In this post we will see how to create a user in Kubernetes. Kubernetes has no user objects of its own: a certificate-based "user" is simply an X.509 client certificate signed by the cluster CA, where the API server takes the CN as the username and each O field as a group. There are 3 building blocks needed for user creation in Kubernetes:
1) Private Key.
2) CSR (Certificate Signing Request).
3) Certificate.
Let's start by creating all 3 with the openssl command.
root@masterk8s:/docker# openssl genrsa -out sam.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
..........................+++++
e is 65537 (0x010001)
root@masterk8s:/docker#
Create a CSR with the private key generated above. The CN becomes the username "sam" and the O field puts the user in the group "developer" (a group is just a string carried in the certificate; nothing has to be created for it in the cluster). We will also use a namespace called "developer", which is a separate object and must be created in the cluster (kubectl create namespace developer).
root@masterk8s:/docker# openssl req -new -key sam.key -out sam.csr -subj "/CN=sam/O=developer"
Next, we need to sign the CSR with the cluster CA certificate and key. On a kubeadm cluster these are /etc/kubernetes/pki/ca.crt and ca.key on the control-plane node. Two caveats: the CA key is the most sensitive file in the cluster, so sign on the control-plane node rather than copying ca.key elsewhere, and Kubernetes does not consult certificate revocation lists, so a certificate signed this way cannot be revoked and stays valid until the -days lifetime expires. Keep the lifetime as short as the workflow allows; 365 days is generous.
root@masterk8s:/docker# openssl x509 -req -in sam.csr \
> -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key \
> -CAcreateserial -out sam.crt -days 365
Signature ok
subject=CN = sam, O = developer
Getting CA Private Key
root@masterk8s:/docker#
We are done creating the user's credentials. Now we need to generate a kubeconfig for the user "sam".
Think of "kubeconfig" as the client-side file that tells kubectl which cluster to talk to, how to verify it (the CA) and which credentials to present.
The default kubeconfig file is "/root/.kube/config".
I am going to reuse the existing details like cluster name, API endpoint and CA from "/root/.kube/config".
root@masterk8s:/docker# kubectl --kubeconfig sam.kubeconfig config set-cluster kubernetes \
> --server https://192.168.163.128:6443 \
> --certificate-authority=/etc/kubernetes/pki/ca.crt
Cluster "kubernetes" set.
root@masterk8s:/docker#
The command above creates a new kubeconfig file containing only the cluster entry. Note that certificate-authority is stored as a path, so this file only works on a machine where /etc/kubernetes/pki/ca.crt exists. Add --embed-certs=true to set-cluster (and later to set-credentials) to inline the PEM data as certificate-authority-data and make the file portable.
root@masterk8s:/docker# cat sam.kubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority: /etc/kubernetes/pki/ca.crt
server: https://192.168.163.128:6443
name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null
root@masterk8s:/docker#
Now we need a context that ties the cluster, the namespace and the user "sam" together in the kubeconfig file. The user itself is not defined yet; the context only references it by name.
root@masterk8s:/docker# kubectl --kubeconfig sam.kubeconfig config set-context sam-kubernetes \
> --cluster kubernetes --namespace developer --user sam
Context "sam-kubernetes" created.
root@masterk8s:/docker#
root@masterk8s:/docker# cat sam.kubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority: /etc/kubernetes/pki/ca.crt
server: https://192.168.163.128:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
namespace: developer
user: sam
name: sam-kubernetes
current-context: ""
kind: Config
preferences: {}
users: null
root@masterk8s:/docker#
Now we need to set the credentials for the user "sam". Here the credentials are sam's crt and key files. As with the CA, the paths are stored exactly as given (relative to the current directory), so use absolute paths or --embed-certs=true if the file is going to be handed to the user.
root@masterk8s:/docker# kubectl --kubeconfig sam.kubeconfig config set-credentials sam \
> --client-certificate sam.crt --client-key sam.key
User "sam" set.
root@masterk8s:/docker#
root@masterk8s:/docker# cat sam.kubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority: /etc/kubernetes/pki/ca.crt
server: https://192.168.163.128:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
namespace: developer
user: sam
name: sam-kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: sam
user:
client-certificate: sam.crt
client-key: sam.key
root@masterk8s:/docker#
We are done. Let's list the pods in the namespace "developer".
root@masterk8s:/docker# kubectl --kubeconfig sam.kubeconfig get pods -n developer
The connection to the server localhost:8080 was refused - did you specify the right host or port?
root@masterk8s:/docker#
The error above is not a connectivity problem: current-context in sam.kubeconfig is empty, so kubectl ignores the cluster entry and falls back to its built-in default of localhost:8080. Select the context with kubectl --kubeconfig sam.kubeconfig config use-context sam-kubernetes (or edit current-context: "" to current-context: "sam-kubernetes" by hand).
root@masterk8s:/docker# cat sam.kubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority: /etc/kubernetes/pki/ca.crt
server: https://192.168.163.128:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
namespace: developer
user: sam
name: sam-kubernetes
current-context: "sam-kubernetes"
kind: Config
preferences: {}
users:
- name: sam
user:
client-certificate: sam.crt
client-key: sam.key
root@masterk8s:/docker#
root@masterk8s:/docker# kubectl --kubeconfig sam.kubeconfig get pods -n developer
Error from server (Forbidden): pods is forbidden: User "sam" cannot list resource "pods" in API group "" in the namespace "developer"
root@masterk8s:/docker#
This time the request reached the API server and the TLS client certificate was accepted: the server identifies the caller as User "sam", so authentication succeeded. The Forbidden error is an authorization failure: sam has no RBAC permission to list "pods" in "developer". This is fixed with a Role and a RoleBinding, bound either to the user "sam" or to the group "developer" from the certificate's O field.
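The whole procedure above collected into one script, as an added example that is not part of the original post. It uses only openssl, base64 and coreutils: it generates the key, CSR and CA-signed certificate, prints the identity Kubernetes will derive from the certificate, writes the kubeconfig directly (equivalent to the kubectl config sequence with --embed-certs=true and current-context already set), and finishes with a check that catches the empty current-context mistake shown earlier. The function names, the 30-day default lifetime and the OUTDIR layout are my choices; the server address, file names, user and group are the ones from the post.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes openssl and base64
# are on PATH and that the cluster CA (ca.crt/ca.key) is readable. The server
# address and paths are placeholders taken from the post, nothing is discovered.
set -eu

# Generate a private key, a CSR whose CN is the username and O the group, and a
# certificate signed by the cluster CA. Validity defaults to 30 days: Kubernetes
# does not check revocation lists, so a leaked cert is usable until it expires.
# Writes NAME.key, NAME.csr and NAME.crt into OUTDIR (key is created mode 600).
gen_user_cert() {
  local name=$1 group=$2 ca_crt=$3 ca_key=$4 outdir=$5 days=${6:-30}
  mkdir -p "$outdir"
  ( umask 077; openssl genrsa -out "$outdir/$name.key" 2048 2>/dev/null )
  openssl req -new -key "$outdir/$name.key" -out "$outdir/$name.csr" \
    -subj "/CN=$name/O=$group"
  openssl x509 -req -in "$outdir/$name.csr" -CA "$ca_crt" -CAkey "$ca_key" \
    -CAcreateserial -out "$outdir/$name.crt" -days "$days" 2>/dev/null
}

# Show what the API server will see: the subject (CN = user, O = group) and the
# expiry. Also verifies the chain against the CA, which is the check the API
# server performs on every request before it even looks at RBAC.
cert_identity() {
  local crt=$1 ca_crt=$2
  openssl verify -CAfile "$ca_crt" "$crt" >/dev/null
  openssl x509 -in "$crt" -noout -subject -enddate
}

# base64 without line wrapping, as kubeconfig *-data fields expect.
b64() { base64 < "$1" | tr -d '\n'; }

# Write a self-contained kubeconfig, equivalent to:
#   kubectl config set-cluster kubernetes --server ... --embed-certs=true
#   kubectl config set-credentials NAME --embed-certs=true ...
#   kubectl config set-context NAME-kubernetes ... && kubectl config use-context NAME-kubernetes
# Embedding the PEM data means the file does not reference /etc/kubernetes/pki
# paths that only exist on the control-plane node, and current-context is set
# so kubectl does not silently fall back to localhost:8080.
write_kubeconfig() {
  local name=$1 server=$2 ca_crt=$3 crt=$4 key=$5 namespace=$6 out=$7
  (
    umask 077
    cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: $server
    certificate-authority-data: $(b64 "$ca_crt")
users:
- name: $name
  user:
    client-certificate-data: $(b64 "$crt")
    client-key-data: $(b64 "$key")
contexts:
- name: $name-kubernetes
  context:
    cluster: kubernetes
    user: $name
    namespace: $namespace
current-context: $name-kubernetes
EOF
  )
}

# Sanity-check a kubeconfig before handing it over: current-context must be set
# and must name a context defined in the file (the layout written above), and
# the file must not be group/world readable since it carries the private key.
check_kubeconfig() {
  local f=$1 ctx
  ctx=$(sed -n 's/^current-context: *//p' "$f" | tr -d '"')
  [ -n "$ctx" ] || { echo "no current-context set" >&2; return 1; }
  grep -q "^- name: $ctx\$" "$f" || { echo "current-context '$ctx' not defined" >&2; return 1; }
  [ "$(ls -l "$f" | cut -c5-10)" = "------" ] || { echo "$f should be mode 600" >&2; return 1; }
  echo "ok: $ctx"
}

# Usage on the control-plane node (values from the post):
#   gen_user_cert sam developer /etc/kubernetes/pki/ca.crt /etc/kubernetes/pki/ca.key ./out 30
#   cert_identity ./out/sam.crt /etc/kubernetes/pki/ca.crt
#   write_kubeconfig sam https://192.168.163.128:6443 /etc/kubernetes/pki/ca.crt \
#     ./out/sam.crt ./out/sam.key developer ./sam.kubeconfig
#   check_kubeconfig ./sam.kubeconfig && kubectl --kubeconfig ./sam.kubeconfig get pods
```

The resulting file can be copied to the user's workstation as-is; the expected result of the final kubectl call is still the Forbidden error from above until a Role and RoleBinding exist.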
We will discuss that in the next post.