Create Users in Kubernetes
Fleeting
- External reference: https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
- External reference: https://kubernetes.io/docs/reference/access-authn-authz/authentication/
- External reference: https://devopstales.github.io/kubernetes/k8s-user-accounts/
How to create Users in Kubernetes the right way?
Kubernetes does not have objects which represent normal user accounts. Normal users cannot be added to a cluster through an API call
— https://devopstales.github.io/kubernetes/k8s-user-accounts/
Any user that presents a valid certificate signed by the cluster’s certificate authority (CA) is considered authenticated. So you need to create a certificate for you username.
— https://devopstales.github.io/kubernetes/k8s-user-accounts/
Generate new certificate
— https://devopstales.github.io/kubernetes/k8s-user-accounts/
Kubernetes does not have objects which represent normal user accounts. Normal users cannot be added to a cluster through an API call.
— https://kubernetes.io/docs/reference/access-authn-authz/authentication/
any user that presents a valid certificate signed by the cluster’s certificate authority (CA) is considered authenticated
— https://kubernetes.io/docs/reference/access-authn-authz/authentication/
Kubernetes determines the username from the common name field in the ‘subject’ of the cert (e.g., “/CN=bob”)
— https://kubernetes.io/docs/reference/access-authn-authz/authentication/
RBAC) sub-system would determine whether the user is authorized to perform a specific operation
— https://kubernetes.io/docs/reference/access-authn-authz/authentication/
Kubernetes 1.4, client certificates can also indicate a user’s group memberships using the certificate’s organization fields. To include multiple group memberships for a user, include multiple organization fields in the certificate.
— https://kubernetes.io/docs/reference/access-authn-authz/authentication/
get a normal user to be able to authenticate and invoke an API.
— https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
First, this user must have a certificate issued by the Kubernetes cluster, and then present that certificate to the Kubernetes API.
— https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
important to set CN and O attribute of the CSR. CN is the name of the user and O is the group that this user will belong to. You can refer to RBAC for standard groups.
— https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
request is the base64 encoded value of the CSR file content. You can get the content using this command: cat myuser.csr | base64 | tr -d "\n"
— https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
Retrieve the certificate from the CSR:
— https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
With the certificate created it is time to define the Role and RoleBinding for this user to access Kubernetes cluster resource
— https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
last step is to add this user into the kubeconfig file.
— https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
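The whole procedure the quotes above walk through (key and CSR with CN/O, base64 request, approve, retrieve, Role/RoleBinding, kubeconfig), as an added shell example that is not taken from any of the referenced pages. It assumes openssl and kubectl on PATH and a kubeconfig context allowed to approve CSRs; the read-only pod Role and the user/namespace/group names are illustrative choices.

```shell
# Added example (not from the referenced pages): create a normal Kubernetes user
# by issuing a client certificate through the CSR API. Assumes openssl and
# kubectl on PATH and a kubeconfig context that may approve CSRs.
set -eu
# CSR subject: CN carries the username, each O entry one group membership.
csr_subject() {       # usage: csr_subject <user> [group...]
  local user=$1 subj; shift
  subj="/CN=$user"
  for g in "$@"; do subj="$subj/O=$g"; done
  printf '%s' "$subj"
}
# CertificateSigningRequest manifest; spec.request is the base64 CSR with
# line breaks removed (the quoted "cat myuser.csr | base64 | tr -d '\n'").
csr_manifest() {      # usage: csr_manifest <user> <csr-file> [expiration-seconds]
  local user=$1 csr_file=$2 exp=${3:-86400} req
  req=$(base64 < "$csr_file" | tr -d '\n')
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $user
spec:
  request: $req
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: $exp
  usages:
  - client auth
EOF
}
# Generate key and CSR, submit and approve it, fetch the signed cert, bind a
# read-only Role in the namespace, and add credentials + context to kubeconfig.
create_k8s_user() {   # usage: create_k8s_user <user> <namespace> [group...]
  local user=$1 ns=$2 cluster; shift 2
  openssl genrsa -out "$user.key" 2048
  openssl req -new -key "$user.key" -out "$user.csr" -subj "$(csr_subject "$user" "$@")"
  csr_manifest "$user" "$user.csr" | kubectl apply -f -
  kubectl certificate approve "$user"
  kubectl get csr "$user" -o jsonpath='{.status.certificate}' | base64 -d > "$user.crt"
  kubectl create role "$user-pod-reader" --verb=get,list,watch --resource=pods -n "$ns"
  kubectl create rolebinding "$user-pod-reader" --role="$user-pod-reader" --user="$user" -n "$ns"
  cluster=$(kubectl config view --minify -o jsonpath='{.clusters[0].name}')
  kubectl config set-credentials "$user" --client-key="$user.key" --client-certificate="$user.crt" --embed-certs=true
  kubectl config set-context "$user@$cluster" --cluster="$cluster" --namespace="$ns" --user="$user"
}
# Example invocation: create_k8s_user bob dev developers
```

Afterwards `kubectl --context bob@<cluster> get pods` should succeed while anything outside the Role (for example `kubectl ... delete pods`) is refused by RBAC, which is the check that the CN/O in the certificate landed where you expected.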