# Generate private key
openssl genrsa -out myuser.pem 2048
# Generate the certificate signing request
openssl req -new -key myuser.pem -out myuser.csr -subj "/CN=myuser"
The signing request has to be signed by the Kubernetes CA. We do this through the API, but since the request has to be submitted base64-encoded there is a preliminary step:
cat myuser.csr | base64 | tr -d '\n'
Then we create the following file, putting the output of the previous command in the request field:
# mysigning-request.yaml
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: user-request-myuser
spec:
  groups:
  - system:authenticated
  request: <base64-encoded CSR from the previous step>
  usages:
  - digital signature
  - key encipherment
  - client auth
and submit it to the API via kubectl:
kubectl apply -f mysigning-request.yaml
We also have to approve the request:
kubectl certificate approve user-request-myuser
Finally we can download the signed certificate from the csr resource:
kubectl get csr user-request-myuser -o jsonpath='{.status.certificate}' | base64 -d > myuser.crt
Once we have all the certificates, we can create the kubeconfig entry:
kubectl --kubeconfig ~/.kube/config-myuser config set-cluster sandbox --insecure-skip-tls-verify=true --server=https://api.belfast.k8s.sandbox.nutmeg.co.uk
kubectl --kubeconfig ~/.kube/config-myuser config set-credentials myuser --client-certificate=myuser.crt --client-key=myuser.pem --embed-certs=true
kubectl --kubeconfig ~/.kube/config-myuser config set-context sandbox --cluster=sandbox --user=myuser
kubectl --kubeconfig ~/.kube/config-myuser config use-context sandbox
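The base64 step, the manifest and the final `base64 -d` of `.status.certificate` are easy to get subtly wrong (a stray newline in the request field, decoding before the certificate has actually been issued). The following is an added example, not code from the original post, that does those three steps in Python with the standard library only. The CSR and certificate PEM bodies are constructed stand-ins, and the `sample_csr_status_json` helper fakes the output of `kubectl get csr ... -o json`; the function names are this example's own.

```python
import base64
import json

# Constructed sample CSR standing in for myuser.csr (body is not a real CSR).
SAMPLE_CSR_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "MIICxDCCAawCAQAwETEPMA0GA1UEAwwGbXl1c2Vy\n"
    "-----END CERTIFICATE REQUEST-----\n"
)

# Constructed sample certificate standing in for what the CA would issue.
SAMPLE_ISSUED_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUc29tZS1jb25zdHJ1Y3RlZC1zZXJpYWw=\n"
    "-----END CERTIFICATE-----\n"
)


def encode_csr(csr_pem: str) -> str:
    """Same as `cat myuser.csr | base64 | tr -d '\\n'`: single-line base64 of the PEM."""
    return base64.b64encode(csr_pem.encode()).decode()


def build_csr_manifest(user: str, csr_pem: str,
                       api_version: str = "certificates.k8s.io/v1beta1") -> dict:
    """Builds the CertificateSigningRequest object shown in mysigning-request.yaml.

    kubectl accepts JSON as well as YAML, so json.dumps() of this dict can be
    written to a file and passed to `kubectl apply -f`.
    """
    return {
        "apiVersion": api_version,
        "kind": "CertificateSigningRequest",
        "metadata": {"name": f"user-request-{user}"},
        "spec": {
            "groups": ["system:authenticated"],
            "request": encode_csr(csr_pem),
            "usages": ["digital signature", "key encipherment", "client auth"],
        },
    }


def sample_csr_status_json(cert_pem: str = None, denied: bool = False) -> str:
    """Constructed stand-in for `kubectl get csr user-request-myuser -o json`."""
    status = {}
    if denied:
        status["conditions"] = [{"type": "Denied", "status": "True"}]
    elif cert_pem is not None:
        status["conditions"] = [{"type": "Approved", "status": "True"}]
        status["certificate"] = base64.b64encode(cert_pem.encode()).decode()
    return json.dumps({
        "apiVersion": "certificates.k8s.io/v1beta1",
        "kind": "CertificateSigningRequest",
        "metadata": {"name": "user-request-myuser"},
        "status": status,
    })


def certificate_ready(csr_json: str) -> bool:
    """True only when the CSR was approved and the CA has filled status.certificate."""
    status = json.loads(csr_json).get("status", {})
    conditions = {c.get("type"): c.get("status") for c in status.get("conditions", [])}
    if conditions.get("Denied") == "True":
        return False
    return bool(status.get("certificate"))


def extract_certificate(csr_json: str) -> str:
    """Equivalent of `-o jsonpath='{.status.certificate}' | base64 -d`, with checks.

    Raises ValueError instead of silently writing an empty or non-PEM myuser.crt.
    """
    if not certificate_ready(csr_json):
        raise ValueError("CSR is denied or has no issued certificate yet")
    cert_b64 = json.loads(csr_json)["status"]["certificate"]
    pem = base64.b64decode(cert_b64).decode()
    if not pem.startswith("-----BEGIN CERTIFICATE-----"):
        raise ValueError("status.certificate did not decode to a PEM certificate")
    return pem


if __name__ == "__main__":
    manifest = build_csr_manifest("myuser", SAMPLE_CSR_PEM)
    with open("mysigning-request.json", "w") as f:
        json.dump(manifest, f, indent=2)
    print(extract_certificate(sample_csr_status_json(SAMPLE_ISSUED_CERT_PEM)))
```

Two practical notes. On clusters that serve `certificates.k8s.io/v1` the object additionally needs `spec.signerName: kubernetes.io/kube-apiserver-client`; pass the newer `api_version` and add that key. And the `set-cluster` step above disables verification of the API server's certificate with `--insecure-skip-tls-verify=true`; the usual alternative is to pin the cluster CA with `--certificate-authority=<ca.crt> --embed-certs=true` so the kubeconfig is also protected against a spoofed API endpoint.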
Once we have this we can connect to the cluster; however, we still need to configure RBAC
and define what this user can do.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: myuser-view-all
subjects:
- kind: User
  name: myuser
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
And:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: myuser-edit-default
  namespace: default # This only grants permissions within the "default" namespace.
subjects:
- kind: User
  name: myuser
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
Once we have the files, we create the resources in the cluster. Remember, at this point myuser
doesn't have any permissions, so you will need to use a user with the right access to create these resources:
kubectl apply -f clusterrolebinding.yaml
kubectl apply -f rolebinding.yaml
Now we can use the new user to query the cluster. This user has read-only access to the whole cluster and edit access in the default
namespace.
kubectl --kubeconfig ~/.kube/config-myuser get pods -n kube-system
But if the user tries, for example, to query the nodes, they will receive an error:
-> % kubectl --kubeconfig ~/.kube/config-myuser get nodes
Error from server (Forbidden): nodes is forbidden: User "myuser" cannot list nodes at the cluster scope