Add K8s User

Source: https://kubernetes.io/docs/tasks/tls/certificate-issue-client-csr/

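# Add a Kubernetes user that authenticates with an X.509 client certificate.
# Placeholders to change throughout: "myuser" (the username, taken from the
# certificate's CN) and "my-space" (the namespace the user may work in).

# Create a private key and restrict it to the owner; whoever holds this file
# can authenticate as the user until the certificate expires.
openssl genrsa -out myuser.key 4096
chmod 600 myuser.key

# Create an X.509 certificate signing request
# Change the common name "myuser" to the actual username that you want to use
# (Kubernetes reads the username from CN; O= entries would become group names,
# so do not add any unless the group membership is intended).
openssl req -new -key myuser.key -out myuser.csr -subj "/CN=myuser"

# Base64-encode the CSR on a single line so it can be placed in the manifest.
csr_b64=$(base64 < myuser.csr | tr -d '\n')

# Create a Kubernetes CertificateSigningRequest
# The certificate is valid for one day (expirationSeconds). Kubernetes cannot
# revoke an individual client certificate, so a short lifetime plus removing
# the RBAC bindings is how access is withdrawn.
kubectl apply -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: myuser # example
spec:
  # Base64-encoded contents of myuser.csr, filled in from csr_b64 above
  request: ${csr_b64}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400  # one day
  usages:
  - client auth
EOF

# Review the request (subject, signer, usages) before approving it; approval
# is the step that turns the CSR into a usable cluster credential.
kubectl describe csr myuser

# Approve the CertificateSigningRequest
kubectl certificate approve myuser

# Get the Certificate
kubectl get csr myuser -o jsonpath='{.status.certificate}' | base64 -d > myuser.crt

# Configure the certificate into kubeconfig
# --embed-certs=true copies the private key into the kubeconfig file, so that
# file must be protected like the key itself.
kubectl config set-credentials myuser \
  --client-key=myuser.key \
  --client-certificate=myuser.crt \
  --embed-certs=true

# Create Role and RoleBinding
# Both objects are namespaced and must live in the same namespace: without
# --namespace the binding lands in the current namespace and cannot find the
# "developer" Role created in my-space.
kubectl create role developer \
  --verb=create --verb=get --verb=list --verb=update --verb=delete \
  --resource=pods \
  --namespace=my-space
kubectl create rolebinding developer-binding-myuser \
  --role=developer \
  --user=myuser \
  --namespace=my-space

# Optional, and normally NOT wanted: binding cluster-admin gives myuser full
# control of every namespace and makes the scoped Role above meaningless.
# Left commented out so the user ends up with least privilege by default;
# enable it only when a full administrator account is the actual goal.
# kubectl create clusterrolebinding user-cluster-admin --clusterrole=cluster-admin --user=myuser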

https://kubernetes.io/docs/reference/access-authn-authz/rbac
