Create User
Create Certificate
Get Certificate Key
openssl genrsa -out <USER>.key 2048Create CertificateSingningRequset file
openssl req -new -key <USER>.key -subj "/CN=<USER>" -out <USER>.csrbase64 <USER>.csr -w 0Create CSR Kubernetes Resource
<USER>-csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: <USER>
spec:
request: <BASE64 .csr file>
signerName: kubernetes.io/kube-apiserver-client
usages:
- client auth
Apply CertificateSingningRequset
kubectl apply -f <USER>-csr.yamlApprove CertificateSingningRequset
kubectl certificate approve <USER>Get info of your CSR
kubectl get csrGet Sertificate
kubectl get csr <USER> -o yaml | grep certificate: | cut -c 16- | base64 --decode > <USER>.crtCreate kubeconfig file
Get certificate-authority-data (CAD)
kubectl config view --flatten=true | grep "certificate-authority-data:" | cut -c 33-Get CLUSTER URL
kubectl cluster-info | grep "Kube" | cut -c 51-Get client-certificate-data
base64 <USER>.crt -w 0Get client-key-data
base64 <USER>.key -w 0
Connect to cluster
<USER>.yaml
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: <CAD>
server: <CLUSTER URL>
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: <USER>
name: <USER>@kubernetes
current-context: <USER>@kubernetes
kind: Config
preferences: {}
users:
- name: <USER>
user:
client-certificate-data: <BASE64 .CRT FILE>
client-key-data: <BASE64 .KEY FILE>kubectl --kubeconfig <USER>.yaml get podsIf you get
Error from server (Forbidden): pods is forbidden: User "<USER>" cannot list resource "pods" in API group "" in the namespace "default"User is created