K
Q

Create user in Kubernetes for kubectl

7/6/2017

I need to create users to assign them permissions with RBAC, I create them as follows:

echo -n "lucia" | base64
bHVjaWE=
echo -n "pass" | base64
cGFzcw==

apiVersion: v1
kind: Secret
metadata:
  name: lucia-secret
type: Opaque
data:
  username: bHVjaWE=
  password: cGFzcw==

Or create with:

kubectl create secret generic lucia-secret --from-literal=username='lucia',password='pass'

I don't know how to continue

USER_NICK=lucia

kubectl config set-credentials $USER_NICK \
    --username=lucia \
    --password=pass

kubectl get secret lucia-secret -o json | jq -r '.data["ca.crt"]' | base64 -d > ca.crt

endpoint=`kubectl config view -o jsonpath="{.clusters[?(@.name == \"$name\")].cluster.server}"`

kubectl config set-cluster cluster-for-lucia \
  --embed-certs=true \
  --server=$endpoint \
  --certificate-authority=./ca.crt

kubectl config set-context context-lucia \
  --cluster=cluster-for-lucia \
  --user=$USER_NICK \
  --namespace=default

ca.crt is null

Thank you for your help!

-- jbelenus
kubectl
kubernetes

Similar Questions

RBAC - Limit access for one service account
How to add new packages in Kubernetes
How do I configure Kubernetes node labels when creating a cluster with kops?
Sometimes, Can't connect to pods on one of the nodes from master in kubernetes

2 Answers

4/5/2019

As kubernetes docs and Articles uses certificate to create or authenticate users for kubectl client. However there is one easy way to do it by using ServiceAccount. One can use ServiceAccount as a group to provide RBAC control authentication and it is very easy and descriptive. Here are the steps. All the steps i am executing is in default namespace. I am going to create a pod readonly user which can get,list,watch any pod in all namespaces.

  • Create a ServiceAccount, say 'readonlyuser'.

    kubectl create serviceaccount readonlyuser

  • Create cluster role, say 'readonlyuser'.

    kubectl create clusterrole readonlyuser --verb=get --verb=list --verb=watch --resource=pods

  • Create cluster role binding, say 'readonlyuser'.

    kubectl create clusterrolebinding readonlyuser --serviceaccount=default:readonlyuser --clusterrole=readonlyuser

  • Now get the token from secret of ServiceAccount we have created before. we will use this token to authenticate user.

    TOKEN=$(kubectl describe secrets "$(kubectl describe serviceaccount readonlyuser | grep -i Tokens | awk '{print $2}')" | grep token: | awk '{print $2}')

  • Now set the credentials for the user in kube config file. I am using 'vikash' as username.

    kubectl config set-credentials vikash --token=$TOKEN

  • Now Create a Context say podreader. I am using my clustername 'kubernetes' here.

    kubectl config set-context podreader --cluster=kubernetes --user=vikash

  • Finally use the context .

    kubectl config use-context podreader

And that's it. Now one can execute kubectl get pods --all-namespaces. One can also check the access by executing as given:

~ : $ kubectl auth can-i get pods --all-namespaces
yes
~ : $ kubectl auth can-i create pods
no
~ : $ kubectl auth can-i delete pods
no
-- Vikash Singh
Source: StackOverflow
7/6/2017

In this guide you can find how to configure a user for your cluster: https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/#use-case-1-create-user-with-limited-namespace-access

Long story short:

  • Create certificates for the user
  • Create a certificate sign request
  • Sign the certificate with the cluster certificate authority
  • Create a configuration for your user
  • Add RBAC rules for this user or its group

Regarding the ca.crt, you need to find it in your master host.

Edited: In the case of GKE, check here https://cloud.google.com/container-engine/docs/iam-integration

-- Javier Salmeron
Source: StackOverflow