New administrator user on Kubernetes

December 18, 2019 0 Comments Kubernetes, rbac, security, tls, openssl

Yay! Another fellow admin!

Hello guys,
in this tutorial I show and explain the commands used to issue a TLS client certificate for a new "admin" user on your Kubernetes cluster: the user generates a key and a CSR, an existing administrator has the cluster CA sign it through the CertificateSigningRequest API and binds a role to it, and the user builds a kubeconfig around the result.


 As requester

First of all, generate the user's private key. It stays on the requester's machine; only the CSR derived from it is handed out:

openssl genrsa -out sam.key 4096  

Create a file named sam.cnf

[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_ext

[ dn ]
CN = sam
O = administrators

[ v3_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth

This cnf file sets the username to "sam" (CN) and its group to "administrators" (O): Kubernetes takes the username from the certificate's Common Name and the groups from its Organization fields, so these two values are the whole identity. The extensions are the ones a TLS client certificate needs (client authentication, not server authentication or data encipherment). Note that the Kubernetes signer ignores the extensions requested in a CSR and applies the usages listed in the CertificateSigningRequest object instead, so this section only documents intent; default_bits is ignored too because we pass an existing 4096-bit key.

Create the CSR (certificate signing request) with

openssl req -config ./sam.cnf -new -key sam.key -nodes -out sam.csr  

Now give your sam.csr to a cluster administrator. The private key sam.key never leaves your machine.


 As an existing administrator

As a cluster administrator, wrap sam.csr in a CertificateSigningRequest object and submit it to the API server.

Create and apply the yaml

cat <<EOF | kubectl apply -f -  
apiVersion: certificates.k8s.io/v1beta1  
kind: CertificateSigningRequest  
metadata:  
  name: sam-request
spec:  
  groups:
  - system:authenticated
  request: $(cat sam.csr | base64 | tr -d '\n')
  usages:
  - client auth
EOF  

Note: apiVersion certificates.k8s.io/v1beta1 was current when this was written but was removed in Kubernetes 1.22; on 1.19 and later use certificates.k8s.io/v1, which additionally requires spec.signerName: kubernetes.io/kube-apiserver-client. The groups field above is only informational: the API server overwrites spec.groups (and spec.username) with the identity of whoever submitted the object.

Before approving, check the subject of the CSR you were handed: whatever CN and O it carries become the username and group of a cluster-admin, and Kubernetes has no certificate revocation, so a mistake here lasts until the certificate expires. Then approve the request using:

kubectl certificate approve sam-request  

Once the signer has issued it (status.certificate stays empty until then, so re-run if the file comes out empty), extract the certificate with this command:

kubectl get csr sam-request -o jsonpath='{.status.certificate}' | base64 --decode > sam.crt  

Now bind the ClusterRole cluster-admin to the user sam (as a reminder, the username is the certificate's CN). cluster-admin is unrestricted access to everything in the cluster, so hand it out sparingly and prefer a narrower role where one fits; binding the group instead (--group=administrators) would give the role to every certificate issued with O=administrators, which is convenient but widens the blast radius of a careless approval.

kubectl create clusterrolebinding sam-admin --clusterrole=cluster-admin --user=sam  

Again, as requester

Ask the administrator for ca.crt (the cluster CA certificate; on kubeadm clusters it is /etc/kubernetes/pki/ca.crt on a control-plane node) and sam.crt. Together with your sam.key they are all that is needed to build a kubeconfig.

Set cluster info

export CURRENT_PATH=$(pwd)  
kubectl config --kubeconfig=config-demo set-cluster development --server=https://yourendpoint:6443 --certificate-authority=$CURRENT_PATH/ca.crt

Set user info

kubectl config --kubeconfig=config-demo set-credentials sam --client-certificate=$CURRENT_PATH/sam.crt --client-key=$CURRENT_PATH/sam.key

Create new context "development"

kubectl config --kubeconfig=config-demo set-context development --cluster=development --user=sam  

Set current context

kubectl config --kubeconfig=config-demo use-context development  

Now everything should work using your new kubeconfig file!

kubectl get nodes --kubeconfig=$CURRENT_PATH/config-demo

If this fails with an Unauthorized error, the API server did not accept the client certificate (wrong CA in the kubeconfig, or a certificate not issued by the cluster CA); a Forbidden error means authentication worked but the ClusterRoleBinding is missing or names a user other than the certificate's CN.
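The whole procedure above as one script, added here as an example and not code from the original post. It uses the certificates.k8s.io/v1 API (Kubernetes 1.19 and later) with spec.signerName, and spec.expirationSeconds (1.22 and later) to keep the certificate short-lived since it cannot be revoked; the API server URL, the context name "development" and the environment variables RUN_ON_CLUSTER and CA_CRT are assumptions of this script. The offline part (key, CSR, subject and signature checks, manifest) runs anywhere with openssl; the cluster part runs only with RUN_ON_CLUSTER=1 and a kubeconfig that is already cluster-admin.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: the tutorial's steps as one
# script, with the checks an administrator should run before approving a CSR.
# Assumptions (not in the post): certificates.k8s.io/v1 (Kubernetes 1.19+),
# spec.expirationSeconds (1.22+), and the placeholder API server URL below.
set -euo pipefail

USER_NAME="${USER_NAME:-sam}"
GROUP_NAME="${GROUP_NAME:-administrators}"
API_SERVER="${API_SERVER:-https://yourendpoint:6443}"   # placeholder, as in the post
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# ---- requester side --------------------------------------------------------
# Key plus a CSR whose subject carries the Kubernetes identity: CN = username,
# O = group. No extension section is needed: the signer applies spec.usages.
gen_key_and_csr() {   # gen_key_and_csr <user> <group> <dir>
  openssl genrsa -out "$3/$1.key" 4096 2>/dev/null
  chmod 600 "$3/$1.key"
  openssl req -new -key "$3/$1.key" -subj "/CN=$1/O=$2" -out "$3/$1.csr"
}

# ---- administrator side: checks before approval ---------------------------
# The CSR's self-signature proves the requester holds the private key.
csr_verify() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# Refuse a CSR whose CN or O differ from the identity agreed on: a wrong O
# silently puts the user into another group (system:masters, say).
csr_has_subject() {   # csr_has_subject <csr> <cn> <o>
  local subj
  subj=$(openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  case ",$subj," in *",CN=$2,"*) ;; *) return 1 ;; esac
  case ",$subj," in *",O=$3,"*)  ;; *) return 1 ;; esac
}

# Base64 without line breaks, as the request field requires (macOS base64 has
# no -w0, so use tr).
csr_b64() { base64 < "$1" | tr -d '\n'; }

write_csr_manifest() {   # write_csr_manifest <user> <csr> <out.yaml>
  cat > "$3" <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1-request
spec:
  signerName: kubernetes.io/kube-apiserver-client
  request: $(csr_b64 "$2")
  expirationSeconds: 2592000   # 30 days: no revocation exists, keep it short (drop on <1.22)
  usages:
  - client auth
EOF
}

# Submit, approve, fetch the signed certificate and bind the role.
issue_with_kubectl() {   # issue_with_kubectl <user> <dir>
  local user="$1" dir="$2" i
  kubectl apply -f "$dir/$user-csr.yaml"
  kubectl certificate approve "$user-request"
  for i in $(seq 1 30); do   # status.certificate is filled asynchronously by the signer
    kubectl get csr "$user-request" -o jsonpath='{.status.certificate}' | base64 --decode > "$dir/$user.crt"
    [ -s "$dir/$user.crt" ] && break
    sleep 1
  done
  openssl x509 -in "$dir/$user.crt" -noout -subject -dates   # confirm identity and expiry
  kubectl create clusterrolebinding "$user-admin" --clusterrole=cluster-admin --user="$user"
}

# Self-contained kubeconfig: certificates embedded, so the single file is portable.
build_kubeconfig() {   # build_kubeconfig <user> <dir> <server> <ca.crt>
  local kc="$2/$1.kubeconfig"
  kubectl config --kubeconfig="$kc" set-cluster development --server="$3" --certificate-authority="$4" --embed-certs=true
  kubectl config --kubeconfig="$kc" set-credentials "$1" --client-certificate="$2/$1.crt" --client-key="$2/$1.key" --embed-certs=true
  kubectl config --kubeconfig="$kc" set-context development --cluster=development --user="$1"
  kubectl config --kubeconfig="$kc" use-context development
  chmod 600 "$kc"
  echo "$kc"
}

# The offline part always runs; the cluster part only when explicitly asked for.
gen_key_and_csr "$USER_NAME" "$GROUP_NAME" "$WORKDIR"
csr_verify "$WORKDIR/$USER_NAME.csr"
csr_has_subject "$WORKDIR/$USER_NAME.csr" "$USER_NAME" "$GROUP_NAME"
write_csr_manifest "$USER_NAME" "$WORKDIR/$USER_NAME.csr" "$WORKDIR/$USER_NAME-csr.yaml"
echo "key, CSR and manifest written to $WORKDIR"
if [ "${RUN_ON_CLUSTER:-0}" = "1" ]; then
  issue_with_kubectl "$USER_NAME" "$WORKDIR"
  build_kubeconfig "$USER_NAME" "$WORKDIR" "$API_SERVER" "${CA_CRT:?set CA_CRT=/path/to/ca.crt}"
fi
```

Run it as the requester to get sam.key, sam.csr and the manifest; run it with RUN_ON_CLUSTER=1 CA_CRT=/path/to/ca.crt from an admin context to do the signing, binding and kubeconfig in one go. The subject check is the one step worth keeping even if you do everything else by hand: it is the only point at which a wrong CN or O can still be refused.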

Cheers! :)


lock on banner by Technology vector created by rawpixel.com - www.freepik.com

Samuele Chiocca
Padova, Italy