Creating a new user in the Kubernetes cluster

Introduction: Kubernetes, often regarded as the powerhouse of container orchestration, thrives on its vast ecosystem of objects and components. However, in this complex Kubernetes universe, one crucial aspect often overlooked is the robust authorization and access control system. This system is the key to knowing who wields control over your Kubernetes cluster.

When deploying Kubernetes clusters on cloud platforms, it’s common to have a single configuration that grants almost unrestricted access to the cluster. This means that anyone can execute operations within the cluster without proper controls in place. Fortunately, Kubernetes offers a sophisticated access control system that provides a solution to this issue. In this article, we’ll delve into the intricacies of Kubernetes authorization and access control.

First of all, creating a user in cloud-managed clusters is a bit different compared to self-managed clusters.

Understanding the Kubeconfig File:

The kubeconfig file is utilized by the kubectl command-line tool to gather essential information for cluster selection and API server communication. By default, kubectl searches for a file named “config” in the $HOME/.kube directory. However, it’s worth noting that you can specify alternative kubeconfig files either through the KUBECONFIG environment variable or by using the –kubeconfig flag.

Here are the three key elements of a kubeconfig file that you need to be aware of:

  1. Cluster Information: The kubeconfig file contains details about the Kubernetes cluster, such as the cluster’s name, server address, and certificate authority data. This information is vital for establishing a connection with the cluster.
  2. User Configuration: User-specific configurations are defined in the kubeconfig file, including user credentials, authentication methods, and associated tokens or certificates. These configurations determine who can access the cluster.
  3. Context Configuration: Contexts define the combination of a cluster and a user. They specify which cluster a user can access and the credentials they should use. Contexts are essential for managing user access to different clusters seamlessly.

Before we dive into the Kubernetes access control system, it’s essential to grasp the significance of the kubeconfig file. While many are familiar with its role in connecting to Kubernetes clusters, there’s more to this film than meets the eye. It plays a pivotal role in granting access to users.

Say you have user name dev-user which has access to the development cluster the context creates a connection between the dev-user and the cluster like [email protected] earlier

Here will draft the steps to create a user in a self-managed cluster

  1. Create a Private Key for the User
    • In this step, you will generate a private key for the new user that you want to create.
  2. Generate a Certificate Signing Request (CSR) for the User
    • This step involves creating a Certificate Signing Request (CSR) for the user using their private key.
  3. Review and Approve the User’s CSR
    • In this final step, you will review and approve the Certificate Signing Request (CSR) submitted by the user.
  4. Retrive the certificate of the user
    • You need to the decode the certificate of the user from the CSR
  5. Create a Kubeconfig File for the User
    • After obtaining the user certificate, you will create a kubeconfig file for the user to access the cluster.
  6. Grant Role and Role bindings Permissions to the User
    • With the kubeconfig file in place, you will configure Role-Based Access Control (RBAC) to grant the user the necessary permissions to interact with the cluster.

If you are creating a user for a cloud-managed cluster your cloud provider will have the CA no need to create the self-signed CA for your cluster.

Here I am using Minikube cluster Minikube has its own self signed CA created on the provision of the cluster initially.

Create a Private Key for the User

mkdir ~/certs

This command creates a new directory named “certs” in your home directory (). The tilde () represents your home directory, so this command creates a “certs” directory directly inside your home directory.

openssl genrsa -out ~/certs/minikube-user.key 4096

This command generates a new RSA private key using OpenSSL with a key length of 4096 bits.

You will a similar output as shown below if you complete the above step.

Generate a Certificate Signing Request (CSR) for the User

vi ~/certs/minikube-user.csr.cnf

[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[ dn ]
CN = minikube-user
O = developers
[ v3_ext ]

create a text file that contains configuration settings for generating the CSR. It specifies various details, including the Common Name (CN) and other attributes that will be included in the certificate.

openssl req -config ~/certs/minikube-user.csr.cnf -new -key ~/certs/minikube-user.key -nodes -out ~/certs/minikube-user.csr

This command generates the CSR using the OpenSSL req command.

