New administrator user on Kubernetes

December 18, 2019 Kubernetes, rbac, security, tls, openssl, english

Yay! Another fellow admin!

Hello guys,
in this tutorial I show and explain commands used to generate new TLS certificates for a new "admin" on your Kubernetes cluster.

 As requester

First of all, generate a private key for the user:

openssl genrsa -out sam.key 4096  

Create a file named sam.cnf

[ req ]
default_bits = 2048  
prompt = no  
default_md = sha256  
distinguished_name = dn

[ dn ]
CN = sam  
O = administrators

[ v3_ext ]

This cnf file sets the user name to "sam" (CN).

Create the csr file with:

openssl req -config ./sam.cnf -new -key sam.key -nodes -out sam.csr  

Now give your sam.csr to a system administrator.

 As an existing administrator

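As a system administrator, you should create a CertificateSigningRequest object from the csr file.

Create it from this YAML (on Kubernetes 1.22 and later, use apiVersion certificates.k8s.io/v1 and add signerName: kubernetes.io/kube-apiserver-client under spec):

cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: sam-request
spec:
  groups:
  - system:authenticated
  request: $(cat sam.csr | base64 | tr -d '\n')
  usages:
  - client auth
EOF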

Then, approve request using:

kubectl certificate approve sam-request  

Now you can extract crt with this command:

kubectl get csr sam-request -o jsonpath='{.status.certificate}' | base64 --decode > sam.crt  

Now bind the cluster-admin ClusterRole to the user sam (as a reminder, the user name sam comes from the CN):

kubectl create clusterrolebinding sam-admin --clusterrole=cluster-admin --user=sam  
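
Because Kubernetes takes the user name from the CN and the groups from each O, the administrator can check which identity sam.csr really asks for before running the approve step above. The script below is an added example, not part of the original post; the function names, the file name review-csr.sh and the two sample subjects are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): review the identity in a CSR
# before running `kubectl certificate approve`.

# Print the CSR subject, one attribute per line (needs the openssl CLI).
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt multiline
}

# Read multiline subject text on stdin, print every value of attribute $1.
subject_values() {
    sed -n "s/^ *$1 *= *//p"
}

# check_subject EXPECTED_CN  -- subject text on stdin.
# Returns 0 only if CN is exactly the expected user and neither CN nor any
# O (group) uses the reserved "system:" prefix, e.g. system:masters.
check_subject() {
    subject=$(cat)
    cn=$(printf '%s\n' "$subject" | subject_values commonName)
    orgs=$(printf '%s\n' "$subject" | subject_values organizationName)
    if [ "$cn" != "$1" ]; then
        echo "REJECT: CN '$cn' is not the expected user '$1'" >&2
        return 1
    fi
    if printf '%s\n%s\n' "$cn" "$orgs" | grep -q '^system:'; then
        echo "REJECT: subject uses a reserved system: name" >&2
        return 1
    fi
    echo "OK: user=$cn groups=$(printf '%s' "$orgs" | tr '\n' ',')"
}

# Constructed sample subjects in the `-nameopt multiline` layout.
SAMPLE_GOOD='subject=
    commonName                = sam
    organizationName          = administrators'
SAMPLE_BAD='subject=
    commonName                = sam
    organizationName          = administrators
    organizationName          = system:masters'

# Real use: sh review-csr.sh sam.csr sam
if [ $# -eq 2 ]; then
    csr_subject "$1" | check_subject "$2"
fi
```

A CSR with more than one CN fails the exact-match test and is rejected as well.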

Again, as requester

Ask the administrators to send you ca.crt and sam.crt so you can generate your kubeconfig.

Set cluster info

export CURRENT_PATH=$(pwd)
kubectl config --kubeconfig=config-demo set-cluster development --server=https://yourendpoint:6443 --certificate-authority="$CURRENT_PATH/ca.crt"

Set user info

kubectl config --kubeconfig=config-demo set-credentials sam --client-certificate="$CURRENT_PATH/sam.crt" --client-key="$CURRENT_PATH/sam.key"

Create new context "development"

kubectl config --kubeconfig=config-demo set-context development --cluster=development --user=sam  

Set current context

kubectl config --kubeconfig=config-demo use-context development  

Now everything should work using your new kubeconfig file!

kubectl get nodes --kubeconfig=/Volumes/Data/Nutellino/terraform/cka/sam-crt/config-demo  

Cheers! :)


Samuele Chiocca
Padova, Italy
Kubernetes Engineer @SIGHUP