[Kubernetes] How to create a user for cluster connection

*Kirimen (Osaka Juso)

Hello!
My name is Hide, the ramen king of Beyond Osaka Office.
This is my 14th post.

Last time, I wrote about how to configure basic authentication with Cloudflare Workers!
The settings are relatively easy, but a mistake in them can leave the site unviewable.
If you are interested, please check it out: it introduces the setup method in an easy-to-understand way so that nothing goes wrong.

How to do basic authentication with Cloudflare Workers

Overview

I want to create a separate user to connect to the Kubernetes cluster, but I don't know how...
I want to adjust the privileges given to users, but I really don't know how...
Oh? Is this already full?

Have you ever thought something like the above?
I also knew that it was possible to create a separate user to connect to the cluster, but the more I looked into it, the harder it got...
After a lot of trial and error I was finally able to create one, so if you want to create one too, please use this as a reference!
Let's try it!!

Precautions

This procedure does not cover basic Kubernetes concepts or resources.
Also, for managed Kubernetes clusters in each cloud such as EKS or GKE, the method for adding users may be different.
If you are operating Kubernetes in the cloud, please check each reference.

Procedure

1. Create and encode the key

1-1. Create the private key and the CSR

*Please enter your username in {UserName}

cd .kube/
openssl genrsa -out {UserName}.key 2048
openssl req -new -key {UserName}.key -out {UserName}.csr -subj "/CN={UserName}"

Example: If the username is example-test

openssl genrsa -out example-test.key 2048
openssl req -new -key example-test.key -out example-test.csr -subj "/CN=example-test"

1-2. Encode with base64

cat {UserName}.csr | base64 | tr -d "\n"

⇒ The encoded value is printed; make a note of it.

example:

[example-test@bastion01 ~]$ cat example-test.csr | base64 | tr -d "\n"
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

2. Apply and configure the created csr

2-1. Create a .yaml file

*Please enter the user name in {UserName}
*Please enter the encoded value in {EncodeValue}

vi {UserName}-csr.yaml

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: {UserName}
spec:
  request: {EncodeValue}
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth

example:

vi example-test-csr.yaml

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: example-test
spec:
  request: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth

2-2 Apply the .yaml file

kubectl apply -f {UserName}-csr.yaml

example:

[example-test@bastion01 ~]$ kubectl apply -f example-test-csr.yaml
certificatesigningrequest.certificates.k8s.io/example-test created

2-3. Check that it has been applied

*The status is Pending because the csr has not yet been approved
*Please note the value output under NAME

kubectl get csr

example:

[example-test@bastion01 ~]$ kubectl get csr
NAME           AGE   SIGNERNAME                            REQUESTOR                                  REQUESTEDDURATION   CONDITION
example-test   12s   kubernetes.io/kube-apiserver-client   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   <none>              Pending

2-4. Approve the csr

*Please enter the NAME value you recorded earlier in {CsrName}

kubectl certificate approve {CsrName}

example:

[example-test@bastion01 ~]$ kubectl certificate approve example-test
certificatesigningrequest.certificates.k8s.io/example-test approved

2-5. Check approval of the csr

*If the CONDITION column shows Approved, it is approved.

kubectl get csr

example:

[example-test@bastion01 ~]$ kubectl get csr
NAME           AGE   SIGNERNAME                            REQUESTOR                                  REQUESTEDDURATION   CONDITION
example-test   14m   kubernetes.io/kube-apiserver-client   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   <none>              Approved,Issued

2-6. Create the crt

*Please enter the NAME value you recorded earlier in {CsrName}
*Please enter your username in {UserName}; the {UserName}.crt file is used in step 3-1

kubectl get csr {CsrName} -o jsonpath='{.status.certificate}' | base64 -d > {UserName}.crt

3. Add User and Context

3-1. Add user and certificate information

*Please enter your username in {UserName}

kubectl config set-credentials {UserName} --client-key={UserName}.key --client-certificate={UserName}.crt --embed-certs=true

example:

[example-test@bastion01 ~]$ kubectl config set-credentials example-test --client-key=example-test.key --client-certificate=example-test.crt --embed-certs=true
User "example-test" set.

*The settings are automatically added to .kube/config as shown below.

cat ~/.kube/config

- name: example-test
  user:
    client-certificate-data: xxxxxxxxxxxxxxxxxxxxx
    client-key-data: xxxxxxxxxxxxxxxxxxxxxx

3-2. Remember the cluster name

cat ~/.kube/config

Example:
*name is the cluster name

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: xxxxxxxxxxxxxxxxxxxxxxx
    server: https://xxxxxxxxxxxxxxxxxxxxxxx
  name: xxxxxxxxxxxxxxx

3-3. Add to context

*Please enter the user name in {UserName}
*Please enter the value you wrote down earlier in {ClusterName}

kubectl config set-context {UserName} --cluster={ClusterName} --user={UserName}

example:

[example-test@bastion01 ~]$ kubectl config set-context example-test --cluster=xxxxxxxxxxxx --user=example-test
Context "example-test" created.

*The settings are automatically added to .kube/config as shown below.

contexts:
- context:
    cluster: xxxxxxxxxxx
    user: xxxxxxxxxxxxxx
  name: xxxxxxxxxxxxxxx
- context:
    cluster: xxxxxxxxxxxxxx
    user: example-test
  name: example-test

 

4. Grant permissions

When creating a new ClusterRole with the privileges you choose

1. Create a ClusterRole
*Please enter the cluster role name in {ClusterRoleName}
*Set {VerbName} and {ResourceName} by referring to the table below

kubectl create clusterrole {ClusterRoleName} --verb={VerbName} --resource={ResourceName}

*List of main resource names and verb names

Resource names: namespace, nodes, pods, services, ingress, secrets, configmaps

Verb name          Remarks
get                Get a resource
list               Get a list of resources
create             Create a resource
update             Update a resource
patch              Partially update a resource
delete             Delete a resource
deletecollection   Delete resources in bulk
watch              Monitor resource changes

Example: ReadOnly permission for Pods

[example-test@bastion01 ~]$ kubectl create clusterrole pod-readonly --verb=get,list,watch --resource=pods
clusterrole.rbac.authorization.k8s.io/pod-readonly created

2. Check the cluster role you created
*Please enter the cluster role name in {ClusterRoleName}

kubectl describe clusterrole {ClusterRoleName}

example:

[example-test@bastion01 ~]$ kubectl describe clusterrole pod-readonly
Name:         pod-readonly
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch]

3. Grant the privileges of the created cluster role to the user
*Please enter the cluster role binding name in {ClusterRoleBindingName}
*Please enter the cluster role name in {ClusterRoleName}
*Please enter the user name in {UserName}

kubectl create clusterrolebinding {ClusterRoleBindingName} --clusterrole={ClusterRoleName} --user={UserName}

example:

[example-test@bastion01 ~]$ kubectl create clusterrolebinding pod-readonly-binding --clusterrole=pod-readonly --user=example-test
clusterrolebinding.rbac.authorization.k8s.io/pod-readonly-binding created

4. Check that the permissions were granted
*If Subjects contains the user name specified with --user, there is no problem

kubectl describe clusterrolebinding {ClusterRoleBindingName}

example:

[example-test@bastion01 ~]$ kubectl describe clusterrolebinding pod-readonly-binding
Name:         pod-readonly-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  pod-readonly-binding
Subjects:
  Kind  Name          Namespace
  ----  ----          ---------
  User  example-test

When giving a predefined cluster role

1. Grant the privileges of a predefined cluster role to the user
*Please enter the cluster role binding name in {ClusterRoleBindingName}
*Please enter the cluster role name in {ClusterRoleName}
*Please enter the user name in {UserName}

kubectl create clusterrolebinding {ClusterRoleBindingName} --clusterrole={ClusterRoleName} --user={UserName}

example:

[example-test@bastion01 ~]$ kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=example-test
clusterrolebinding.rbac.authorization.k8s.io/cluster-admin-binding created

*List of predefined cluster roles

cluster-admin (default ClusterRoleBinding: system:masters group)
Allows superuser access to perform any action on any resource. When used in a ClusterRoleBinding, it gives full control over every resource in the cluster and in all namespaces. When used in a RoleBinding, it gives full control over every resource in the RoleBinding's namespace, including the namespace itself.

admin (default ClusterRoleBinding: none)
Grants administrator access, intended to be granted within a namespace using a RoleBinding. When used in a RoleBinding, it allows read/write access to most resources in the namespace, including the ability to create Roles and RoleBindings within the namespace. It does not grant write access to resource quotas or to the namespace itself.

edit (default ClusterRoleBinding: none)
Allows read/write access to most objects in a namespace. It does not allow viewing or modifying Roles or RoleBindings. However, it can read Secrets and run Pods as any ServiceAccount in the namespace, so it can be used to obtain the API access level of any ServiceAccount in the namespace.

view (default ClusterRoleBinding: none)
Grants read-only access to most objects in a namespace. It does not allow viewing Roles or RoleBindings. It does not allow viewing Secrets, because reading the contents of Secrets gives access to the namespace's ServiceAccount credentials, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation).

・Reference materials
Use RBAC authorization
https://kubernetes.io/ja/docs/reference/access-authn-authz/rbac/

2. Confirm that the permissions were granted.
*If Subjects contains the user name specified with --user, there is no problem.

kubectl describe clusterrolebinding {ClusterRoleBindingName}

example:

[example-test@bastion01 ~]$ kubectl describe clusterrolebinding cluster-admin-binding
Name:         cluster-admin-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind  Name          Namespace
  ----  ----          ---------
  User  example-test

5. Operation confirmation

5-1. Change context

*Please enter the user name in {UserName}
*This switches the user that kubectl uses.

kubectl config use-context {UserName}

example:

[example-test@bastion01 ~]$ kubectl config use-context example-test
Switched to context "example-test".

5-2. Confirm the context (current user)

kubectl config current-context

example:

[example-test@bastion01 ~]$ kubectl config current-context
example-test

5-3. Execute a command with kubectl

*If ReadOnly permission was given for Pods, the result is as follows.

[example-test@bastion01 ~]$ kubectl get po
NAME         READY   STATUS   RESTARTS   AGE
xxxx-f5p2t   1/1     Ready    0          261d

[example-test@bastion01 ~]$ kubectl get node
Error from server (Forbidden): nodes is forbidden: User "example-test" cannot list resource "nodes" in API group "" at the cluster scope
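Step 5-3 checks two things by hand (Pods allowed, nodes forbidden). As an added example that is not from the original article, the script below generalizes that check into a small policy matrix and runs it with `kubectl auth can-i --as=<user>`, which asks the API server the same question the user's own kubectl would, without switching contexts. It checks the denials as well as the permissions, including the Secrets and RBAC objects the cluster-role table above warns about, so an over-broad binding from step 4 shows up as a FAIL line. The names can_i, audit_user, POD_READONLY_POLICY, KUBECTL and K8S_AUDIT_USER are my own; the policy lines are constructed for the pod-readonly example.

```shell
#!/bin/sh
# Added example, not part of the original article: after step 4 has bound a
# ClusterRole to the new user, confirm the user can do exactly what was intended
# and nothing more, using `kubectl auth can-i --as=<user>` from the admin context.
set -eu

# KUBECTL can be pointed at a wrapper or stub so the logic can be exercised offline.
KUBECTL="${KUBECTL:-kubectl}"

# Intended policy: "verb resource expected" per line; yes = must be allowed,
# no = must be forbidden. Constructed for the pod-readonly example from step 4.
POD_READONLY_POLICY='
get pods yes
list pods yes
watch pods yes
delete pods no
list nodes no
list secrets no
create clusterrolebindings no
'

# Ask the API server whether USER may VERB RESOURCE across all namespaces.
# Prints "yes" or "no" (a non-zero exit from can-i means "no").
can_i() {
  local user="$1" verb="$2" resource="$3" ans
  ans="$("$KUBECTL" auth can-i "$verb" "$resource" --as="$user" --all-namespaces 2>/dev/null || true)"
  case "$ans" in
    yes*) echo yes ;;
    *) echo no ;;
  esac
}

# Compare the live answers with the policy. Prints one line per check and
# returns the number of mismatches, so 0 means the binding matches the intent.
audit_user() {
  local user="$1" policy="$2" mismatches=0 verb resource expected actual
  while read -r verb resource expected; do
    [ -n "$verb" ] || continue
    actual="$(can_i "$user" "$verb" "$resource")"
    if [ "$actual" = "$expected" ]; then
      printf 'OK    %-8s %-22s %s\n' "$verb" "$resource" "$actual"
    else
      printf 'FAIL  %-8s %-22s expected=%s actual=%s\n' "$verb" "$resource" "$expected" "$actual"
      mismatches=$((mismatches + 1))
    fi
  done <<EOF
$policy
EOF
  return "$mismatches"
}

# Run against the real cluster from the admin context, before step 5-1 switches
# contexts:  K8S_AUDIT_USER=example-test sh audit-user.sh
if [ -n "${K8S_AUDIT_USER:-}" ]; then
  audit_user "$K8S_AUDIT_USER" "$POD_READONLY_POLICY"
fi
```

Run it from the admin context rather than the new user's: `--as` impersonation requires the caller to be allowed the impersonate verb on users, which cluster-admin has and pod-readonly does not. The exit status is the number of mismatches, so the script drops straight into a CI job or a post-change checklist.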
 

Summary

How was it?
Once you create a user to connect to your Kubernetes cluster, you can manage user privileges freely.
Reusing a user with cluster-admin privileges can lead to unexpected accidents during operation, so if several people operate the cluster, we recommend creating users in much the same way as you would create Linux users!
Please refer to this article when operating Kubernetes!


About the author

Hide@Infrastructure Engineer

It all started with a very interesting interview.
A mid-career employee of the System Solutions Department in Osaka. My job is to build and operate servers and clouds!
I have the qualifications of LPIC1, AWS SAA, and OCI Architect Associate.

Actually, I love ramen and have investigated over 100 stores in Osaka (。-∀-) I'm striving to become the Ramen King of Nibi Beyond!

I'm also on Twitter, so please follow me (´∇`)
Click on the Twitter mark in the right corner!!