{"id":2850,"date":"2025-08-02T08:53:21","date_gmt":"2025-08-02T06:53:21","guid":{"rendered":"https:\/\/stls.eu\/blog\/?p=2850"},"modified":"2025-08-02T08:53:21","modified_gmt":"2025-08-02T06:53:21","slug":"add-k8s-user","status":"publish","type":"post","link":"https:\/\/stls.eu\/blog\/2025\/08\/02\/add-k8s-user\/","title":{"rendered":"Add K8s User"},"content":{"rendered":"\n<p>Source: <a href=\"https:\/\/kubernetes.io\/docs\/tasks\/tls\/certificate-issue-client-csr\/\">https:\/\/kubernetes.io\/docs\/tasks\/tls\/certificate-issue-client-csr\/<\/a><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><em><strong># Create a private key<\/strong><\/em>\nopenssl genrsa -out myuser.key 4096\n# Create an X.509 certificate signing request\n# Change the common name \"myuser\" to the actual username that you want to use\nopenssl req -new -key myuser.key -out myuser.csr -subj \"\/CN=myuser\"\n<strong># Create a Kubernetes CertificateSigningRequest<\/strong>\ncat myuser.csr | base64 | tr -d \"\\n\"\ncat &lt;&lt;EOF | kubectl apply -f -\napiVersion: certificates.k8s.io\/v1\nkind: CertificateSigningRequest\nmetadata:\n  name: myuser # example\nspec:\n  # This is an encoded CSR. Change this to the base64-encoded contents of myuser.csr\n  request: &lt;myuser.csr in base64>\n  signerName: kubernetes.io\/kube-apiserver-client\n  expirationSeconds: 86400  # one day\n  usages:\n  - client auth\nEOF\n<strong># Approve the CertificateSigningRequest<\/strong>\nkubectl certificate approve myuser\n<strong># Get the Certificate<\/strong>\nkubectl get csr myuser -o jsonpath='{.status.certificate}'| base64 -d > myuser.crt\n<strong># Configure the certificate into kubeconfig<\/strong>\nkubectl config set-credentials myuser --client-key=myuser.key --client-certificate=myuser.crt --embed-certs=true\n<strong># Create Role and RoleBinding<\/strong>\nkubectl create role developer --verb=create --verb=get --verb=list --verb=update --verb=delete --resource=pods --namespace=my-space\nkubectl create rolebinding developer-binding-myuser --role=developer --user=myuser\nkubectl create clusterrolebinding user-cluster-admin --clusterrole=cluster-admin --user=myuser<\/code><\/pre>\n\n\n\n<p><a href=\"https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/rbac\">https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/rbac<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Source: https:\/\/kubernetes.io\/docs\/tasks\/tls\/certificate-issue-client-csr\/ https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/rbac<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[121],"tags":[],"class_list":["post-2850","post","type-post","status-publish","format-standard","hentry","category-kubernetes"],"_links":{"self":[{"href":"https:\/\/stls.eu\/blog\/wp-json\/wp\/v2\/posts\/2850","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stls.eu\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stls.eu\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stls.eu\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/stls.eu\/blog\/wp-json\/wp\/v2\/comments?post=2850"}],"version-history":[{"count":3,"href":"https:\/\/stls.eu\/blog\/wp-json\/wp\/v2\/posts\/2850\/revisions"}],"predecessor-version":[{"id":2856,"href":"https:\/\/stls.eu\/blog\/wp-json\/wp\/v2\/posts\/2850\/revisions\/2856"}],"wp:attachment":[{"href":"https:\/\/stls.eu\/blog\/wp-json\/wp\/v2\/media?parent=2850"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stls.eu\/blog\/wp-json\/wp\/v2\/categories?post=2850"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stls.eu\/blog\/wp-json\/wp\/v2\/tags?post=2850"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}