Adding a user to k8s RBAC

Published 2017-12-01, https://andrewwippler.com/2017/12/01/adding-a-user-to-k8s-rbac/

In order to add a user to a Kubernetes cluster, we will need several things: kubectl, CA.crt and CA.key (found in your head node's /etc/kubernetes/pki folder), and openssl.

First, create a private key for the new user. In this example, we will name the file employee.key:

    openssl genrsa -out employee.key 2048

Next, we will need to create a certificate signing request, employee.csr, using the private key we just created (employee.key in this example). Make sure to specify your username and group in the -subj section (CN is for the username and O for the group).

    openssl req -new -key employee.key -out employee.csr -subj "/CN=username/O=developer"

Generate the final certificate, employee.crt, by approving the certificate signing request, employee.csr, you made earlier. In this example, the certificate will be valid for 90 days.

    openssl x509 -req -in employee.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out employee.crt -days 90

Give employee.crt, employee.key, and CA.crt to the new employee and have the employee follow the steps below.

    # Set up the cluster
    $ kubectl config set-cluster k8s.domain.tld --server https://api.k8s.domain.tld --certificate-authority /path/to/CA.crt --embed-certs=true

    # Set up the credentials (a.k.a. login information)
    $ kubectl config set-credentials <name> --client-certificate=/path/to/cert.crt --client-key=/path/to/cert.key --embed-certs=true

    # Bind login to server
    $ kubectl config set-context k8s.domain.tld --cluster=k8s.domain.tld --user=<name>
    # Optional: append `--namespace=<namespace>` to the command to set a default namespace.

Note: You may move the certificates to a safe location, since the commands included --embed-certs=true. This saved the certs in base64 format in the Kubernetes config.

Sometimes I post to my blog so I remember how to do a particular thing. This is one of those times.