Your cart is currently empty!
Kubernetes: User Authorization with Certificate
Generate a private key:
Shell
x
1
1
openssl genrsa -out newuser.key 2048Generate a certificate signing request (csr) from private key:
CN is the user, O is the group.
Shell
1
1
1
openssl req -new -key newuser.key -out newuser.csr -subj "/CN=user/O=dev/O=ops"We create CertificateSigningRequest to Kubernetes:
.spec.signerName read here.
YAML
1
13
13
1
apiVersioncertificates.k8s.io/v12
kindCertificateSigningRequest3
metadata4
namenewuser5
spec6
requestLS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVN...7
signerNamekubernetes.io/kube-apiserver-client8
usages9
client auth10
# Below this is not required11
expirationSeconds864000 # one day, default is one year 12
groups13
system:authenticatedOnce you send the CSR, you can query it with:
Shell
1
1
1
kubectl get csrNow Admin will approve/deny the CSR:
Shell
1
2
1
kubectl certificate approve newuser2
kubectl certificate deny newuserOnce you got approved, fetch the signed certificate and wrap in base64:
Shell
1
1
1
kubectl get csr/newuser -o jsonpath='{.status.certificate}' | base64 -d > newuser.crtUsing HTTP request:
Shell
1
1
1
curl https://<kubernetes-ip>:<kubernetes-port>/api --cert newuser.crt --key newuser.key --insecureUsing Kubeconfig:
Shell
1
1
1
kubectl config set-credentials newuser --client-key=newuser.key --client-certificate=newuser.crt --embed-certs=trueSet a new context:
Shell
1
1
1
kubectl config set-context newuser --current --user=newuserSwitch to new context:
Shell
1
1
1
kubectl config use-context newuserAt this point you should be able to access resources allowed by Role and RoleBinding for this user.
References: