Kubernetes : Add normal Users 2025/08/25 |
|
Add normal users who can use the Kubernetes cluster. In this example, a Kubernetes cluster is configured using four nodes as follows.
+----------------------+ +----------------------+
| [ ctrl.srv.world ] | | [ dlp.srv.world ] |
| Manager Node | | Control Plane |
+-----------+----------+ +-----------+----------+
eth0|10.0.0.25 eth0|10.0.0.30
| |
------------+--------------------------+-----------
| |
eth0|10.0.0.51 eth0|10.0.0.52
+-----------+----------+ +-----------+----------+
| [ node01.srv.world ] | | [ node02.srv.world ] |
| Worker Node#1 | | Worker Node#2 |
+----------------------+ +----------------------+
|
| [1] | As an example, add a user who authenticates with an X509 client certificate. |
|
# specify the user name to be created in [/CN=***] root@ctrl:~# openssl ecparam -name prime256v1 -genkey -out kubernetes.key root@ctrl:~# openssl req -new -key kubernetes.key -out kubernetes.csr -subj "/CN=serverworld" CSR=$(cat kubernetes.csr | base64 | tr -d '\n')
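# write the CertificateSigningRequest manifest
# the here-document delimiter is unquoted, so the shell expands $CSR into the [request] field
# signer [kubernetes.io/kube-apiserver-client] with usage [client auth] asks for a certificate
# that is used for client authentication to the API server
# NOTE: Kubernetes cannot revoke an individual client certificate, so an issued certificate
# stays usable until it expires (access is withdrawn by deleting the user's role bindings);
# the optional [spec.expirationSeconds] field can request a shorter lifetime
# the nesting under [metadata] and [spec] below is required for the manifest to be valid
root@ctrl:~# cat <<EOF > serverworld-csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: serverworld-csr
spec:
  request: $CSR
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF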
# register the CSR root@ctrl:~# kubectl apply -f serverworld-csr.yaml certificatesigningrequest.certificates.k8s.io/serverworld-csr created kubectl get csr NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION csr-cd8tq 3m33s kubernetes.io/kube-apiserver-client-kubelet system:bootstrap:abcdef <none> Approved,Issued csr-fc5b2 12m kubernetes.io/kube-apiserver-client-kubelet system:node:dlp.srv.world <none> Approved,Issued csr-zq94s 5m58s kubernetes.io/kube-apiserver-client-kubelet system:bootstrap:abcdef <none> Approved,Issued serverworld-csr 8s kubernetes.io/kube-apiserver-client kubernetes-admin <none> Pending # approve the CSR and export it to a certificate root@ctrl:~# kubectl certificate approve serverworld-csr certificatesigningrequest.certificates.k8s.io/serverworld-csr approved root@ctrl:~# kubectl get csr serverworld-csr -o jsonpath='{.status.certificate}' | base64 --decode > kubernetes.crt # assign a cluster role to new user # for example, set [cluster-admin] for cluster administrator privileges root@ctrl:~# kubectl create clusterrolebinding serverworld --clusterrole=cluster-admin --user=serverworld clusterrolebinding.rbac.authorization.k8s.io/serverworld created # create a kubeconfig for new user root@ctrl:~# SERVER=$(kubectl config view -o jsonpath='{.clusters[].cluster.server}') root@ctrl:~# CLUSTER=$(kubectl config view -o jsonpath='{.contexts[].context.cluster}') root@ctrl:~# ROOTCA=$(kubectl get cm kube-root-ca.crt -o jsonpath="{['data']['ca\.crt']}"| base64 | tr -d '\n') root@ctrl:~# kubectl config set-cluster kubernetes --server=$SERVER --kubeconfig=config Cluster "kubernetes" set. root@ctrl:~# kubectl config set clusters.kubernetes.certificate-authority-data $ROOTCA --kubeconfig=config Property "clusters.kubernetes.certificate-authority-data" set. root@ctrl:~# kubectl config set-context kubernetes --cluster=$CLUSTER --user=serverworld --kubeconfig=config Context "kubernetes" created. 
root@ctrl:~# kubectl config set-credentials serverworld --client-certificate=kubernetes.crt --client-key=kubernetes.key --kubeconfig=config User "serverworld" set.
root@ctrl:~#
kubectl config use-context kubernetes --kubeconfig=config Switched to context "kubernetes". # give the following three files to any user root@ctrl:~# ll kubernetes.crt kubernetes.key config -rw------- 1 root root 1847 Aug 22 19:31 config -rw-r--r-- 1 root root 818 Aug 22 19:30 kubernetes.crt -rw------- 1 root root 302 Aug 22 19:29 kubernetes.key |
| [2] | Create a [.kube] directory under the home directory of the user who received the files and place the files there; that user can then use the Kubernetes cluster with the permissions of the role you set. |
|
# the received files are owned by the user; the key and kubeconfig are readable only by the owner (600)
debian@ctrl:~$ ll ~/.kube
total 12
-rw------- 1 debian debian 1847 Aug 22 19:34 config
-rw-r--r-- 1 debian debian 818 Aug 22 19:34 kubernetes.crt
-rw------- 1 debian debian 302 Aug 22 19:34 kubernetes.key
# kubectl reads [~/.kube/config] by default and authenticates with the client certificate
debian@ctrl:~$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
dlp.srv.world Ready control-plane 19m v1.33.4
node01.srv.world Ready <none> 13m v1.33.4
node02.srv.world Ready <none> 10m v1.33.4
|