-config ~/certs/minikube-user.csr.cnf: Specifies the configuration file to use for generating the CSR.
-new: Indicates that a new CSR is being created.
-key ~/certs/minikube-user.key: Specifies the private key file to associate with the CSR.
-nodes: This option generates the CSR without encrypting the private key with a passphrase, resulting in an unencrypted key.
-out ~/certs/minikube-user.csr: Specifies the output file for the generated CSR, which will be saved in the “~/certs” directory with the filename “minikube-user.csr.”

Create a Kubernetes object.

cat <<EOF | kubectl apply -f -                                                                                             
kind: CertificateSigningRequest
  name: minikube-authentication
  - system:authenticated
  request: $(cat ~/certs/minikube-user.csr | base64 | tr -d '\n')
  - digital signature
  - key encipherment
  - client auth

This YAML creates a CertificateSigningRequest (CSR) named “minikube-user-authentication” for an authenticated user. The CSR includes a base64-encoded user certificate signing request and specifies its intended usage.

If you have completed the above step you will get a similar response like this as shown above

You can check the details of the CSR using the command.

kubectl get csr

Review and Approve the User’s CSR

Review and approve the CSR of the user using the below command.

kubectl certificate approve minikube-authentication approved

If approved you will get a similar response as above after that check the status of the CSR again it will be in an approved, issued state.

Retrieve the certificate of the user

kubectl get csr minikube-authentication -o jsonpath='{.status.certificate}’ | base64 –decode > ~/certs/minikube-user.crt

The certificate will be in a base64 encoded format order to decode it use the above command this will save the certificate of the user in minikube-user.crt file

After the certificate is created copy the certificate and key to your local system inorder to connect

Create a Kubeconfig File for the User

By default, the the ca.crt of minikube is stored in /root/.minikube/ca.crt so you can just either copy the exact file to your system or decode the ca.crt with base64 and add it directly in the template

I have copied ca. crt ,minikube-user. crt and minikube-user.key to my local system.
And created the kubeconfig file for the user minikube-user.

apiVersion: v1
- cluster:
    certificate-authority: /myfolder/ca.crt
    - extension:
        last-update: Sun, 01 Oct 2023 12:23:21 UTC
        version: v1.31.2
      name: cluster_info
    server: https://<ipaddress>:8443
  name: minikube
- context:
    cluster: minikube
    user: minikube-user
  name: minikube-user
current-context: minikube-user
kind: Config
preferences: {}
- name: minikube
   client-certificate: /myfolder/minikube-user.crt
   client-key: /myfolder/minikube-user.key


Replace the IP address with minikube apiserver IP address

If you need to access the minikube cluster from a different network you need to expose the minikube API server

Once you have created this yaml file you can run the below command to check the working.

kubectl –kubeconfig=kubecnf.yaml cluster-info

You will get a forbidden error as shown in the above screenshot which means the user has no access to the cluster

Create a Role and Rolebinding to the User

Next, we need to create a role and a role binding for that user to access the cluster.

To create a Role and RoleBinding in Kubernetes using YAML templates for a user named minikube-user to perform all actions in the default namespace, you can follow these steps:

Create a Role YAML file (e.g., minikube-user-role.yaml) with the following content

kind: Role
  namespace: default
  name: minikube-user-role
- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "secrets", "deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]

This Role allows the user to perform all actions (get, list, watch, create, update, delete) on resources like Pods, Services, ConfigMaps, Secrets, Deployments, and ReplicaSets within the default namespace.

This RoleBinding associates the minikube-user with the minikube-user-role within the default namespace.

kind: RoleBinding
  name: minikube-edit-role
  namespace: default
- kind: User
  name: minikube-user
  kind: Role
  name: minikube-user-role

After creating the role and rolebinding now if you run the same command again from your local system you will get the response as yes.

kubectl –kubeconfig=kubecnf.yaml auth can-i get pods

Now you can use this config file to access the cluster from outside.

That’s it you have created a new user called Minikube-user and granted permissions.

Leave a Reply

Your email address will not be published. Required fields are marked *