How to create a user in k8s using Minikube

Generate the private key (.key):

openssl genrsa -out user1.key 2048

Generate the .csr (certificate signing request):

openssl req -new \
    -key user1.key \
    -out user1.csr \
    -subj "/CN=user1/O=eralabs"

Check the Minikube folder to verify that the ca.crt and ca.key files exist:

ls ~/.minikube/

Now that the key and CSR exist, generate the certificate from them, signed by the Minikube CA:

openssl x509 -req \
    -in user1.csr \
    -CA ~/.minikube/ca.crt \
    -CAkey ~/.minikube/ca.key \
    -CAcreateserial \
    -out user1.crt \
    -days 500

Now set credentials for the user with the certificate generated above and the key:

kubectl config set-credentials user1 \
    --client-certificate=user1.crt \
    --client-key=user1.key

Now set the context for the user:

kubectl config set-context user1-context \
    --cluster=minikube \
    --namespace=default \
    --user=user1

Now view the current context using the below command:

kubectl config view | grep current-context

You will see minikube as the current context, like this: current-context: minikube

Now use the context you created with the set-context command, user1-context:

kubectl config use-context user1-context
kubectl config view | grep current-context

Now you see user1-context as the current context, like this: current-context: user1-context

Now you have successfully created user1 and switched to it, hurrah! But wait: right now you cannot do anything with the k8s cluster resources.

If you run kubectl get pods you will get the following message:

Error from server (Forbidden): pods is forbidden: User "user1" cannot list resource "pods" in API group "" in the namespace "default"

Now go back to the minikube context the same way you switched to user1-context.

Here Role and RoleBinding come into the picture:

Role:

  • Understand a Role as a set of permissions: it defines which kinds of actions the user you created may perform in the cluster.

  • Create role.yaml:

        kind: Role
        apiVersion: rbac.authorization.k8s.io/v1
        metadata:
          namespace: default
          name: pod-reader
        rules:
        - apiGroups: [""] # the core API group
          resources: ["pods", "services"]
          verbs: ["get", "watch", "list"]
    
kubectl apply -f role.yaml
kubectl get role

Understand RoleBinding:

  • To connect a Role to a user we create a RoleBinding.

  • A RoleBinding is just a YAML file with two important fields: subjects and roleRef (the role reference).

  • In subjects, we define which user the Role we created is bound to.

  • In roleRef, we define which Role we want to grant to the user.

  • Here is role-binding.yaml:

        kind: RoleBinding
        apiVersion: rbac.authorization.k8s.io/v1
        metadata:
          name: read-pods
          namespace: default
        subjects:
        - kind: User
          name: user1
          apiGroup: rbac.authorization.k8s.io
        roleRef:
          kind: Role
          name: pod-reader
          apiGroup: rbac.authorization.k8s.io
    
kubectl apply -f role-binding.yaml
kubectl get rolebinding

Now switch to user1-context and run kubectl get pods or kubectl get svc; this time the resources are listed.
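The certificate steps and the RBAC steps above are tied together by the subject given to openssl req -subj: the API server takes the username from CN and the groups from O, which is why the RoleBinding names user1. The following script is an added example (not part of the tutorial) that makes that mapping visible, verifies user1.crt against the Minikube CA, and checks what the bound identity may do from the admin context; the function names and the file paths it defaults to (user1.crt, ~/.minikube/ca.crt) are assumptions taken from the steps above.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial: shows how the API server turns
# the certificate subject into a Kubernetes identity, verifies user1.crt against
# the Minikube CA used above, and checks the RBAC result without switching context.
set -eu

# Client-certificate authentication: the subject CN becomes the username and
# every O (organization) component becomes a group. The RoleBinding subject
# "name: user1" therefore has to match the CN passed to openssl req -subj.
# Prints "user=<cn> groups=<o1>,<o2>,...".
subject_to_identity() {
  local subj="$1" user="" groups="" part
  local IFS='/'                # "/CN=user1/O=eralabs" -> CN=user1 O=eralabs
  for part in $subj; do
    case "$part" in
      CN=*) user="${part#CN=}" ;;
      O=*)  groups="${groups:+$groups,}${part#O=}" ;;
    esac
  done
  printf 'user=%s groups=%s\n' "$user" "$groups"
}

# Confirm the issued certificate chains to the Minikube CA (the -CA/-CAkey pair
# used above) and report the identity it carries. Needs openssl.
verify_client_cert() {
  local crt="${1:-user1.crt}" ca="${2:-$HOME/.minikube/ca.crt}"
  openssl verify -CAfile "$ca" "$crt" >/dev/null
  subject_to_identity "$(openssl x509 -in "$crt" -noout -subject -nameopt compat |
    sed 's/^subject= *//')"
}

# From the admin (minikube) context, ask the API server what the bound identity
# may do by impersonating it, instead of switching to user1-context and trying.
# Each argument is "<verb> <resource>", e.g. "list pods".
check_rbac() {
  local user="$1" verb_res; shift
  for verb_res in "$@"; do
    # $verb_res is split on purpose into verb and resource
    printf '%-16s %s\n' "$verb_res" \
      "$(kubectl auth can-i $verb_res --as="$user" -n default 2>/dev/null || true)"
  done
}

# Only talks to a real cluster when a certificate path is given:
#   ./check_user1.sh user1.crt
if [ "$#" -gt 0 ]; then
  verify_client_cert "$1"
  check_rbac user1 "list pods" "get services" "delete pods" "list secrets"
fi
```

Kubernetes does not consult certificate revocation lists, so a client certificate issued this way stays valid until it expires (500 days above); keep user1.key private and prefer short lifetimes for real users.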