How to Create a Kubernetes User and Set Up Contexts: A Step-by-Step Guide

Managing users and their access in Kubernetes can seem complex, but it's essential for security and proper resource management. In this article, I'll walk you through how to create a user in Kubernetes, set up the necessary roles, and configure contexts for ease of use. The steps are broken down with detailed explanations of each command, making it easy to follow along.

Step 1: Generating a Private Key for the User

To begin, we need to create a private key for the user himanshu. This key will be used in the creation of the user's certificate.

#openssl genrsa -out himanshu.key 2048

Command Explanation:

  • 'genrsa': Generates an RSA private key.
  • '-out himanshu.key': Specifies the file name for the private key.
  • '2048': Key size in bits, where 2048 is considered secure for most use cases.

Step 2: Creating a Certificate Signing Request (CSR)

Next, we generate a CSR using the private key. The CSR will request a certificate for the user, specifying details like their name and group.

#openssl req -new -key himanshu.key -out himanshu.csr -subj "/CN=himanshu/O=group1"

Command Explanation:

  • 'req -new': Creates a new certificate signing request.
  • '-key himanshu.key': Uses the private key we generated in the previous step.
  • '-out himanshu.csr': Specifies the output file for the CSR.
  • '-subj "/CN=himanshu/O=group1"': Sets the subject for the CSR, where CN is the Common Name (the user's name, which Kubernetes uses as the username) and O is the Organization (which Kubernetes uses as the user's group). Note that O is the letter O, not a zero.

Step 3: Encoding the CSR

To submit the CSR to the Kubernetes API, we need to encode it in base64.

#cat himanshu.csr | base64 | tr -d '\n'

Command Explanation:

  • 'base64': Encodes the CSR in base64.
  • 'tr -d '\n'': Removes any newline characters from the output, ensuring it's suitable for the YAML configuration.

Step 4: Creating the CSR in Kubernetes

Now, we'll create a Kubernetes CertificateSigningRequest resource using a YAML configuration file.

#vi csr.yaml

########################################

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: himanshu
spec:
  # paste the base64-encoded CSR from Step 3 here, as a single line:
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1dEQ0NBVUFDQVFBd0V6RVJNQThHQTFVRUF3d0lhR2x0WVc1emFIVXdnZ0VpTUEwR0NTcUdTSWIzRFFFQgpBUVVBQTRJQkR3QXdnZ0VLQW9JQkFR
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth

########################################

YAML Explanation:

  • 'apiVersion: certificates.k8s.io/v1': Specifies the version of the certificates API.
  • 'kind: CertificateSigningRequest': Declares that this resource is a CSR.
  • 'metadata': Contains resource metadata, such as the name.
  • 'request': The base64-encoded CSR string produced in Step 3.
  • 'signerName': Requests the built-in kube-apiserver-client signer, which issues certificates for authenticating to the API server.
  • 'usages': Describes the intended usage of the certificate. Here, it is used for client authentication.

Apply the CSR to the Kubernetes cluster:

#kubectl apply -f csr.yaml

Step 5: Approving the CSR and Getting the Certificate

Once the CSR is created, it needs to be approved by an administrator. After approval, you can retrieve the signed certificate.

#kubectl get csr himanshu -o jsonpath='{.status.certificate}' | base64 --decode > himanshu.crt

Command Explanation:

  • 'kubectl get csr': Retrieves the CSR named himanshu.
  • '-o jsonpath='{.status.certificate}'': Extracts the certificate from the CSR's status.
  • 'base64 --decode': Decodes the certificate from base64 and saves it to himanshu.crt.
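Step 5 leaves the approval itself to the administrator. As an added example that is not part of the original article, the following POSIX shell script performs that administrator-side step: it decodes the pending request, checks that the subject's CN and O name the expected user and group (the O field becomes a Kubernetes group, so an unexpected value such as a system: group must not be approved), and only then approves and confirms the resulting access with kubectl auth can-i. The script file name (review-csr.sh) and the expected user/group values are assumptions; kubectl and openssl are assumed to be on PATH.

```sh
#!/bin/sh
# Added example, not part of the original article. Administrator-side review of a
# pending CertificateSigningRequest before "kubectl certificate approve". Kubernetes
# takes the username from the CSR's CN and the groups from its O fields, so an
# approver should confirm both before signing. Assumes kubectl and openssl on PATH.

# csr_subject NAME: print the subject of the pending request, e.g.
# "subject=CN = himanshu, O = group1" (openssl 1.1+/3 formatting).
csr_subject() {
    kubectl get csr "$1" -o jsonpath='{.spec.request}' \
        | base64 --decode | openssl req -noout -subject
}

# subject_ok SUBJECT USER GROUP: succeed only when CN equals USER, one O equals
# GROUP, and no O starts with "system:" (reserved for built-in groups such as
# system:masters). Accepts both "CN = x, O = y" and "/CN=x/O=y" subject styles.
subject_ok() {
    kv=$(printf '%s\n' "$1" | sed 's/^subject=//' | tr ',/' '\n\n' \
         | sed 's/^ *//; s/ *= */=/')
    cn=$(printf '%s\n' "$kv" | sed -n 's/^CN=//p')
    orgs=$(printf '%s\n' "$kv" | sed -n 's/^O=//p')
    [ "$cn" = "$2" ] || return 1
    printf '%s\n' "$orgs" | grep -qxF -e "$3" || return 1
    printf '%s\n' "$orgs" | grep -q '^system:' && return 1
    return 0
}

# approve_if_expected NAME USER GROUP: approve only after the subject check passes,
# then confirm the new identity gets exactly the pod-reader access from Step 6.
approve_if_expected() {
    subj=$(csr_subject "$1") || return 1
    if ! subject_ok "$subj" "$2" "$3"; then
        echo "refusing to approve $1: $subj" >&2
        return 1
    fi
    kubectl certificate approve "$1"
    kubectl auth can-i list pods --as="$2" -n default || return 1
    # can-i exits non-zero for "no"; deletion must be denied for a read-only role
    if kubectl auth can-i delete pods --as="$2" -n default; then return 1; fi
    return 0
}

# Run against the cluster only when asked explicitly: sh review-csr.sh run
if [ "${1:-}" = "run" ]; then
    approve_if_expected himanshu himanshu group1
fi
```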

Step 6: Creating a Role and RoleBinding

To provide the user himanshu with permissions, we need to define a Role and a RoleBinding. The Role specifies what actions the user can perform, and the RoleBinding links the user to the Role.

#vi role.yaml

###################################################

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: himanshu
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

###################################################

YAML Explanation:

  • 'Role': Defines the permissions for himanshu to read pods.
  • 'RoleBinding': Associates the user himanshu with the pod-reader role.

Apply the Role and RoleBinding:

#kubectl apply -f role.yaml

Step 7: Configuring Context for the User

Now that the user has a certificate and a role, it's time to set up a Kubernetes context for easy access.

#kubectl config set-credentials himanshu --client-certificate=himanshu.crt --client-key=himanshu.key

Command Explanation:

  • 'set-credentials': Adds the user's credentials (certificate and private key) to the kubeconfig file.

List the current contexts:

#kubectl config get-contexts

Create a new context for the user:

#kubectl config set-context himanshu-context --cluster=kubernetes --namespace=default --user=himanshu

Command Explanation:

  • 'set-context': Creates a new context named himanshu-context.
  • '--cluster': Specifies the cluster to use.
  • '--namespace': Sets the default namespace for the context.
  • '--user': Assigns the himanshu user to the context.

Use the new context:

#kubectl config use-context himanshu-context

Verify the contexts:

#kubectl config get-contexts

#kubectl config view

Step 8: Deploying an Application with the New User

Finally, let's use the new user and context to deploy a simple application.

#kubectl create deployment nginx --image=nginx --dry-run=client -o json > deploy.json

#kubectl run nginx --image=nginx --dry-run=client -o json

Command Explanation:

  • 'create deployment': Generates a deployment resource for an nginx application.
  • '--dry-run=client': Generates the resource locally without sending it to the cluster, and outputs the result as JSON.

Conclusion

By following these steps, you've successfully created a user in Kubernetes, assigned roles, and configured contexts for easier management. This setup is fundamental to maintaining a secure and efficient Kubernetes environment, especially in multi-user scenarios. Have you tried creating users in Kubernetes, or how do you handle user access in your clusters?

Feel free to connect and share insights!
