Kubernetes generate user account and config

19 Apr 2021 / Mihai Nueleanu


How do you generate a kubernetes user account? How do you get access to your kubernetes cluster? How can you generate a kubernetes config file?

Intuitively, this should be pretty simple. However, in practice, the process is quite a bit convoluted.

However, I have automated it for myself. Below is the script, responsible for issuing cluster access, together with a kube config file, from start to finish.


How to use it:

The Script

# This script is responsible for issuing a cluster access 
# config file, which can afterwards be used by users or
# service integrations (such as github actions)

# Generate a key and a certificate signing request
# Hint: The CN field is important
openssl genrsa -out myuser.key 2048
openssl req -new -key myuser.key \
-subj "/C=DK/ST=DK/O=''/CN=myuser" \
-out myuser.csr

# Extract the certificate signing request
REQ=$(cat myuser.csr | base64 | tr -d "\n")

# Create a Kubernetes CSR object
# and approve it
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
name: myuser
- system:authenticated
request: $REQ
signerName: kubernetes.io/kube-apiserver-client
- client auth

kubectl get csr
kubectl certificate approve myuser

# Extract the kubernetes-approved signed certificate
kubectl get csr myuser -o jsonpath='{.status.certificate}'| base64 -d > myuser.crt

# Create the user role role (with the appropriate access levels)
# and bind the user to the role
kubectl create role myuser --verb="*" --namespace pr-env \
--resource=pod \
--resource=service \
--resource=configmap \
--resource=secret \
--resource=ingress \
--resource=daemonset \
--resource=replicaset \
--resource=deployment \
kubectl create rolebinding myuser-binding --role=myuser --user=myuser

# Cleanup the Kubernetes CSR
kubectl delete csr myuser

# Extract config locally, into your config file
# Location: ~/.kube/config
kubectl config set-credentials myuser --client-key=myuser.key --client-certificate=myuser.crt --embed-certs=true
kubectl config set-context myuser --cluster=kubernetes --user=myuser
kubectl config use-context myuser

The test

As soon as you have generate the new context, and it has been activated locally, run a test command, such as:

kubectl get nodes
kubectl get pods
kubectl get services

Note: the script is written in a very bare-bones and simple way, so that it's easy to understand and modify for you own purposes.

Read more

#user account
Clap Claps



I'm Mihai, the founder of dotmethod - a software development company based in 🇩🇰 Copenhagen.

GitHub Resume Contact Uses