Create User

To manage Kubernetes user accounts we are going to use client certificates signed by the cluster CA. Kubernetes has no user objects of its own: the certificate's CN is taken as the username and each O in its subject as a group, and RBAC bindings are then made against that group.

Set up an admin ClusterRoleBinding (control node)

From a control node, create the following file as admin-role.yml and apply it. It binds the built-in cluster-admin ClusterRole to a group of your own; no ClusterRole needs to be written.

Feel free to replace example-cluster-admin and example:masters with different names, e.g. myorg-cluster-admins or myorg:masters. Do not use system:masters: that group is hard-coded as a superuser, bypasses RBAC entirely, and a certificate carrying it can only be revoked by rotating the cluster CA.

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: example:masters

Apply the manifest with

kubectl apply -f admin-role.yml

Create a CSR (workstation)

From your workstation (not from a Kubernetes host) create a certs folder for kubectl, then generate a private key and a CSR. The private key never leaves the workstation; only the CSR is sent to the cluster.

mkdir -p ~/.kube/certs
export MYUSER=myuser # replace with your username; it becomes the certificate CN
cd ~/.kube/certs
openssl genrsa -out ${MYUSER}.key 4096 # generate the private key (keep it readable only by you)
openssl req -new -key ${MYUSER}.key -out ${MYUSER}.csr -subj "/CN=${MYUSER}/O=example:masters" # generate the CSR for our user
cat ${MYUSER}.csr | base64 | tr -d '\n' # get the base64-encoded CSR as a single line - keep this available for the next step

! The O= at the end of the subject must match the group named under subjects in admin-role.yml. The API server reads the username and group straight from the signed certificate, so anyone who gets a CSR with O=example:masters approved becomes cluster-admin: approval, not the ClusterRoleBinding, is the real access-control step. Note also that Kubernetes does no certificate revocation; a leaked key stays valid until the certificate expires.

Submit and approve the CSR (control node)

On one of your control nodes create a file named myuser.yml with the following contents, replacing myuser with your username. The spec.groups field found in older examples is left out: the API server records the submitting user's groups itself and overwrites whatever is set. Certificate lifetime is decided by the signer (kube-controller-manager's --cluster-signing-duration, one year by default) unless the request sets spec.expirationSeconds to something shorter.

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: myuser-csr
spec:
  request: <base64 value from the previous step, on one line>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - client auth

Apply the certificate request manifest with the following:

kubectl apply -f myuser.yml

Before approving, decode the pending request and check that its subject is the CN and O you expect, since approval is what turns the requested O= into real group membership. Then approve the CSR and output the certificate in base64 for the next step:

kubectl certificate approve myuser-csr # replace the name with the name from the CSR applied above

echo ====CERT====
kubectl get csr myuser-csr -o jsonpath='{.status.certificate}' # output the issued certificate in base64 for the next step (empty for a moment after approval while the signing controller runs)

echo ====CA====
cat /etc/kubernetes/pki/ca.crt | base64 | tr -d '\n' # get the CA certificate for the kubectl config (kubeadm default path), as a single line

Configure kubectl with your new user (workstation)

Save the certificate and the CA to your workstation from the output above (on older macOS base64 the decode flag is -D rather than -d)

echo _CERT_ | base64 -d > ~/.kube/certs/myuser.crt # user cert from the previous step
echo _CA_ | base64 -d > ~/.kube/certs/ca.crt # CA output from the previous step

Set the kubectl config with the following commands (the file names must match the key generated earlier, here myuser.key)

kubectl config set-cluster mycluster --server https://_load_balancer_fqdn_:6443 --certificate-authority ~/.kube/certs/ca.crt
kubectl config set-credentials myuser --client-certificate ~/.kube/certs/myuser.crt --client-key ~/.kube/certs/myuser.key
kubectl config set-context myuser@mycluster --cluster mycluster --user myuser --namespace default
kubectl config use-context myuser@mycluster

That's it: you should be able to access your cluster from your workstation as your new user. You can validate this by running

kubectl get pods -n kube-system -o wide
kubectl get nodes
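The whole procedure above as one script, added here as an example and not code from the original page. It assumes a kubeadm-style cluster (CA at /etc/kubernetes/pki/ca.crt), that kubectl on the control node already runs as an admin, and that openssl and base64 are installed on both machines; the function names, the sub-command layout and the 90-day expirationSeconds are this example's own choices. It goes beyond the page in two ways: the CSR manifest is rendered from the base64 output instead of being pasted by hand, and approval is gated on the decoded subject of the request that actually reached the API server, refusing anything whose CN or O differs from what was asked for or that names system:masters.

```shell
#!/bin/sh
# Added example (not from the original page): certificate-based user onboarding
# with an approval gate. Assumptions: kubeadm layout (/etc/kubernetes/pki/ca.crt),
# kubectl on the control node already has cluster-admin, openssl + base64 present.
set -eu

# Render the CertificateSigningRequest manifest for a base64 PEM CSR ($1 name, $2 base64).
# spec.groups is left out on purpose: the API server records the submitter's groups itself.
# expirationSeconds (90 days here, an assumption) caps the lifetime the signer may grant.
csr_manifest() {
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  request: $2
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 7776000
  usages:
  - client auth
EOF
}

# Approval gate. $1 is the "subject=..." line from `openssl req -noout -subject`,
# $2 the expected CN, $3 the expected O. Both the "CN = x, O = y" (OpenSSL 1.1+) and
# "/CN=x/O=y" (OpenSSL 1.0) formats are normalised to "CN=x,O=y" before comparing.
# Any subject carrying O=system:masters is refused outright: that group is a hard-coded
# superuser that bypasses RBAC and cannot be revoked short of rotating the cluster CA.
subject_ok() {
  norm=$(printf '%s' "$1" | sed -e 's/^subject=//' -e 's/ *= */=/g' \
        -e 's/ *, */,/g' -e 's#^/##' -e 's#/#,#g')
  case ",$norm," in *",O=system:masters,"*) return 1 ;; esac
  [ "$norm" = "CN=$2,O=$3" ]
}

# Workstation: the key never leaves this machine, only the CSR (printed as base64) does.
gen_key_and_csr() {  # user group dir
  mkdir -p "$3"; umask 077
  openssl genrsa -out "$3/$1.key" 4096
  openssl req -new -key "$3/$1.key" -out "$3/$1.csr" -subj "/CN=$1/O=$2"
  base64 < "$3/$1.csr" | tr -d '\n'
}

# Control node: submit, decode what was actually requested, approve only if it passes
# the gate, then print the issued certificate (PEM) for the workstation.
submit_and_approve() {  # user group base64_csr
  csr_manifest "$1-csr" "$3" | kubectl apply -f -
  subj=$(kubectl get csr "$1-csr" -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -subject)
  if ! subject_ok "$subj" "$1" "$2"; then
    echo "refusing $1-csr: unexpected subject '$subj'" >&2
    kubectl certificate deny "$1-csr"
    return 1
  fi
  kubectl certificate approve "$1-csr"
  cert=""
  for i in 1 2 3 4 5 6 7 8 9 10; do   # the signing controller is asynchronous
    cert=$(kubectl get csr "$1-csr" -o jsonpath='{.status.certificate}')
    [ -n "$cert" ] && break
    sleep 1
  done
  [ -n "$cert" ] || { echo "certificate not issued yet" >&2; return 1; }
  printf '%s' "$cert" | base64 -d
}

# Workstation: build the context and confirm which identity the API server sees.
configure_kubeconfig() {  # user cluster server dir (expects dir/user.crt, dir/user.key, dir/ca.crt)
  kubectl config set-cluster "$2" --server "$3" --certificate-authority "$4/ca.crt" --embed-certs=true
  kubectl config set-credentials "$1" --client-certificate "$4/$1.crt" --client-key "$4/$1.key" --embed-certs=true
  kubectl config set-context "$1@$2" --cluster "$2" --user "$1" --namespace default
  kubectl config use-context "$1@$2"
  kubectl auth whoami 2>/dev/null || true   # kubectl >= 1.26; shows the CN and groups
  kubectl auth can-i '*' '*'                # "yes" once the ClusterRoleBinding applies
}

# Sub-commands, so each half runs on the machine it belongs to. With no argument the
# file only defines the functions, so it can be sourced.
case "${1:-}" in
  csr)        gen_key_and_csr "$2" "$3" "${4:-$HOME/.kube/certs}" ;;
  approve)    submit_and_approve "$2" "$3" "$4" ;;
  kubeconfig) configure_kubeconfig "$2" "$3" "$4" "${5:-$HOME/.kube/certs}" ;;
esac
```

Usage: on the workstation `sh k8s-user.sh csr alice example:masters` prints the base64 CSR; on a control node `sh k8s-user.sh approve alice example:masters "<that base64>" > alice.crt` submits, checks and approves it and writes the PEM; copy alice.crt and the cluster's ca.crt into ~/.kube/certs on the workstation and run `sh k8s-user.sh kubeconfig alice mycluster https://_load_balancer_fqdn_:6443`. The gate compares the subject as a whole, so a request carrying an extra O (two groups) is refused as well.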