Introduction
Kubernetes has no user objects of its own: a user is whatever identity the API server extracts from the client's credentials. With client certificates, the certificate's Common Name (CN) becomes the username and any Organization (O) fields become group names, so issuing a certificate signed by the cluster is how you create a user. This guide walks through generating and approving a user certificate and then binding that user to the minimum permissions it needs.
Create a Private Key
Generate a private key and a certificate signing request (CSR) whose subject CN is the username the cluster should see. Put only the CN in the subject unless you deliberately want O fields, because each O becomes a group the user is a member of. The private key stays with the user and is never sent to the cluster; only anish.csr is submitted. The two commands below produce anish.key and anish.csr:
openssl genrsa -out anish.key 2048
openssl req -new -key anish.key -out anish.csr -subj "/CN=anish"
Create a CertificateSigningRequest
Wrap the CSR in a Kubernetes CertificateSigningRequest object and submit it to the cluster with kubectl. Below is the manifest; save it to a file of your choosing.
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: anish
spec:
  request: <base64-encoded-value>
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400
  usages:
  - client auth
request is the base64 encoding of the whole CSR file (the PEM text including its BEGIN and END lines) on a single line with no wrapping. Produce it with:
cat anish.csr | base64 | tr -d "\n"
Paste the output into the request field. signerName selects the built-in signer whose certificates the API server accepts for client authentication; requests for this signer are never auto-approved, so someone with approval rights must act on them. expirationSeconds is a request, not a guarantee: the signer may issue a shorter lifetime, and the value must be at least 600 seconds. Keep it short. Kubernetes has no certificate revocation mechanism, so a leaked client certificate stays valid until it expires; a one-day lifetime like the 86400 above bounds that window.
Approve the CertificateSigningRequest
Submit the manifest with kubectl, then list the requests; the new one shows up with a condition of Pending.
Get the list of CSRs:
kubectl get csr
Approval is the security-relevant step. Whoever approves is vouching that the CN and O in the request really belong to this person, because the resulting certificate is accepted by the API server as that user and those groups. Decode the request and look at its subject before approving, and never approve a request that names a system: user or the system:masters group unless you know exactly why it exists. Then approve:
kubectl certificate approve anish
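The following shell functions are an added example (not part of the original guide) that wrap the submit-and-approve step with the check an approver should make: decode the pending request's subject and refuse it if it claims a reserved system: username or the system:masters group, since approving such a request hands out cluster-admin-equivalent access. They assume kubectl and openssl on PATH, a Linux base64 (-d), and a manifest file name of csr.yaml, which is an assumption of this script. Extend the deny patterns with any usernames your own ClusterRoleBindings grant cluster-admin to.

```shell
#!/bin/sh
# Added example, not from the original guide: submit a CSR manifest and approve it
# only after inspecting the subject it asks for. Assumes kubectl and openssl on
# PATH; the manifest file name csr.yaml is an assumption of this script.

# Print the subject of a pending request the way openssl renders it,
# e.g. "subject=CN = anish" (OpenSSL 1.1+) or "subject=/CN=anish" (older releases).
csr_subject() {
  kubectl get csr "$1" -o jsonpath='{.spec.request}' \
    | base64 -d | openssl req -noout -subject
}

# Approval policy on a subject line: refuse any CN in the reserved "system:"
# namespace and any O (group) of exactly system:masters, which RBAC treats as
# cluster-admin. Spaces are stripped so both openssl formats are handled.
# Returns 0 if the subject may be approved, 1 otherwise.
subject_allowed() {
  flat=$(printf '%s' "$1" | tr -d ' ')
  case "$flat" in
    *"CN=system:"*) return 1 ;;
    *"O=system:masters"|*"O=system:masters,"*|*"O=system:masters/"*) return 1 ;;
  esac
  return 0
}

# Submit the manifest, show what it asks for, and approve or deny accordingly.
approve_csr() {
  name=$1
  kubectl apply -f csr.yaml
  subj=$(csr_subject "$name")
  echo "request $name asks for: $subj"
  if subject_allowed "$subj"; then
    kubectl certificate approve "$name"
  else
    echo "refusing $name: privileged subject" >&2
    kubectl certificate deny "$name"
    return 1
  fi
}

# After approval, export the issued certificate and confirm who it identifies
# and when it expires before handing it to the user.
fetch_cert() {
  kubectl get csr "$1" -o jsonpath='{.status.certificate}' | base64 -d > "$1.crt"
  openssl x509 -in "$1.crt" -noout -subject -enddate
}

# Usage: approve_csr anish && fetch_cert anish
```

The policy in subject_allowed is deliberately a deny-list on the two names that are always dangerous; the API server's default CertificateSubjectRestriction admission plugin already rejects system:masters for this signer, but a CN that happens to match an existing privileged binding in your cluster is not caught by anything unless you check for it here.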
Get the Certificate
Once approved, the signer (the kube-controller-manager) issues the certificate and stores it in the CSR object:
kubectl get csr/anish -o yaml
The certificate is base64-encoded under status.certificate. If that field is still empty, the signer has not issued yet; wait until the object shows the Issued condition. Export the certificate to a file:
kubectl get csr anish -o jsonpath='{.status.certificate}'| base64 -d > anish.crt
Create Role and RoleBinding
The certificate only authenticates the user; by itself it authorizes nothing, because Kubernetes RBAC denies everything that no rule grants. Define a Role that lists the permissions and a RoleBinding that attaches it to the user.
Role
Create a Role for this new user. A Role is namespaced: this one can only ever grant access to objects in default, which is the right scope for an ordinary developer.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: developer
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create", "get", "list", "update", "delete"]
RoleBinding
Create a RoleBinding for this new user. The subject name must match the certificate's CN exactly (anish); RBAC compares the string, it does not know about the certificate.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-binding-anish
  namespace: default
subjects:
- kind: User
  name: anish
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
Add to kubeconfig
The last step is to add the user to a kubeconfig. In practice the user does this on their own machine with their own key; the administrator only needs to hand over anish.crt and never needs the private key.
First, add the credentials (embedding the key and certificate so the kubeconfig file is self-contained):
kubectl config set-credentials anish --client-key=anish.key --client-certificate=anish.crt --embed-certs=true
Then add a context that pairs the user with the cluster. The cluster name must be one already present in the kubeconfig; kubernetes is the name kubeadm-built clusters use:
kubectl config set-context anish --cluster=kubernetes --user=anish
To test it, switch to the anish context:
kubectl config use-context anish
Now try what this user can do. With the Role above, the only permitted operations are create, get, list, update and delete on pods in the default namespace. Anything else is refused, for example:
kubectl get deploy
Error from server (Forbidden): deployments.apps is forbidden: User "anish" cannot list resource "deployments" in API group "apps" in the namespace "default"
The response is Forbidden rather than Unauthorized: the certificate was accepted and the API server identified the caller as anish, but no rule grants that verb on that resource. The message names the identity, verb, resource and namespace that were denied, which is a quick way to confirm both that authentication works and that authorization is as narrow as intended. A short-lived certificate bound to a namespaced Role like this is the usual pattern for onboarding a human user to a production cluster.
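The following shell functions are an added example (not part of the original guide) that verify the Role from the administrator's own context by impersonating the user with kubectl auth can-i, so you can check both what is allowed and what is denied without switching contexts or holding the user's key. They assume kubectl on PATH and an admin kubeconfig whose identity is permitted to impersonate users; the KUBECTL variable and the verb:resource=answer spec format are assumptions of this script, made so the comparison logic can also be exercised against a stand-in.

```shell
#!/bin/sh
# Added example, not from the original guide: confirm that a user's effective
# permissions match the intended Role, using impersonation from an admin context.
# Assumes kubectl on PATH and an identity allowed to impersonate users.
# KUBECTL is overridable so the logic can be exercised without a cluster.
KUBECTL=${KUBECTL:-kubectl}

# Ask the API server whether USER may do VERB on RESOURCE in NAMESPACE.
# kubectl prints "yes" or "no" (exit status 1 for "no"); we only want the text.
can_i() {
  "$KUBECTL" auth can-i "$2" "$3" --as "$1" -n "$4" 2>/dev/null || true
}

# check_rbac USER NAMESPACE verb:resource=yes|no ...
# Compares each answer with the expectation, prints one line per check and
# returns 0 only if every check matched. Denials are checked as strictly as
# grants, because an over-broad Role is the failure mode worth catching.
check_rbac() {
  user=$1; ns=$2; shift 2
  rc=0
  for spec in "$@"; do
    verb=${spec%%:*}
    rest=${spec#*:}
    resource=${rest%%=*}
    want=${rest#*=}
    got=$(can_i "$user" "$verb" "$resource" "$ns")
    if [ "$got" = "$want" ]; then
      echo "ok   $user $verb $resource in $ns -> $got"
    else
      echo "FAIL $user $verb $resource in $ns -> '$got' (expected $want)"
      rc=1
    fi
  done
  return $rc
}

# Usage, matching the developer Role above (pods only, in default):
# check_rbac anish default get:pods=yes list:pods=yes create:pods=yes \
#   update:pods=yes delete:pods=yes list:deployments.apps=no get:secrets=no
```

An empty answer (printed as '') means kubectl itself failed, typically because the caller is not allowed to impersonate; that is reported as a failure rather than silently treated as a denial.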
Conclusion
Issuing a certificate for a user in Kubernetes involves generating a private key, creating and approving a CertificateSigningRequest, and configuring roles and bindings to manage access. By following these steps, you ensure that users can securely authenticate and interact with the Kubernetes API. Properly managing user certificates is crucial for maintaining a secure and well-administered Kubernetes environment.