Create Users in Kubernetes
- External reference: https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
- External reference: https://kubernetes.io/docs/reference/access-authn-authz/authentication/
- External reference: https://devopstales.github.io/kubernetes/k8s-user-accounts/
How to create Users in Kubernetes the right way?
Kubernetes does not have objects which represent normal user accounts. Normal users cannot be added to a cluster through an API call.
Any user that presents a valid certificate signed by the cluster’s certificate authority (CA) is considered authenticated. So you need to create a certificate for your username.
Generate a new certificate
Kubernetes determines the username from the common name field in the ‘subject’ of the cert (e.g., “/CN=bob”).
The RBAC sub-system then determines whether the user is authorized to perform a specific operation.
As of Kubernetes 1.4, client certificates can also indicate a user’s group memberships using the certificate’s organization fields. To include multiple group memberships for a user, include multiple organization fields in the certificate.
A few steps are required for a normal user to be able to authenticate and invoke an API.
First, this user must have a certificate issued by the Kubernetes cluster, and then present that certificate to the Kubernetes API.
It is important to set the CN and O attributes of the CSR. CN is the name of the user and O is the group that this user will belong to. You can refer to RBAC for standard groups.
The request field is the base64-encoded value of the CSR file content. You can get the content using this command: cat myuser.csr | base64 | tr -d "\n"
Retrieve the certificate from the CSR:
With the certificate created, it is time to define the Role and RoleBinding for this user to access Kubernetes cluster resources.
The last step is to add this user to the kubeconfig file.
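The steps above, put together as an added shell example (not taken from these notes or the linked pages). The user and group names, the pod-reader Role, the one-day expirationSeconds and the cluster name "kubernetes" are assumptions; the group check is an extra safeguard so a CSR cannot ask for a built-in system: group such as system:masters.

```shell
#!/bin/sh
# Added example. User/group names, the "pod-reader" Role and the cluster
# name "kubernetes" are assumptions; adjust them to your cluster.

# Refuse built-in "system:" groups: O=system:masters would grant cluster-admin.
check_group() {
  case "$1" in
    ''|system:*) echo "refusing group '$1'" >&2; return 1 ;;
  esac
}

# Step 1: private key + CSR. CN becomes the username, O the group.
make_csr() {  # usage: make_csr USER GROUP
  check_group "$2" || return 1
  openssl genrsa -out "$1.key" 2048 &&
  openssl req -new -key "$1.key" -out "$1.csr" -subj "/CN=$1/O=$2"
}

# Step 2: wrap the CSR file in a CertificateSigningRequest manifest.
csr_manifest() {  # usage: csr_manifest USER CSR_FILE
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  request: $(base64 < "$2" | tr -d "\n")
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400  # one day (assumed value)
  usages:
  - client auth
EOF
}

# Steps 3-6: submit, approve, retrieve the cert, bind a Role, update kubeconfig.
create_user() {  # usage: create_user USER GROUP
  make_csr "$1" "$2" || return 1
  csr_manifest "$1" "$1.csr" | kubectl apply -f - &&
  kubectl certificate approve "$1" &&
  kubectl get csr "$1" -o jsonpath='{.status.certificate}' | base64 -d > "$1.crt" &&
  kubectl create role pod-reader --verb=get --verb=list --resource=pods &&
  kubectl create rolebinding "pod-reader-$1" --role=pod-reader --user="$1" &&
  kubectl config set-credentials "$1" --client-key="$1.key" \
    --client-certificate="$1.crt" --embed-certs=true &&
  kubectl config set-context "$1" --cluster=kubernetes --user="$1"
}

# Run the whole flow only when called as: sh create-user.sh USER GROUP
if [ "$#" -eq 2 ]; then create_user "$1" "$2"; fi
```

The Role here only allows get and list on pods in the current namespace; widen it deliberately rather than by default.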