Menu Close

CKA Exam Task: Create a Kubernetes User with RBAC

Creating a Kubernetes user with RBAC autorization is one of the tasks in the question catalog for the Certified Kubernetes Administrator certification (CKA). This post shows how to perform this task.

Why you should create users and configure RBAC

Configuring authorization is important because otherwise everybody using the Kubernetes cluster would have administrative access to it. This can be a major security risk. Just a few examples:

  • You don’t all users to be allowed to create new users or modify configuration that brings down your cluster
  • Cluster Administrator Right vs. Rights for Engineers using the Cluster to deploy their apps
  • Dedicated Roles for namespaces, so that different teams can use the same Cluster without conflict

Example Exam Task

Create a new user “moon” in your Kubernetes cluster. The user should use certificate credentials to authenticate to the cluster. Configure a Role called “moon” that allows all operations on all resources in the namespace “userns-moon”. Assign the Role to the user.


  • A Kubernetes cluster (I’m using minikube for this example)
  • Kubectl installed and configured to access the cluster with administrator rights
  • openssl CLI installed
  • Run the following to prepare your namespaces for this exercise:
kubectl create ns userns-moon
kubectl create ns userns-sun

Generating and signing the user certificate

First, we have to create the user credentials used for authentication. To do that we use the openssl command:

# this generates a private key for the new user we want to create
openssl genrsa -out moon.key 2048

# with the key we can generate a certificate signing requests
openssl req -new -key moon.key -out moon.csr --subj "/CN=moon"

Now we need to send the .csr file to Kubernetes so that it can create a certificate for us. We can do that by creating a CertificateSigningRequest Kubernetes resource:

# The certificate expects the spec.requests field to be set with the content
# of moon.csr encoded using base64. Use following command to do that
request=$(cat moon.csr | base64 -w0)

# After that create the CSR resource
cat <<EOF | kubectl apply -f -
kind: CertificateSigningRequest
  name: moon
  request: $request
  expirationSeconds: 86400  # one day
  - client auth

After you create the CSR, verify it was created.

kubectl get csr moon
# Output:
moon   81s   minikube-user   24h                 Pending

You created the certificate signing request, but the Condition is Pending. You have to approve the requests before Kubernetes generates the certificate. Here’s the command:

kubectl certificate approve moon
# Output: approved

The Kubernetes signed the certificate. Now copy it to your local system:

kubectl get csr myuser -o jsonpath='{.status.certificate}'| base64 -d > moon.crt

After this step, you got all credentials you need to authenticate the new user “moon”.

Create the RBAC configuration

RBAC configuration in Kubernetes consists of 4 different types:

  • ClusterRole
  • ClusterRoleBinding
  • Role
  • RoleBinding

[Cluster]Roles define the allowed access to resources. [Cluster]RoleBindings defines who is assigned to that Role. This can be users, ServiceAccounts, or groups.

In general ClusterRole and ClusterRoleBinding assign cluster-scoped rights. Role and RoleBinding assign namespace-scoped rights. The task requires us to create a role scoped on a specific namespace, so using Role and RoleBinding is the right choice for us.

For more information on this topic see the official docs section on Role and ClusterRole.

Creating the Kubernetes Role

So we need to create a Role called “moon” that is authorized to perform all actions within a namespace. Use the following command to do that:

kubectl create role moon -n userns-moon --verb "*" --resource "*"

Next, we need to bind the Role “moon” to the user “moon”:

kubectl create rolebinding moon-binding -n userns-moon --user moon --role moon

With this, we’ve successfully authorized our user “moon” to perform all actions in the namespace “userns-moon”.

Verify user credentials and RBAC configuration

To verify if the credentials for user “moon” are valid, we can configure our kubectl to use the generated credentials instead of our default credentials:

kubectl config set-credentials moon --client-key=moon.key --client-certificate=moon.crt --embed-certs=true
kubectl config set-context moon --cluster=minikube --user=moon
kubectl config use-context moon

Afterward, we can run some kubectl commands to verify our access rights:

kubectl auth can-i "*" "*" -n userns-moon # yes
kubectl auth can-i "*" "*" -n userns-sun # no
kubectl auth can-i "*" "*" --all-namespaces # no


By performing this example CKA exam task, we learned how to create user certificates to authenticate users to the API server. We also created a Role, which defines access rights to the API. By binding the Role to the user using a RoleBinding we authorized the new user to call the API server.

You can reuse the learnings from this post for other exam tasks. A good example is creating ServiceAccounts to authorize Pods to access the Kubernetes API server. You can learn more about that in the upcoming posts about the CKA exam.

Don’t want to miss the next CKA exam post? Follow me on LinkedIn.

To support my efforts use my affiliate link to buy your courses and exams from the Linux Foundation.

Previous post in the CKA series: CKS Exam Task โ€“ Enable Kubernetes Audit Logs

Next post in the CKA series: CKA Exam Task: Create a Persistent Volume