
Configuring User Access to Your Kubernetes Cluster: A Step-by-Step Guide

In this guide, I'll walk you through the essential steps for configuring user access to your Kubernetes cluster. Whether you're managing a single-node cluster or a multi-cluster environment, ensuring secure and fine-grained access for your team members is crucial. We'll cover everything from creating user accounts and generating client certificates to setting up RBAC (Role-Based Access Control) policies and implementing authentication mechanisms. By the end of this tutorial, you'll be able to grant and manage user access, enhancing the security and productivity of your Kubernetes deployments.

#csr #k8s #openssl #user #kubernetes #rbac


Set the variables used by the rest of the steps (positional arguments override the defaults):

```bash
username="${1:-my-user}"
group="${2:-edit}"
# Certificate lifetime in seconds (default: one day). Kubernetes cannot revoke an
# issued client certificate, so a short lifetime is the only expiry control you have.
expirationSeconds="${3:-86400}"
mkdir -p "${username}"
cd "${username}"
```

Generate a key

```bash
openssl genrsa -out "${username}.key" 2048
```

On Git for Windows (MSYS), disable automatic path conversion so the `/CN=...` subject below is not rewritten as a Windows path:

```bash
export MSYS_NO_PATHCONV=1
```

Create the CSR

```bash
# The API server maps CN to the Kubernetes username and O to a group the user belongs to.
openssl req -new -key "${username}.key" -out "${username}.csr" -subj "/CN=${username}/O=${group}"
```

Verify the CSR

```bash
openssl req -in "${username}.csr" -noout -text
```

Create the CertificateSigningRequest

```bash
cat <<EOF >"${username}.yaml"
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${username}
spec:
  request: $(base64 < "${username}.csr" | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: ${expirationSeconds}
  usages:
  - client auth
EOF
```
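As an added example (not from the original post), here is the same manifest step wrapped in a function that validates its inputs before rendering anything, so a bad value fails locally instead of at `kubectl apply` or at the user's first login. The 600-second lower bound is the API server's own minimum for `spec.expirationSeconds`; the seven-day upper bound and the function names are my own choices.

```bash
# Added example: validate inputs, then render the CertificateSigningRequest manifest.
set -eu

# Kubernetes rejects spec.expirationSeconds below 600 (10 minutes).
# The upper bound is a local policy choice (7 days), not an API limit.
MIN_EXPIRY=600
MAX_EXPIRY=$((7 * 24 * 3600))

# metadata.name must be a DNS subdomain: lowercase alphanumerics, '-' and '.',
# at most 253 characters, starting and ending with an alphanumeric.
valid_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9.]{0,251}[a-z0-9])?$'
}

# Accepts only a plain integer inside [MIN_EXPIRY, MAX_EXPIRY].
valid_expiry() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge "$MIN_EXPIRY" ] && [ "$1" -le "$MAX_EXPIRY" ]
}

# Usage: render_csr_manifest <username> <pem-csr-file> <expirationSeconds>
# Writes the manifest to stdout, or returns non-zero with a reason on stderr.
render_csr_manifest() {
  local username="$1" csr_file="$2" expiry="$3"
  valid_name "$username"   || { echo "invalid username: $username" >&2; return 1; }
  valid_expiry "$expiry"   || { echo "expirationSeconds out of range: $expiry" >&2; return 1; }
  grep -q 'BEGIN CERTIFICATE REQUEST' "$csr_file" \
                           || { echo "not a PEM CSR: $csr_file" >&2; return 1; }
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${username}
spec:
  request: $(base64 < "$csr_file" | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: ${expiry}
  usages:
  - client auth
EOF
}
```

Call it as `render_csr_manifest "${username}" "${username}.csr" "${expirationSeconds}" > "${username}.yaml"` in place of the heredoc above.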

Check that all files (key, CSR and manifest) are present

Approve the CSR

Connect to your cluster

```bash
# Path reported in the messages below; kubectl uses $KUBECONFIG or ~/.kube/config.
kubeconfig_path="${KUBECONFIG:-$HOME/.kube/config}"

if kubectl config current-context &>/dev/null; then
    current_context=$(kubectl config current-context)
    echo "Connected to Kubernetes cluster using kubeconfig: $kubeconfig_path"
    echo "Current context: $current_context"
else
    echo "Not connected to a Kubernetes cluster using kubeconfig: $kubeconfig_path"
    exit 1
fi

if [ ! -e "${username}.yaml" ]; then
    echo "CertificateSigningRequest file ${username}.yaml does not exist."
    exit 1
fi
```

Apply and approve the CSR

```bash
kubectl apply -f "${username}.yaml"
kubectl certificate approve "${username}"
# The signed certificate is returned base64-encoded in the CSR status.
kubectl get csr "${username}" -o jsonpath='{.status.certificate}' | base64 -d > "${username}.crt"
```

Set up the user kubeconfig

```bash
# Remember the admin context so we can switch back after exporting the user's kubeconfig.
currentContext=$(kubectl config current-context)
currentCluster=$(kubectl config view --minify -o jsonpath='{.clusters[0].name}')

kubectl config set-credentials "${username}" --client-key="${username}.key" --client-certificate="${username}.crt" --embed-certs=true
kubectl config set-context     "${username}" --user="${username}" --cluster="${currentCluster}"
kubectl config use-context     "${username}"
# Export only the user's context, with certificates inlined, as a standalone kubeconfig.
kubectl config view --raw --minify --flatten > "${username}-kubeconfig"

kubectl config use-context     "${currentContext}"
```

Set up RBAC for the user

```bash
# admin, edit and view are the built-in user-facing ClusterRoles.
read -p "Choose cluster role [admin, edit, view] " role

echo "This will add ${username} as a ${role} for all namespaces."
read -p "Proceed? [y/N] " confirm

if [[ "${confirm}" != "y" ]]; then
  echo "Aborting"
  exit 0
fi

kubectl create clusterrolebinding "${username}-${role}" --user="${username}" --clusterrole="${role}"
# Confirm the effective permissions by impersonating the new user.
echo list pod -- "$(kubectl auth can-i list pod --as "${username}")"
echo create pod -- "$(kubectl auth can-i create pod --as "${username}")"
echo delete pod -- "$(kubectl auth can-i delete pod --as "${username}")"
```

Share the kubeconfig file with the user

```bash
ls -lrt
```
