[Kubernetes] How to create a user for cluster connection
Hello!
My name is Hide, the ramen king of Beyond Osaka Office.
This is my 14th post.
Last time, I wrote about how to configure basic authentication with Cloudflare Workers!
The settings are relatively easy, but if you get them wrong you may no longer be able to view the site.
If you are interested, please check it out: it explains the setup in an easy-to-understand way so that nothing goes wrong.
Overview
I want to create a separate user to connect to the Kubernetes cluster, but I don't know how...
I want to adjust the privileges given to users, but I really don't know how...
Oh? Is this already full?
Have you ever thought anything like the above?
I also knew that it was possible to create a separate user to connect to the cluster, but the more I looked into it, the harder it seemed...
After a lot of trial and error, I was finally able to create one, so if you want to do the same, please use this as a reference!
Let's try it!
Precautions
This procedure does not cover basic Kubernetes concepts or resources.
Also, for managed Kubernetes clusters in each cloud such as EKS or GKE, the method for adding users may be different.
If you are operating Kubernetes in the cloud, please check each reference.
Procedure
1. Create and encode the key
1-1. Create a private key and a CSR (the CSR carries the public key)
*Please enter your username in {UserName}
cd .kube/
openssl genrsa -out {UserName}.key 2048
openssl req -new -key {UserName}.key -out {UserName}.csr -subj "/CN={UserName}"
Example: If the username is example-test
openssl genrsa -out example-test.key 2048
openssl req -new -key example-test.key -out example-test.csr -subj "/CN=example-test"
1-2. Encode with base64
cat {UserName}.csr | base64 | tr -d "\n"
⇒ The encoded value will be output, so make a note of it.
Example:
[example-test@bastion01 ~]$ cat example-test.csr | base64 | tr -d "\n"
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2. Apply and configure the created CSR
2-1. Create a .yaml file
*Please enter the user name in {UserName}
*Please enter the encoded value in {EncodeValue}
vi {UserName}-csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: {UserName}
spec:
  request: {EncodeValue}
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
Example:
vi example-test-csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: example-test
spec:
  request: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
2-2. Apply the .yaml file
kubectl apply -f {UserName}-csr.yaml
Example:
[example-test@bastion01 ~]$ kubectl apply -f example-test-csr.yaml
certificatesigningrequest.certificates.k8s.io/example-test created
2-3. Check that it has been applied
*The status is Pending because the CSR has not been approved yet.
*Make a note of the value shown under NAME.
kubectl get csr
Example:
[example-test@bastion01 ~]$ kubectl get csr
NAME           AGE   SIGNERNAME                            REQUESTOR                                                                                 REQUESTEDDURATION   CONDITION
example-test   12s   kubernetes.io/kube-apiserver-client   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   <none>              Pending
2-4. Approve the CSR
*Please enter the NAME value you recorded earlier in {CsrName}
kubectl certificate approve {CsrName}
Example:
[example-test@bastion01 ~]$ kubectl certificate approve example-test
certificatesigningrequest.certificates.k8s.io/example-test approved
2-5. Check approval of the CSR
*If the CONDITION column shows Approved,Issued, the certificate has been issued.
kubectl get csr
Example:
[example-test@bastion01 ~]$ kubectl get csr
NAME           AGE   SIGNERNAME                            REQUESTOR                                                                                 REQUESTEDDURATION   CONDITION
example-test   14m   kubernetes.io/kube-apiserver-client   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   <none>              Approved,Issued
2-6. Create the crt
*Please enter the NAME value you recorded earlier in {CsrName}
*The output file is the user's client certificate, so name it after the user ({UserName}.crt) to match the key created in step 1-1
kubectl get csr {CsrName} -o jsonpath='{.status.certificate}' | base64 -d > {UserName}.crt
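As an added example (not code from the original post), the following script packages steps 1-1 through 2-2 into two shell functions: one renders the CSR manifest from the CSR file and sets an explicit certificate lifetime with spec.expirationSeconds (a field the post's manifest does not set), and one verifies that the CSR's CN matches the intended user before the CSR is submitted, because that CN is the user name every RBAC binding later refers to. The function names, the 86400-second lifetime and the "run" guard are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: renders the CertificateSigningRequest
# manifest from steps 1-2 and checks the CSR subject before it is submitted.
# Assumes the key and CSR were created with openssl as in step 1-1; function names,
# the sample lifetime and the "run" guard are this example's own.
set -eu

# $1 = username, $2 = path to the PEM CSR, $3 = optional lifetime in seconds.
# spec.expirationSeconds is a certificates.k8s.io/v1 field the post does not set,
# so there the signer's default lifetime applies.
csr_manifest() {
    user=$1; csr_file=$2; expiry=${3:-86400}
    encoded=$(base64 < "$csr_file" | tr -d '\n')   # same encoding as step 1-2
    cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $user
spec:
  request: $encoded
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: $expiry
  usages:
  - client auth
EOF
}

# The CN of the CSR becomes the Kubernetes user name that RBAC bindings refer to,
# so a CSR whose subject does not match the intended user must not be approved.
check_csr_cn() {
    user=$1; csr_file=$2
    subject=$(openssl req -in "$csr_file" -noout -subject)   # "subject=CN = x" or "subject=/CN=x"
    case "$subject" in
        *"CN = $user"|*"CN=$user") return 0 ;;   # exact match on the final CN
        *) echo "CN mismatch: wanted $user, got: $subject" >&2; return 1 ;;
    esac
}

# Usage with the post's example user; only runs when invoked as "sh script.sh run".
if [ "${1:-}" = "run" ]; then
    u=example-test
    openssl genrsa -out "$u.key" 2048 2>/dev/null
    openssl req -new -key "$u.key" -out "$u.csr" -subj "/CN=$u"
    check_csr_cn "$u" "$u.csr"
    csr_manifest "$u" "$u.csr" > "$u-csr.yaml"   # then: kubectl apply -f example-test-csr.yaml
fi
```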
3. Add User and Context
3-1. Add the user and certificate information
*Please enter your username in {UserName}
kubectl config set-credentials {UserName} --client-key={UserName}.key --client-certificate={UserName}.crt --embed-certs=true
Example:
[example-test@bastion01 ~]$ kubectl config set-credentials example-test --client-key=example-test.key --client-certificate=example-test.crt --embed-certs=true
User "example-test" set.
*The settings are automatically added to .kube/config as shown below.
cat ~/.kube/config
users:
- name: example-test
  user:
    client-certificate-data: xxxxxxxxxxxxxxxxxxxxx
    client-key-data: xxxxxxxxxxxxxxxxxxxxxx
3-2. Note the cluster name
cat ~/.kube/config
Example:
*name is the cluster name
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: xxxxxxxxxxxxxxxxxxxxxxx
    server: https://xxxxxxxxxxxxxxxxxxxxxxx
  name: xxxxxxxxxxxxxxx
3-3. Add the context
*Please enter the user name in {UserName}
*Please enter the cluster name you noted earlier in {ClusterName}
kubectl config set-context {UserName} --cluster={ClusterName} --user={UserName}
Example:
[example-test@bastion01 ~]$ kubectl config set-context example-test --cluster=xxxxxxxxxxxx --user=example-test
Context "example-test" created.
*The settings are automatically added to .kube/config as shown below.
contexts:
- context:
    cluster: xxxxxxxxxxx
    user: xxxxxxxxxxxxxx
  name: xxxxxxxxxxxxxxx
- context:
    cluster: xxxxxxxxxxxxxx
    user: example-test
  name: example-test
4. Grant permissions
When creating a new cluster role and giving it privileges of your choice
1. Create a ClusterRole
*Please enter the cluster role name in {ClusterRoleName}
*Set {VerbName} and {ResourceName} by referring to the tables below
kubectl create clusterrole {ClusterRoleName} --verb={VerbName} --resource={ResourceName}
*List of main resource names and verb names
Resource name | namespace | nodes | pods | services | ingress | secrets | configmaps
Verb name | Remarks
get | Get a single resource
list | Get a list of resources
create | Create a resource
update | Update a resource
patch | Partially update a resource
delete | Delete a resource
deletecollection | Delete resources in bulk
watch | Monitor changes to a resource
Example: ReadOnly permission for Pods
[example-test@bastion01 ~]$ kubectl create clusterrole pod-readonly --verb=get,list,watch --resource=pods
clusterrole.rbac.authorization.k8s.io/pod-readonly created
2. Check the cluster role you created
*Please enter the cluster role name in {ClusterRoleName}
kubectl describe clusterrole {ClusterRoleName}
Example:
[example-test@bastion01 ~]$ kubectl describe clusterrole pod-readonly
Name:         pod-readonly
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch]
3. Grant the created cluster role to the user
*Please enter the cluster role binding name in {ClusterRoleBindingName}
*Please enter the cluster role name in {ClusterRoleName}
*Please enter the user name in {UserName}
kubectl create clusterrolebinding {ClusterRoleBindingName} --clusterrole={ClusterRoleName} --user={UserName}
Example:
[example-test@bastion01 ~]$ kubectl create clusterrolebinding pod-readonly-binding --clusterrole=pod-readonly --user=example-test
clusterrolebinding.rbac.authorization.k8s.io/pod-readonly-binding created
4. Confirm that the permissions were granted
*If Subjects contains the user name you specified in --user, the binding is correct
kubectl describe clusterrolebinding {ClusterRoleBindingName}
Example:
[example-test@bastion01 ~]$ kubectl describe clusterrolebinding pod-readonly-binding
Name:         pod-readonly-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  pod-readonly
Subjects:
  Kind  Name          Namespace
  ----  ----          ---------
  User  example-test
When granting a predefined cluster role
1. Grant a predefined cluster role to the user
*Please enter the cluster role binding name in {ClusterRoleBindingName}
*Please enter the cluster role name in {ClusterRoleName}
*Please enter the user name in {UserName}
kubectl create clusterrolebinding {ClusterRoleBindingName} --clusterrole={ClusterRoleName} --user={UserName}
Example:
[example-test@bastion01 ~]$ kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=example-test
clusterrolebinding.rbac.authorization.k8s.io/cluster-admin-binding created
*List of predefined cluster roles
Default ClusterRole | Default ClusterRoleBinding | Description
cluster-admin | system:masters group | Allows superuser access to perform any action on any resource. When used in a ClusterRoleBinding, it gives full control over every resource in the cluster and in all namespaces. When used in a RoleBinding, it gives full control over every resource in the RoleBinding's namespace, including the namespace itself.
admin | None | Grants administrator access, intended to be granted within a namespace using a RoleBinding. When used in a RoleBinding, it allows read/write access to most resources in the namespace, including the ability to create Roles and RoleBindings within the namespace. This role does not grant write access to resource quotas or to the namespace itself.
edit | None | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying Roles or RoleBindings. However, this role can access Secrets and run Pods as any ServiceAccount in the namespace, so it can be used to obtain the API access level of any ServiceAccount in the namespace.
view | None | Allows read-only access to most objects in a namespace. It does not allow viewing Roles or RoleBindings. This role does not allow viewing Secrets, because reading the contents of Secrets gives access to the namespace's ServiceAccount credentials, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation).
2. Confirm that the permissions were granted
*If Subjects contains the user name you specified in --user, the binding is correct.
kubectl describe clusterrolebinding {ClusterRoleBindingName}
Example:
[example-test@bastion01 ~]$ kubectl describe clusterrolebinding cluster-admin-binding
Name:         cluster-admin-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind  Name          Namespace
  ----  ----          ---------
  User  example-test
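The pod-readonly ClusterRole created in step 4 gives example-test read access to Pods in every namespace. As an added example (not from the original post), the script below scopes the same grant to a single namespace with a Role and RoleBinding, validates the verbs against the table in step 4 before anything is applied, and then confirms the result with kubectl auth can-i --as, which answers the step 5 check without switching contexts. The function names and the "dev" namespace are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a namespace-scoped version of the
# pod-readonly grant from step 4, with the verbs checked against the post's table.
# Function names and the "dev" namespace are this example's own assumptions.
set -eu
KNOWN_VERBS="get list create update patch delete deletecollection watch"

# Return non-zero if any comma-separated verb in $1 is not in the known list.
validate_verbs() {
    for v in $(printf '%s' "$1" | tr ',' ' '); do
        case " $KNOWN_VERBS " in
            *" $v "*) ;;
            *) echo "unknown verb: $v" >&2; return 1 ;;
        esac
    done
}

# Turn "a,b" into "a", "b" for a YAML flow-style list.
quote_list() {
    out=""
    for item in $(printf '%s' "$1" | tr ',' ' '); do out="${out:+$out, }\"$item\""; done
    printf '%s' "$out"
}

# Render a Role and its RoleBinding: $1 name, $2 namespace, $3 user, $4 verbs, $5 resources.
role_manifest() {
    validate_verbs "$4" || return 1
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: $1, namespace: $2}
rules:
- apiGroups: [""]
  resources: [$(quote_list "$5")]
  verbs: [$(quote_list "$4")]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: $1-binding, namespace: $2}
subjects:
- {kind: User, name: $3, apiGroup: rbac.authorization.k8s.io}
roleRef: {kind: Role, name: $1, apiGroup: rbac.authorization.k8s.io}
EOF
}

# Usage from an admin context: apply, then confirm the grant with impersonation
# checks (the step 5 test without switching context; can-i only reports yes/no).
if [ "${1:-}" = "run" ]; then
    role_manifest pod-readonly dev example-test get,list,watch pods | kubectl apply -f -
    kubectl auth can-i list pods -n dev --as example-test          # yes
    kubectl auth can-i list pods -n kube-system --as example-test  # no
fi
```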
5. Operation confirmation
5-1. Change the context
*Please enter the user name in {UserName}
*This switches the user that kubectl will use from here on.
kubectl config use-context {UserName}
Example:
[example-test@bastion01 ~]$ kubectl config use-context example-test
Switched to context "example-test".
5-2. Confirm the context (current user)
kubectl config current-context
Example:
[example-test@bastion01 ~]$ kubectl config current-context
example-test
5-3. Run commands with kubectl
*If the user was given ReadOnly permission on Pods, the results look like this: listing Pods succeeds, while listing nodes is denied.
[example-test@bastion01 ~]$ kubectl get po
NAME         READY   STATUS   RESTARTS   AGE
xxxx-f5p2t   1/1     Ready    0          261d
[example-test@bastion01 ~]$ kubectl get node
Error from server (Forbidden): nodes is forbidden: User "example-test" cannot list resource "nodes" in API group "" at the cluster scope
Summary
How was it?
Once you create a user to connect to your Kubernetes cluster, you can manage that user's privileges freely.
Reusing a single user with cluster-admin privileges may lead to unexpected accidents during operation, so
if several people operate the cluster, we recommend creating individual users, just as you would create separate Linux users!
Please use this as a reference when operating Kubernetes!