How to create a user in k8s using Minikube
Generate the private key (.key) for the user:
openssl genrsa -out user1.key 2048
Generate the CSR (certificate signing request). Kubernetes reads the identity straight out of the certificate subject: the CN becomes the username and each O becomes a group, so "/CN=user1/O=eralabs" will authenticate as user "user1" in group "eralabs".
openssl req -new \
-key user1.key \
-out user1.csr \
-subj "/CN=user1/O=eralabs"
Check the Minikube folder to verify that the cluster CA files ca.crt and ca.key exist there:
ls ~/.minikube/
Now sign the CSR with the Minikube CA key to produce the user certificate. Two caveats: anyone who holds ca.key can mint a certificate for any username (including system:masters group membership), so it must be protected like the cluster admin credential; and the API server does not check certificate revocation lists, so an issued certificate cannot be revoked before it expires. Keep -days short rather than the 500 used here.
openssl x509 -req \
-in user1.csr \
-CA ~/.minikube/ca.crt \
-CAkey ~/.minikube/ca.key \
-CAcreateserial \
-out user1.crt \
-days 500
Now add a kubectl user entry for user1 that points at the certificate and key generated above:
kubectl config set-credentials user1 \
--client-certificate=user1.crt \
--client-key=user1.key
Now create a context that ties the user to the minikube cluster and the default namespace:
kubectl config set-context user1-context \
--cluster=minikube \
--namespace=default \
--user=user1
Now view the current context with the command below:
kubectl config view | grep current-context
You will still see minikube as the current context, like this: current-context: minikube
Switch to the context created with set-context above, user1-context:
kubectl config use-context user1-context
kubectl config view | grep current-context
Now user1-context is the current context, like this: current-context: user1-context
Hurray, you have successfully created user1 and switched to its context. But wait: right now this user cannot do anything with the cluster's resources. Authentication succeeded (the API server accepted the certificate and knows who user1 is), but no RBAC rule authorises user1 to do anything.
If you run kubectl get pods
you will get the following message:
Error from server (Forbidden): pods is forbidden: User "user1" cannot list resource "pods" in API group "" in the namespace "default"
Now switch back to the minikube (admin) context the same way you switched to user1-context, with kubectl config use-context minikube. The Role and RoleBinding below must be created as the admin user, because user1 has no permission to create them either.
Here Role and RoleBinding come into the picture:
Role:
Understand a Role as a set of permissions: which actions (verbs such as get, list, watch) may be performed on which resources, scoped to a single namespace. A Role says nothing about who gets these permissions; that is the job of the RoleBinding.
create role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # the core API group
  resources: ["pods", "services"]
  verbs: ["get", "watch", "list"]
kubectl apply -f role.yaml
kubectl get role
Understand RoleBinding:
To connect a Role to a user we create a RoleBinding.
A RoleBinding is just a YAML file with two important fields: subjects and roleRef.
In subjects, we define which user (or group, or service account) the Role is bound to. The name must match the identity from the certificate, here the CN user1.
In roleRef, we define which Role we want to grant to that subject. roleRef is immutable once created; to point a binding at a different Role you delete and recreate it.
Here is the role-binding.yaml:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: user1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
kubectl apply -f role-binding.yaml
kubectl get rolebinding
Now switch back to user1-context and run kubectl get pods or kubectl get svc: the Forbidden error is gone and the resources in the default namespace are listed. Anything outside the Role, for example kubectl get secrets or kubectl get pods -n kube-system, is still forbidden.
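The whole procedure above, as one script. This is an added example and not code from the original post: it mints the user certificate, shows the username and group the API server will read from it, verifies the chain against the CA, and then asks the cluster, while still in the admin context, whether user1 may list pods, using kubectl's impersonation flag (--as). Assumptions not in the post: openssl is on PATH; the CA directory defaults to ~/.minikube and, if no ca.crt/ca.key is found there, a throwaway CA is generated in a temp dir (hypothetical, only so the script also runs offline); kubectl is called only when a cluster is reachable; the function and variable names are my own.

```sh
#!/bin/sh
# Added example: Kubernetes user certificate + RBAC check (not from the original post).

# Minimal OpenSSL config so the commands do not depend on the system openssl.cnf.
write_openssl_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = throwaway-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# k8s_user_cert USER ORG [DAYS] [CADIR]
# Signs /CN=USER/O=ORG with CADIR/ca.crt + ca.key (the Minikube CA by default).
# If no CA is found there, a throwaway CA is generated instead (assumption made
# for offline runs). Prints the work directory holding key, csr, crt and ca.crt.
k8s_user_cert() {
  user="$1"; org="$2"; days="${3:-30}"; cadir="${4:-$HOME/.minikube}"
  work=$(mktemp -d) || return 1
  write_openssl_cnf "$work/openssl.cnf"
  if [ ! -f "$cadir/ca.crt" ] || [ ! -f "$cadir/ca.key" ]; then
    cadir="$work/ca"; mkdir -p "$cadir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
      -config "$work/openssl.cnf" \
      -keyout "$cadir/ca.key" -out "$cadir/ca.crt" >/dev/null 2>&1 || return 1
  fi
  # CN becomes the Kubernetes username, O becomes a group name.
  openssl genrsa -out "$work/$user.key" 2048 >/dev/null 2>&1 || return 1
  chmod 600 "$work/$user.key"
  openssl req -new -key "$work/$user.key" -out "$work/$user.csr" \
    -config "$work/openssl.cnf" -subj "/CN=$user/O=$org" >/dev/null 2>&1 || return 1
  # Kubernetes does not consult CRLs: an issued cert cannot be revoked, so keep -days short.
  openssl x509 -req -in "$work/$user.csr" -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" \
    -CAcreateserial -days "$days" -out "$work/$user.crt" >/dev/null 2>&1 || return 1
  cp "$cadir/ca.crt" "$work/ca.crt"   # kept beside the cert so the chain can be verified
  echo "$work"
}

# cert_field FIELD CERT -> value of one subject RDN (CN = username, O = group)
cert_field() {
  openssl x509 -in "$2" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//' | tr ',' '\n' | sed -n "s/^$1=//p"
}

# cert_valid CERT CA -> exit 0 if CERT chains to CA and is inside its validity period
cert_valid() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# k8s_bind_and_check USER NS WORKDIR
# Registers the cert in kubeconfig (embedded, so the temp dir can be deleted)
# and asks the API server, from the current admin context, whether USER may
# list pods. Exit 0 means "yes"; exit 1 means "no" (no Role/RoleBinding yet).
k8s_bind_and_check() {
  user="$1"; ns="$2"; work="$3"
  kubectl config set-credentials "$user" \
    --client-certificate="$work/$user.crt" --client-key="$work/$user.key" \
    --embed-certs=true >/dev/null
  kubectl config set-context "$user-context" \
    --cluster=minikube --namespace="$ns" --user="$user" >/dev/null
  kubectl auth can-i list pods --as="$user" -n "$ns"
}

WORK=$(k8s_user_cert user1 eralabs 30) || exit 1
echo "user=$(cert_field CN "$WORK/user1.crt") group=$(cert_field O "$WORK/user1.crt")"
cert_valid "$WORK/user1.crt" "$WORK/ca.crt" && echo "chain OK: $WORK/user1.crt"
if command -v kubectl >/dev/null 2>&1 && kubectl cluster-info >/dev/null 2>&1; then
  k8s_bind_and_check user1 default "$WORK" \
    || echo "user1 has no RBAC grant yet: apply role.yaml and role-binding.yaml, then re-run"
fi
```

The can-i check is the step worth keeping: run it once before applying the Role (it answers "no") and once after (it answers "yes"), all from the admin context, so you never have to switch into a context that cannot do anything to find out whether the binding worked.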