Store the cluster CA materials in a working directory:
mkdir -p /root/pki/
cp /opt/kubernetes/ssl/ca-key.pem /root/pki/
cp /opt/kubernetes/ssl/ca.pem /root/pki/
cp /root/k8s/cert/k8s/ca-config.json /root/pki/
The ca-config.json profile defines permitted key usages and an expiration window:
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
Install the CFSSL binaries if they are not already present:
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl*
for bin in cfssl*; do
mv "$bin" "${bin%_linux-amd64}"
done
mv cfssl* /usr/bin
Create a certificate signing request JSON describing the user identity. For example, to create a user named appuser:
{
  "CN": "appuser",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
Write this into appuser-csr.json.
Generate the signed certificate using the Kubernetes CA and the corresponding profile:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes appuser-csr.json | cfssljson -bare appuser
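Before running gencert, the CA operator can lint the two JSON files. The script below is an added example, not part of this guide or of CFSSL: it checks the CSR's CN and O values (Kubernetes takes the user name from CN and a group from each O, so an O of system:masters would make the certificate cluster-admin) and the profile's usages and expiry, because kube-apiserver cannot revoke an issued client certificate. The 365-day limit is an assumed local policy.

```python
# Added example (not from the original guide): lint a CFSSL CSR JSON and ca-config.json
# before signing. Kubernetes reads the user from CN and groups from O; kube-apiserver cannot revoke client certs.
import json
import re

# Constructed copies of the page's appuser-csr.json and ca-config.json.
CSR_JSON = ('{"CN": "appuser", "hosts": [], "key": {"algo": "rsa", "size": 2048}, "names": '
            '[{"C": "CN", "ST": "Beijing", "L": "Beijing", "O": "k8s", "OU": "System"}]}')
CA_CONFIG_JSON = ('{"signing": {"default": {"expiry": "87600h"}, "profiles": {"kubernetes": '
                  '{"usages": ["signing", "key encipherment", "server auth", "client auth"], '
                  '"expiry": "87600h"}}}}')
MAX_CLIENT_CERT_DAYS = 365  # assumed local policy, not a Kubernetes or CFSSL default


def expiry_hours(value):
    """Parse a CFSSL duration such as "87600h", "30m" or "900s" into hours."""
    m = re.fullmatch(r"(\d+)([hms])", value)
    if not m:
        raise ValueError(f"unsupported expiry: {value!r}")
    return int(m.group(1)) / {"h": 1, "m": 60, "s": 3600}[m.group(2)]


def lint_csr(csr, ca_config, profile="kubernetes"):
    """Return (severity, message) findings for a Kubernetes client-cert request."""
    findings = []
    cn = csr.get("CN", "")
    groups = [n["O"] for n in csr.get("names", []) if n.get("O")]
    if not cn:
        findings.append(("error", "CN is empty; Kubernetes would see no user name"))
    elif cn.startswith("system:"):
        findings.append(("error", f"CN {cn!r} uses the reserved system: prefix"))
    if "system:masters" in groups:
        findings.append(("critical", "O=system:masters is cluster-admin and bypasses RBAC"))
    prof = ca_config["signing"]["profiles"][profile]
    usages = prof.get("usages", [])
    if "client auth" not in usages:
        findings.append(("error", f"profile {profile!r} lacks 'client auth'"))
    if "server auth" in usages:
        findings.append(("warn", f"profile {profile!r} also allows 'server auth': "
                         "the user cert could present itself as a CA-trusted server"))
    expiry = prof.get("expiry") or ca_config["signing"]["default"]["expiry"]
    days = expiry_hours(expiry) / 24
    if days > MAX_CLIENT_CERT_DAYS:
        findings.append(("warn", f"expiry {expiry} is {days:.0f} days and cannot be revoked"))
    return findings


def lint_page_example():
    """Lint the constructed copies of the page's two files."""
    return lint_csr(json.loads(CSR_JSON), json.loads(CA_CONFIG_JSON))
```

Calling lint_page_example() on the page's own files yields two warnings: the profile also permits server auth, and the 87600h expiry is ten years on a certificate that cannot be revoked.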
Build a kubeconfig for the user from three pieces:
- Cluster definition – embed the CA and point to the API server:
kubectl config set-cluster mycluster \
--server=https://192.168.124.61:6443 \
--certificate-authority=ca.pem \
--embed-certs=true \
--kubeconfig=/root/appuser.conf
- Context – link the cluster to the user:
kubectl config set-context appuser@mycluster \
--cluster=mycluster \
--user=appuser \
--kubeconfig=/root/appuser.conf
- User credentials – attach the signed client certificate and key:
kubectl config set-credentials appuser \
--client-certificate=appuser.pem \
--client-key=appuser-key.pem \
--embed-certs=true \
--kubeconfig=/root/appuser.conf
Make the new context active:
kubectl config use-context appuser@mycluster --kubeconfig=/root/appuser.conf
Prepare the local system so that the user can use this configuration:
useradd appuser
mkdir -p /home/appuser/.kube
cp /root/appuser.conf /home/appuser/.kube/config
chown appuser:appuser -R /home/appuser/
su - appuser
Grant permissions via RBAC. Define a Role that allows pods to be read, listed and watched:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
Bind that role to the user (Role and RoleBinding are namespaced, so apply both in the namespace whose pods appuser should see):
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: appuser-pod-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: appuser