Creating a Kubernetes user with RBAC autorization is one of the tasks in the question catalog for the Certified Kubernetes Administrator certification (CKA). This post shows how to perform this task.
Why you should create users and configure RBAC
Configuring authorization is important because otherwise everybody using the Kubernetes cluster would have administrative access to it. This can be a major security risk. Just a few examples:
- You don’t all users to be allowed to create new users or modify configuration that brings down your cluster
- Cluster Administrator Right vs. Rights for Engineers using the Cluster to deploy their apps
- Dedicated Roles for namespaces, so that different teams can use the same Cluster without conflict
Example Exam Task
Create a new user “moon” in your Kubernetes cluster. The user should use certificate credentials to authenticate to the cluster. Configure a Role called “moon” that allows all operations on all resources in the namespace “userns-moon”. Assign the Role to the user.
Prerequisites
- A Kubernetes cluster (I’m using minikube for this example)
- Kubectl installed and configured to access the cluster with administrator rights
- openssl CLI installed
- Run the following to prepare your namespaces for this exercise:
kubectl create ns userns-moon kubectl create ns userns-sun
Generating and signing the user certificate
First, we have to create the user credentials used for authentication. To do that we use the openssl command:
# this generates a private key for the new user we want to create openssl genrsa -out moon.key 2048 # with the key we can generate a certificate signing requests openssl req -new -key moon.key -out moon.csr --subj "/CN=moon"
Now we need to send the .csr file to Kubernetes so that it can create a certificate for us. We can do that by creating a CertificateSigningRequest Kubernetes resource:
# The certificate expects the spec.requests field to be set with the content # of moon.csr encoded using base64. Use following command to do that request=$(cat moon.csr | base64 -w0) # After that create the CSR resource cat <<EOF | kubectl apply -f - apiVersion: certificates.k8s.io/v1 kind: CertificateSigningRequest metadata: name: moon spec: request: $request signerName: kubernetes.io/kube-apiserver-client expirationSeconds: 86400 # one day usages: - client auth EOF
After you create the CSR, verify it was created.
kubectl get csr moon # Output: NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION moon 81s kubernetes.io/kube-apiserver-client minikube-user 24h Pending
You created the certificate signing request, but the Condition is Pending. You have to approve the requests before Kubernetes generates the certificate. Here’s the command:
kubectl certificate approve moon # Output: certificatesigningrequest.certificates.k8s.io/moon approved
The Kubernetes signed the certificate. Now copy it to your local system:
kubectl get csr myuser -o jsonpath='{.status.certificate}'| base64 -d > moon.crt
After this step, you got all credentials you need to authenticate the new user “moon”.
Create the RBAC configuration
RBAC configuration in Kubernetes consists of 4 different types:
- ClusterRole
- ClusterRoleBinding
- Role
- RoleBinding
[Cluster]Roles define the allowed access to resources. [Cluster]RoleBindings defines who is assigned to that Role. This can be users, ServiceAccounts, or groups.
In general ClusterRole and ClusterRoleBinding assign cluster-scoped rights. Role and RoleBinding assign namespace-scoped rights. The task requires us to create a role scoped on a specific namespace, so using Role and RoleBinding is the right choice for us.
For more information on this topic see the official docs section on Role and ClusterRole.
Creating the Kubernetes Role
So we need to create a Role called “moon” that is authorized to perform all actions within a namespace. Use the following command to do that:
kubectl create role moon -n userns-moon --verb "*" --resource "*"
Next, we need to bind the Role “moon” to the user “moon”:
kubectl create rolebinding moon-binding -n userns-moon --user moon --role moon
With this, we’ve successfully authorized our user “moon” to perform all actions in the namespace “userns-moon”.
Verify user credentials and RBAC configuration
To verify if the credentials for user “moon” are valid, we can configure our kubectl to use the generated credentials instead of our default credentials:
kubectl config set-credentials moon --client-key=moon.key --client-certificate=moon.crt --embed-certs=true kubectl config set-context moon --cluster=minikube --user=moon kubectl config use-context moon
Afterward, we can run some kubectl commands to verify our access rights:
kubectl auth can-i "*" "*" -n userns-moon # yes kubectl auth can-i "*" "*" -n userns-sun # no kubectl auth can-i "*" "*" --all-namespaces # no
Conclusion
By performing this example CKA exam task, we learned how to create user certificates to authenticate users to the API server. We also created a Role, which defines access rights to the API. By binding the Role to the user using a RoleBinding we authorized the new user to call the API server.
You can reuse the learnings from this post for other exam tasks. A good example is creating ServiceAccounts to authorize Pods to access the Kubernetes API server. You can learn more about that in the upcoming posts about the CKA exam.
Don’t want to miss the next CKA exam post? Follow me on LinkedIn.
To support my efforts use my affiliate link to buy your courses and exams from the Linux Foundation.
Previous post in the CKA series: CKS Exam Task โ Enable Kubernetes Audit Logs
Next post in the CKA series: CKA Exam Task: Create a Persistent Volume