K8s: Add user to a cluster - Wed, Aug 3, 2022

While doing some research for RBAC authentication in Kubernetes, I needed the ability to add users to a cluster. This snippet shows a way of adding users to a cluster using certificates and openssl.

1  openssl genrsa -out john.key 2048
2  openssl req -new -key john.key -out john.csr -subj "/CN=john/O=jeeatwork"
3 
4  docker cp kind-control-plane:/etc/kubernetes/pki/ca.crt .
5  docker cp kind-control-plane:/etc/kubernetes/pki/ca.key .
6
7  openssl x509 -req -in john.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out john.crt -days 365
8 
9  kubectl config set-credentials john --client-certificate=./john.crt --client-key=./john.key
10 kubectl config set-context john-context --cluster=kind-kind --user=john
11
12 kubectl --context=john-context get pods

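Lines 1 and 2 create a private key and a certificate signing request (CSR). Note that the CN is set to the name of the user and O to the group the user is in; Kubernetes takes the username and group of a client certificate from these two subject fields.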

The CSR needs to be signed using the cluster's certificate authority (CA) certificate and private key. Since I use kind for my cluster, I can copy the CA certificate and key files from the control plane Docker container to my local file system (lines 4 and 5). The signing is done in line 7.

In lines 9 and 10 I create a local user entry and context with the signed certificate, and in line 12 I test this context. Note that this command will yield an error, since the user is authenticated but not yet allowed to do anything.
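
For line 12 to succeed, the user or group named in the certificate subject needs an RBAC binding. The following is an added example, not part of the original post: it maps the -subj string from line 2 to RBAC subjects and prints a Role and RoleBinding that allow reading pods. The helper functions, the names pod-reader and pod-reader-binding, and the default namespace are assumptions.

```shell
# Added example, not from the original post. Role and binding names are
# assumptions. Limitation: subject values with an escaped "/" are not handled.

# Emit RoleBinding subject entries for an openssl -subj string.
# $1 = subject such as "/CN=john/O=jeeatwork", $2 = User (from CN) or Group (from O)
rbac_subjects() {
  printf '%s\n' "$1" | tr '/' '\n' | while IFS='=' read -r key value; do
    case "$2:$key" in
      User:CN|Group:O)
        printf '%s\n' "- kind: $2" "  name: \"$value\"" \
          "  apiGroup: rbac.authorization.k8s.io" ;;
    esac
  done
}

# Emit a Role that can read pods plus a RoleBinding for the chosen identity.
# $1 = namespace, $2 = subject string, $3 = User (default) or Group
rbac_manifest() {
  kind=${3:-User}
  subjects=$(rbac_subjects "$2" "$kind")
  [ -n "$subjects" ] || { echo "no $kind entry in subject '$2'" >&2; return 1; }
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: $1
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: $1
  name: pod-reader-binding
subjects:
$subjects
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Print the manifest for the certificate created above. As cluster admin, pipe
# it to "kubectl apply -f -", then re-run line 12 with --context=john-context.
rbac_manifest default "/CN=john/O=jeeatwork" Group
```

Binding to Group grants the role to every certificate issued with the same O value, while the default (User) binds only the CN. A subject with several O fields yields one Group entry per field.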

© Thomas Reuhl 2020-2022