base64 | tr -d '\n') signerName: kubernetes.io/kube-apiserver-client usages: - client auth EOFThis YAML file creates a CSR object in Kubernetes. The
requestfield contains the base64-encoded CSR. -
Approve the CSR:
kubectl certificate approve user1-csrThis command approves the CSR, allowing Kubernetes to issue the certificate.
-
Retrieve the Certificate:
Once approved, you can retrieve the certificate using the following command:
kubectl get csr user1-csr -o jsonpath='{.status.certificate}' | base64 --decode > user1.crtThis command extracts the issued certificate and saves it as
user1.crt.
Step 3: Create a Role and Role Binding for the User
The next step is to define the permissions the user will have in the Kubernetes cluster. This is done using Kubernetes RBAC (Role-Based Access Control).
-
Create a Role:
cat <<EOF | kubectl apply -f - apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: default name: dev-role rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "list", "watch"] EOFThis YAML file creates a role named
dev-rolein thedefaultnamespace, granting the user read-only access to pods. -
Create a Role Binding:
cat <<EOF | kubectl apply -f - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: dev-role-binding namespace: default subjects: - kind: User name: user1 apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: dev-role apiGroup: rbac.authorization.k8s.io EOFThis YAML file binds the
dev-roleto theuser1in thedefaultnamespace.
Step 4: Add the User to the Kubeconfig File
To allow the user to interact with the Kubernetes cluster using kubectl, you must add their credentials to the kubeconfig file.
-
Add the User Configuration:
kubectl config set-credentials user1 --client-certificate=user1.crt --client-key=user1.keyThis command adds the
user1credentials to thekubeconfigfile, pointing to the certificate and key files generated earlier. -
Add the Cluster Information:
kubectl config set-cluster my-cluster --server=https://<api-server-url> --certificate-authority=/path/to/ca.crtReplace
<api-server-url>with your Kubernetes API server’s URL. This command adds the cluster information to thekubeconfigfile. -
Create a Context for the User:
kubectl config set-context user1-context --cluster=my-cluster --namespace=default --user=user1This command creates a context that links the
user1credentials with themy-clustercluster and thedefaultnamespace. -
Use the Context:
kubectl config use-context user1-contextThis command switches the current context to
user1-context, meaning allkubectlcommands will be executed usinguser1's credentials.
Step 5: Test the User’s Access
Finally, test the user’s access to ensure everything is configured correctly.
-
Test Access to Pods:
kubectl get podsIf everything is set up correctly, this command should list the pods in the
defaultnamespace, as per the permissions defined in thedev-role. -
Test Unauthorized Actions:
Try to perform an action that
user1does not have permission to execute, such as deleting a pod:
kubectl delete pod <pod-name>This should fail with a permission error, confirming that the RBAC is working as expected.
Conclusion
This guide walked through the entire process of creating a Kubernetes user, generating and approving a certificate, configuring access via a kubeconfig file, and testing the user’s permissions. By following these steps, you can securely manage user access to your Kubernetes cluster, ensuring that each user has the appropriate level of access based on their role within the organization.
Top comments (0)