Managing users in Kubernetes involves several key steps, from creating the user to configuring access via certificates and finally adding them to a kubeconfig
file. In this detailed guide, we'll walk through the process of creating a user, generating a certificate, approving it, and configuring access using a kubeconfig
file.
Overview
Key Concepts:
Kubernetes Users: Unlike traditional Linux users, Kubernetes users are entities with access rights to the cluster. Kubernetes does not store user accounts but relies on external systems or certificate-based authentication.
Certificates: Users are authenticated using X.509 certificates, which prove their identity to the Kubernetes API server.
RBAC (Role-Based Access Control): RBAC is used to manage permissions for users within the cluster.
Steps Covered:
Generate a private key and certificate signing request (CSR) for the user.
Approve the CSR to generate a user certificate.
Create a Kubernetes role and role binding for the user.
Add the user to the
kubeconfig
file.Test access using the new user credentials.
Step 1: Generate a Private Key and Certificate Signing Request (CSR)
The first step is to create a private key and a CSR for the user. The private key is used to authenticate the user, while the CSR is sent to the Kubernetes API server to request a certificate.
-
Generate the Private Key:
openssl genrsa -out user1.key 2048
This command generates a 2048-bit RSA private key for the user.
-
Generate the CSR:
openssl req -new -key user1.key -out user1.csr -subj "/CN=user1/O=dev-team"
This command generates a CSR using the private key. The
-subj
parameter specifies the subject of the certificate:
* CN (Common Name): The name of the user (user1
).
-
O (Organization): The group to which the user belongs (
dev-team
).
Step 2: Submit and Approve the CSR in Kubernetes
Now that you have the CSR, submit it to Kubernetes to generate a certificate.
-
Create a CSR Object in Kubernetes:
cat <<EOF | kubectl apply -f - apiVersion: certificates.k8s.io/v1 kind: CertificateSigningRequest metadata: name: user1-csr spec: request: $(cat user1.csr | base64 | tr -d '\n') signerName: kubernetes.io/kube-apiserver-client usages: - client auth EOF
This YAML file creates a CSR object in Kubernetes. The
request
field contains the base64-encoded CSR. -
Approve the CSR:
kubectl certificate approve user1-csr
This command approves the CSR, allowing Kubernetes to issue the certificate.
-
Retrieve the Certificate:
Once approved, you can retrieve the certificate using the following command:
kubectl get csr user1-csr -o jsonpath='{.status.certificate}' | base64 --decode > user1.crt
This command extracts the issued certificate and saves it as
user1.crt
.
Step 3: Create a Role and Role Binding for the User
The next step is to define the permissions the user will have in the Kubernetes cluster. This is done using Kubernetes RBAC (Role-Based Access Control).
-
Create a Role:
cat <<EOF | kubectl apply -f - apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: default name: dev-role rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "list", "watch"] EOF
This YAML file creates a role named
dev-role
in thedefault
namespace, granting the user read-only access to pods. -
Create a Role Binding:
cat <<EOF | kubectl apply -f - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: dev-role-binding namespace: default subjects: - kind: User name: user1 apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: dev-role apiGroup: rbac.authorization.k8s.io EOF
This YAML file binds the
dev-role
to theuser1
in thedefault
namespace.
Step 4: Add the User to the Kubeconfig File
To allow the user to interact with the Kubernetes cluster using kubectl
, you must add their credentials to the kubeconfig
file.
-
Add the User Configuration:
kubectl config set-credentials user1 --client-certificate=user1.crt --client-key=user1.key
This command adds the
user1
credentials to thekubeconfig
file, pointing to the certificate and key files generated earlier. -
Add the Cluster Information:
kubectl config set-cluster my-cluster --server=https://<api-server-url> --certificate-authority=/path/to/ca.crt
Replace
<api-server-url>
with your Kubernetes API server’s URL. This command adds the cluster information to thekubeconfig
file. -
Create a Context for the User:
kubectl config set-context user1-context --cluster=my-cluster --namespace=default --user=user1
This command creates a context that links the
user1
credentials with themy-cluster
cluster and thedefault
namespace. -
Use the Context:
kubectl config use-context user1-context
This command switches the current context to
user1-context
, meaning allkubectl
commands will be executed usinguser1
's credentials.
Step 5: Test the User’s Access
Finally, test the user’s access to ensure everything is configured correctly.
-
Test Access to Pods:
kubectl get pods
If everything is set up correctly, this command should list the pods in the
default
namespace, as per the permissions defined in thedev-role
. -
Test Unauthorized Actions:
Try to perform an action that
user1
does not have permission to execute, such as deleting a pod:
kubectl delete pod <pod-name>
This should fail with a permission error, confirming that the RBAC is working as expected.
Conclusion
This guide walked through the entire process of creating a Kubernetes user, generating and approving a certificate, configuring access via a kubeconfig
file, and testing the user’s permissions. By following these steps, you can securely manage user access to your Kubernetes cluster, ensuring that each user has the appropriate level of access based on their role within the organization.
Top comments (0)