Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to create a user in a Kubernetes cluster?

Tags:

kubernetes

I'm trying to create a user in a Kubernetes cluster.

I spinned up 2 droplets on DigitalOcean using a Terraform script of mine.

Then I logged in the master node droplet using ssh:

doctl compute ssh droplet1

Following this, I created a new cluster and a namespace in it:

kubectl create namespace thalasoft

I created a user role in the role-deployment-manager.yml file:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: thalasoft
  name: deployment-manager
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

and executed the command:

kubectl create -f role-deployment-manager.yml

I created a role grant in the rolebinding-deployment-manager.yml file:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: deployment-manager-binding
  namespace: thalasoft
subjects:
- kind: User
  name: stephane
  apiGroup: ""
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: ""

and executed the command: kubectl create -f rolebinding-deployment-manager.yml

Here is my terminal output:

Last login: Wed Dec 19 10:48:48 2018 from 90.191.151.182
root@droplet1:~# kubectl create namespace thalasoft
namespace/thalasoft created
root@droplet1:~# vi role-deployment-manager.yml
root@droplet1:~# kubectl create -f role-deployment-manager.yml
role.rbac.authorization.k8s.io/deployment-manager created
root@droplet1:~# vi rolebinding-deployment-manager.yml
root@droplet1:~# kubectl create -f rolebinding-deployment-manager.yml
rolebinding.rbac.authorization.k8s.io/deployment-manager-binding created
root@droplet1:~# 

Now I'd like to first create a user in the cluster, and then configure the client kubectl with this user so as to operate from my laptop and avoid logging via ssh̀ to the droplet.

I know I can configure a user in the kubectl client:

# Create a context, that is, a user against a namespace of a cluster, in the client configuration
kubectl config set-context digital-ocean-context --cluster=digital-ocean-cluster --namespace=digital-ocean-namespace --user=stephane

# Configure the client with a user credentials
cd;
kubectl config set-credentials stephane --client-certificate=.ssh/id_rsa.pub --client-key=.ssh/id_rsa

But this is only some client side configuration as I understand.

UPDATE: I could add a user credentials with a certificate signed by the Kubernetes CA, running the following commands on the droplet hosting the Kubernetes master node:

# Create a private key
openssl genrsa -out .ssh/thalasoft.key 4096
# Create a certificate signing request
openssl req -new -key .ssh/thalasoft.key -out .ssh/thalasoft.csr -subj "/CN=stephane/O=thalasoft"
# Sign the certificate
export CA_LOCATION=/etc/kubernetes/pki/
openssl x509 -req -in .ssh/thalasoft.csr -CA $CA_LOCATION/ca.crt -CAkey $CA_LOCATION/ca.key -CAcreateserial -out .ssh/thalasoft.crt -days 1024

# Configure a cluster in the client
kubectl config set-cluster digital-ocean-cluster --server=https://${MASTER_IP}:6443 --insecure-skip-tls-verify=true

# Configure a user in the client
# Copy the key and the certificate to the client
scp -o "StrictHostKeyChecking no" [email protected]:.ssh/thalasoft.* .
# Configure the client with a user credentials
kubectl config set-credentials stephane --client-certificate=.ssh/thalasoft.crt  --client-key=.ssh/thalasoft.key
# Create a context, that is, a user against a namespace of a cluster, in the client configuration
kubectl config set-context digital-ocean-context --cluster=digital-ocean-cluster --namespace=digital-ocean-namespace --user=stephane
like image 220
Stephane Avatar asked Dec 19 '18 11:12

Stephane


People also ask

Can we create users in Kubernetes?

After deploying numerous clusters using Kops and Kubeadm/ Kubespray, we have found the easiest way to create users for Kubernetes clusters without installing and managing 3rd party software. As you can see, the Organization (Group) is set to system:masters and the Common Name (User) is set to kubecfg.

How do I create a user and group in Kubernetes?

Creating Kubernetes Users and Groups You need access to the folllwing files on kubernetes master. Once signed, . csr files with added signatures become the certificates that could be used to authenticate. copy over the CA certs and keys to your management node and use it to sign.

What is user in Kubernetes?

Users in Kubernetes All Kubernetes clusters have two categories of users: service accounts managed by Kubernetes, and normal users. It is assumed that a cluster-independent service manages normal users in the following ways: an administrator distributing private keys. a user store like Keystone or Google Accounts.

How do I manage users in Kubernetes?

Kubernetes doesn't manage users. Normal users are assumed to be managed by an outside, independent service like LDAP or Active Directory. In a standard installation of Kubernetes (i.e., using kubeadm), authentication is done via standard transport level security (TLS) certificates.


1 Answers

But this is only some client side configuration as I understand.

What command I should use to create the user ?

Kubernetes doesn't provide user management. This is handled through x509 certificates that can be signed by your cluster CA.

First, you'll need to create a Key:

openssl genrsa -out my-user.key 4096

Second, you'll need to create a signing request:

openssl req -new -key my-user.key -out my-user.csr -subj "/CN=my-user/O=my-organisation"

Third, sign the certificate request:

openssl x509 -req -in my-user.csr -CA CA_LOCATION/ca.crt -CAkey CA_LOCATION/ca.key -CAcreateserial -out my-user.crt -days 500

ca.crt and ca.key is the same cert/key provided by kubeadm or within your master configuration.

You can then give this signed certificate to your user, along with their key, and then can configure access with:

kubectl config set-credentials my-user --client-certificate=my-user.crt  --client-key=my-user.key
kubectl config set-context my-k8s-cluster --cluster=cluster-name --namespace=whatever --user=my-user

Bitnami provide a great resource that explains all of this:

https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/#use-case-1-create-user-with-limited-namespace-access

like image 117
Rawkode Avatar answered Nov 15 '22 07:11

Rawkode