{"id":540,"date":"2017-12-01T07:00:36","date_gmt":"2017-12-01T15:00:36","guid":{"rendered":"http:\/\/andrewwippler.com\/?p=540"},"modified":"2017-11-30T13:31:13","modified_gmt":"2017-11-30T21:31:13","slug":"adding-a-user-to-k8s-rbac","status":"publish","type":"post","link":"https:\/\/andrewwippler.com\/2017\/12\/01\/adding-a-user-to-k8s-rbac\/","title":{"rendered":"Adding a user to k8s RBAC"},"content":{"rendered":"<p>In order to add a user to a kubernetes cluster, we will need several things: kubectl,\u00a0CA.crt and CA.key (found in your head node&#8217;s <code>\/etc\/kubernetes\/pki<\/code> folder), and openssl.<\/p>\n<p>First, create a private key for the new user. In this example, we will name the file employee.key:<\/p>\n<pre><code>openssl genrsa -out employee.key 2048<\/code><\/pre>\n<p>Next, we will need to create a certificate sign request &#8211; employee.csr &#8211; using the private key we just created (employee.key in this example). Make sure to specify your username and group in the <code>-subj<\/code> section (CN is for the username and O for the group).<\/p>\n<pre><code>openssl req -new -key employee.key -out employee.csr -subj \"\/CN=username\/O=developer\"<\/code><\/pre>\n<p>Generate the final certificate employee.crt by approving the certificate sign request, employee.csr, you made earlier. In this example, the certificate will be valid for 90 days.<\/p>\n<pre><code>openssl x509 -req -in employee.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out employee.crt -days 90<\/code><\/pre>\n<p>Give <strong>employee.crt<\/strong>,<strong> employee.key<\/strong>, and <strong>CA.crt<\/strong> to the new employee and have the employee follow the below steps.<\/p>\n<pre><code># Set up the cluster\n$ kubectl config set-cluster k8s.domain.tld --server https:\/\/api.k8s.domain.tld --certificate-authority \/path\/to\/CA.crt --embed-certs=true\n\n# Set up the credentials (a.k.a login information)\n$ kubectl config set-credentials &lt;name&gt; --client-certificate=\/path\/to\/cert.crt --client-key=\/path\/to\/cert.key --embed-certs=true\n\n# bind login to server\n$ kubectl config set-context k8s.domain.tld --cluster= k8s.domain.tld --user=&lt;name&gt;\n# Optional: append `--namespace=&lt;namespace&gt;` to the command to set a default namespace.<\/code><\/pre>\n<p><em>Note<\/em>: You may move the certificates to a safe location since the commands included <code>--embed-certs=true<\/code>. This saved the certs in base64 format in the kubernetes config.<\/p>\n<p>Sometimes I post to my blog so I remember how to do a particular thing. This is one of those times.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In order to add a user to a kubernetes cluster, we will need several things: kubectl,\u00a0CA.crt and CA.key (found in your head node&#8217;s \/etc\/kubernetes\/pki folder), and openssl. First, create a private key for the new user. In this example, we will name the file employee.key: openssl genrsa -out employee.key 2048 Next, we will need to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[6],"tags":[75,83,52],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/posts\/540"}],"collection":[{"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/comments?post=540"}],"version-history":[{"count":3,"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/posts\/540\/revisions"}],"predecessor-version":[{"id":543,"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/posts\/540\/revisions\/543"}],"wp:attachment":[{"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/media?parent=540"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/categories?post=540"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/tags?post=540"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}