
User Creation

This page walks through the steps needed to create users, as presented in Users Management.

When managing a Kubernetes cluster, you will probably need to create different users with different restrictions. We split this into two main steps:

  • Create a user account that starts with no access at all to Kubernetes resources
  • Elevate that user's privileges to exactly what they need.

Warning

The solution illustrated in User Management is one of many existing solutions that can be applied in your organization.

This approach may or may not fit your company's culture. Nonetheless, there should be a lot of similarities in how user creation is tackled.

Info

In this page, we assume you are using minikube as your Kubernetes cluster. By default, the kubeconfig minikube writes contains a user (minikube) with cluster-admin rights, which is the admin account the steps below require.

Prerequisites

Before going through the actual user creation process, a few steps are required.

Use an admin account

Creating a user is an admin operation: signing the certificate requires the cluster CA key, and creating the RBAC objects requires permissions only an admin has. All the following commands and manipulations must be executed using an admin account.

Create a namespace

We will be limiting our new user mytenant-user to a single namespace mytenant.

To create that namespace, simply run:

kubectl create namespace mytenant

Create a new User

Generate ssl certificates

kubectl (and, more generally, any client of Kubernetes resources) talks to the Kubernetes API server over HTTPS. The API server is the control-plane component that authenticates every request, and the simplest credential it accepts is an X.509 client certificate signed by the cluster CA: the certificate's Common Name (CN) becomes the username and its Organization (O) entries become the user's groups. Kubernetes does not consult certificate revocation lists, so a signed certificate stays valid until it expires; keep the validity period short and treat the private key as a long-lived secret.

We'll use openssl to generate the certificate for the new user.

Tip

You might need to comment out this line in your /etc/ssl/openssl.cnf (some older OpenSSL releases refuse to run when the referenced .rnd file does not exist):

...
RANDFILE               = $ENV::HOME/.rnd
...
# Generate a private key and a CSR. The CN becomes the Kubernetes username and
# O becomes a group the user belongs to. Never use O=system:masters: that
# group is cluster-admin regardless of any Role you create later.
openssl genrsa -out mytenant-user.key 2048
openssl req -new -key mytenant-user.key -out mytenant-user.csr -subj "/CN=mytenant-user/O=punch"

# on minikube
# CA_LOCATION=~/.minikube
# on production cluster
# CA_LOCATION=/etc/kubernetes/pki

# in our example, we will be using minikube.
# Set the variable in your own shell rather than on the sudo command line:
# in "sudo CA_LOCATION=... openssl ... $CA_LOCATION/ca.crt" the shell expands
# $CA_LOCATION before sudo runs, while it is still empty.
CA_LOCATION=~/.minikube
sudo openssl x509 -req -in mytenant-user.csr \
             -CA "$CA_LOCATION/ca.crt" \
             -CAkey "$CA_LOCATION/ca.key" \
             -CAcreateserial \
             -out mytenant-user.crt \
             -days 500
# sudo wrote the certificate as root; hand it back to your own account
sudo chown "$USER" mytenant-user.crt

Add user to kubeconfig

# add our generated credentials to KUBECONFIG
kubectl config set-credentials mytenant-user \
        --client-certificate=$(pwd)/mytenant-user.crt  \
        --client-key=$(pwd)/mytenant-user.key

# add context information to KUBECONFIG
kubectl config set-context mytenant-user-context \
               --cluster=minikube \
               --namespace=mytenant \
               --user=mytenant-user

You can now check that the new identity is accepted by the API server:

kubectl --context=mytenant-user-context get pods

It should fail with a Forbidden error:

Error from server (Forbidden): pods is forbidden: User "mytenant-user" cannot list resource "pods" in API group "" in the namespace "mytenant"

Forbidden (HTTP 403) is the expected outcome: the certificate was accepted, so authentication worked, but the user has no permissions yet. If the certificate had been rejected you would get Unauthorized (HTTP 401) instead. What is missing is a grant of permissions to this new user.

Elevate user permissions

Create role

kubectl apply -f- <<EOF
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: mytenant
  name: punch-users-basic
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]
EOF

A side note: adding the rule below to the Role gives the user the right to exec into pods. pods/exec is a subresource, so a rule on pods alone never covers it. Bear in mind that exec grants a shell inside any container in the namespace, including access to whatever service account token is mounted there.

- apiGroups: [ "" ]
  resources: [ "pods/exec" ]
  verbs: [ "create" ]

Bind role to user

kubectl apply -f- <<EOF
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: punch-users-basic-binding
  namespace: mytenant
subjects:
- kind: User
  name: mytenant-user              # must equal the certificate's CN
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: punch-users-basic
  apiGroup: rbac.authorization.k8s.io
EOF

Now check again that you can list pods with this user. Since the namespace is still empty, a successful call prints "No resources found in mytenant namespace." rather than an error:

kubectl --context=mytenant-user-context get pods
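To see why the first request was Forbidden and exactly what the Role and RoleBinding above grant, here is an added example in Go (not code from the page or from the Punch project): a small model of the API server's RBAC authorizer with the page's Role and RoleBinding transcribed into it. The rule matching follows the in-tree authorizer's semantics: deny by default, namespaced Roles, "*" wildcards for verbs, API groups and resources, and the subresource rule that makes pods/exec a resource distinct from pods. It models Role and RoleBinding only (no ClusterRole, no aggregation); the type and function names (Request, Allowed, punchUsersBasic, punchUsersBasicBinding) are ours.

```go
package main

import "strings"

// PolicyRule is one entry of a Role's "rules:" list; a Role is namespaced.
type PolicyRule struct{ APIGroups, Resources, Verbs []string }
type Role struct {
	Namespace, Name string
	Rules           []PolicyRule
}

// Subject is one RoleBinding subject (Kind "User" or "Group"); roleRef names a Role in the binding's namespace.
type Subject struct{ Kind, Name string }
type RoleBinding struct {
	Namespace, RoleName string
	Subjects            []Subject
}

// Request is what the authorizer sees after authentication: User and Groups come from the
// client certificate (CN and O). APIGroup "" is the core group (pods); "apps" holds deployments.
type Request struct {
	User                                string
	Groups                              []string
	Verb, APIGroup, Resource, Namespace string // Resource is "pods" or "pods/exec"
}

// matches is the verb / apiGroup test: an exact entry or the "*" wildcard.
func matches(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// resourceMatches applies the subresource rule: "pods" never covers "pods/exec";
// only an exact "pods/exec", a "*/exec" or a "*" entry does.
func resourceMatches(rule PolicyRule, requested string) bool {
	sub := ""
	if i := strings.Index(requested, "/"); i >= 0 {
		sub = requested[i+1:]
	}
	for _, r := range rule.Resources {
		if r == "*" || r == requested || (sub != "" && r == "*/"+sub) {
			return true
		}
	}
	return false
}

func subjectMatches(s Subject, req Request) bool {
	if s.Kind == "User" {
		return s.Name == req.User
	}
	for _, g := range req.Groups {
		if s.Kind == "Group" && g == s.Name {
			return true
		}
	}
	return false
}

// Allowed is deny-by-default: a binding in the request's namespace must name the subject, and
// the Role it references must hold a rule covering verb, API group and resource. Nothing else
// (the O=punch group in the certificate, a Role in another namespace) grants anything.
func Allowed(roles []Role, bindings []RoleBinding, req Request) bool {
	for _, b := range bindings {
		bound := false
		for _, s := range b.Subjects {
			bound = bound || subjectMatches(s, req)
		}
		if b.Namespace != req.Namespace || !bound {
			continue
		}
		for _, role := range roles {
			if role.Namespace != b.Namespace || role.Name != b.RoleName {
				continue
			}
			for _, rule := range role.Rules {
				if matches(rule.Verbs, req.Verb) && matches(rule.APIGroups, req.APIGroup) && resourceMatches(rule, req.Resource) {
					return true
				}
			}
		}
	}
	return false
}

// The page's Role and RoleBinding, transcribed into the model above.
var punchUsersBasic = Role{Namespace: "mytenant", Name: "punch-users-basic", Rules: []PolicyRule{{
	APIGroups: []string{"", "extensions", "apps"},
	Resources: []string{"deployments", "replicasets", "pods"},
	Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
}}}

var punchUsersBasicBinding = RoleBinding{Namespace: "mytenant", RoleName: "punch-users-basic",
	Subjects: []Subject{{Kind: "User", Name: "mytenant-user"}}}
```

Calling Allowed with the Role but no binding returns false for list pods in mytenant; with the binding it returns true, still false in default, false for get secrets, and false for create pods/exec until the rule from the side note is appended. It also shows why O=punch in the certificate does not help by itself: the binding names a User, so a second certificate with O=punch is denied unless a binding with kind: Group and name: punch exists. On a real cluster the equivalent check is kubectl auth can-i, run from the admin context with --as=mytenant-user.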

Packaging

Create kube config

If you look at your kubeconfig:

kubectl config view

you should see something like:

apiVersion: v1
clusters:
  - cluster:
      certificate-authority: /home/user1/.minikube/ca.crt
      extensions:
        - extension:
            last-update: Sat, 03 Jul 2021 20:42:24 CEST
            provider: minikube.sigs.k8s.io
            version: v1.18.1
          name: cluster_info
      server: https://192.168.49.2:8443
    name: minikube
contexts:
  - context:
      cluster: minikube
      extensions:
        - extension:
            last-update: Sat, 03 Jul 2021 20:42:24 CEST
            provider: minikube.sigs.k8s.io
            version: v1.18.1
          name: context_info
      namespace: default
      user: minikube
    name: minikube
current-context: minikube
kind: Config
preferences: { }
users:
  - name: minikube
    user:
      client-certificate: /home/user1/.minikube/profiles/minikube/client.crt
      client-key: /home/user1/.minikube/profiles/minikube/client.key
  - name: mytenant-user
    user:
      client-certificate: /home/user1/mytenant-user.crt
      client-key: /home/user1/mytenant-user.key

From this config, extract the essential information and create a new kubeconfig file to give to your user: the cluster entry, the user's own context and the user's own credentials, and nothing else. Do not copy the admin user (minikube) or its certificate paths.

Here is what the new config should look like:

apiVersion: v1
clusters:
  - cluster:
      # watch out: the path has changed
      certificate-authority: /home/mytenant-user/.minikube/ca.crt
      extensions:
        - extension:
            last-update: Sat, 03 Jul 2021 20:42:24 CEST
            provider: minikube.sigs.k8s.io
            version: v1.18.1
          name: cluster_info
      server: https://192.168.49.2:8443
    name: minikube
contexts:
  - context:
      cluster: minikube
      extensions:
        - extension:
            last-update: Sat, 03 Jul 2021 20:42:24 CEST
            provider: minikube.sigs.k8s.io
            version: v1.18.1
          name: context_info
      # we changed default namespace
      namespace: mytenant
      # we changed default user
      user: mytenant-user
    name: minikube
current-context: minikube
kind: Config
preferences: { }
users:
  - name: mytenant-user
    user:
      # watch out: the path has changed
      client-certificate: /home/mytenant-user/mytenant-user.crt
      client-key: /home/mytenant-user/mytenant-user.key
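The hand-edited file above works only if the user copies ca.crt, mytenant-user.crt and mytenant-user.key to exactly those paths under /home/mytenant-user, and it is easy to leave the admin's minikube entry in by mistake. As an added example (not code from the page or from the Punch project), here is the same packaging done programmatically in Go: it takes the admin kubeconfig, keeps only the cluster, context and user that mytenant-user-context needs, embeds the three PEM files as base64 *-data fields so the result is a single portable file, and refuses to emit anything else. It relies on kubeconfig being readable as JSON (kubectl config view --raw -o json emits it that way, and kubectl accepts JSON kubeconfig files); the Go types mirror the schema fields used on this page, and the Package function with its readFile parameter (os.ReadFile in real use, a map in the test) is ours.

```go
package main

import "fmt"

// Subset of the kubeconfig schema; []byte fields marshal as base64, which is
// exactly how the "*-data" fields are stored.
type Cluster struct {
	Server                   string `json:"server"`
	CertificateAuthority     string `json:"certificate-authority,omitempty"`
	CertificateAuthorityData []byte `json:"certificate-authority-data,omitempty"`
}
type Context struct {
	Cluster   string `json:"cluster"`
	User      string `json:"user"`
	Namespace string `json:"namespace,omitempty"`
}
type AuthInfo struct {
	ClientCertificate     string `json:"client-certificate,omitempty"`
	ClientKey             string `json:"client-key,omitempty"`
	ClientCertificateData []byte `json:"client-certificate-data,omitempty"`
	ClientKeyData         []byte `json:"client-key-data,omitempty"`
}
type NamedCluster struct {
	Name    string  `json:"name"`
	Cluster Cluster `json:"cluster"`
}
type NamedContext struct {
	Name    string  `json:"name"`
	Context Context `json:"context"`
}
type NamedUser struct {
	Name string   `json:"name"`
	User AuthInfo `json:"user"`
}
type Config struct {
	APIVersion     string         `json:"apiVersion"`
	Kind           string         `json:"kind"`
	CurrentContext string         `json:"current-context"`
	Clusters       []NamedCluster `json:"clusters"`
	Contexts       []NamedContext `json:"contexts"`
	Users          []NamedUser    `json:"users"`
}

// Package returns a self-contained kubeconfig holding only what contextName needs:
// that context, its cluster and its user, with every PEM file they reference
// embedded. readFile resolves the paths (os.ReadFile in real use).
func Package(cfg Config, contextName string, readFile func(string) ([]byte, error)) (Config, error) {
	var ctx *NamedContext
	for i := range cfg.Contexts {
		if cfg.Contexts[i].Name == contextName {
			ctx = &cfg.Contexts[i]
		}
	}
	if ctx == nil {
		return Config{}, fmt.Errorf("context %q not found", contextName)
	}
	embed := func(path *string, data *[]byte) error { // file reference -> inline data
		if *path == "" {
			return nil // already stored as *-data
		}
		b, err := readFile(*path)
		if err == nil {
			*data, *path = b, ""
		}
		return err
	}
	out := Config{APIVersion: "v1", Kind: "Config", CurrentContext: contextName, Contexts: []NamedContext{*ctx}}
	for _, c := range cfg.Clusters {
		if c.Name != ctx.Context.Cluster {
			continue
		}
		if err := embed(&c.Cluster.CertificateAuthority, &c.Cluster.CertificateAuthorityData); err != nil {
			return Config{}, err
		}
		out.Clusters = append(out.Clusters, c)
	}
	// Only the context's own user is copied: the admin entry must never reach the tenant.
	for _, u := range cfg.Users {
		if u.Name != ctx.Context.User {
			continue
		}
		if err := embed(&u.User.ClientCertificate, &u.User.ClientCertificateData); err != nil {
			return Config{}, err
		}
		if err := embed(&u.User.ClientKey, &u.User.ClientKeyData); err != nil {
			return Config{}, err
		}
		out.Users = append(out.Users, u)
	}
	if len(out.Clusters) != 1 || len(out.Users) != 1 {
		return Config{}, fmt.Errorf("context %q references an unknown cluster or user", contextName)
	}
	return out, nil
}
```

In real use you would json.Unmarshal the output of kubectl config view --raw -o json into Config, call Package(cfg, "mytenant-user-context", os.ReadFile) and json.Encode the result to mytenant-user.kubeconfig. kubectl's own kubectl config view --minify --flatten does the same flattening for the current context; writing it out shows which fields move and that the admin's client.crt and client.key never leave the admin's machine. Whichever way you produce the file, the embedded client-key-data is the user's private key: treat the file like the key itself.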

Send files

You can now provide your user with:

  • The kubeconfig file
  • The cluster CA certificate (ca.crt, which is public)
  • The user's certificate and private key (mytenant-user.crt and mytenant-user.key)

Send the private key over a channel you trust (for example straight to the user's machine over ssh), never by e-mail or chat: it is the only thing that authenticates this user until the certificate expires, and Kubernetes offers no way to revoke it short of rotating the cluster CA. If you would rather not handle it at all, have the user generate the key and the CSR on their own machine and send you only the CSR to sign.