I am looking for process to create a user and assign him certain permissions. Please let me know how to do it ?
You can create users in two ways. By creating human user or service account. For human user you need to create certificate and for service account you just need to run once command.
Please find the docs below for creating users and giving permissions:
https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html
1 Like
Kubernetes itself doesn’t really have users. Those are generally done by an external provider via OIDC. It DOES have ServiceAccounts that you can sort of use like users, but they’re meant for applications within the cluster to authenticate to the API server.
After going through all the above mentioned block, I found below solution
- Create user CSR
openssl genrsa -out user1.key 2048
openssl req -new -key user1.key -out user1.csr
- Approve CSR
openssl x509 -req -in user1.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out user1.crt -days 500
- Create Role or ClusterRole
cat role.yml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: test-namespace
name: user1-role
rules:
- apiGroups: ["", “extensions”, “apps”]
resources: [“deployments”, “pods”, “services”]
verbs: [“get”, “list”, “watch”, “create”, “update”, “patch”, “delete”]
- Create RoleBindings
cat binding.yml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: user1-rolebinding
namespace: test-namespace
subjects:
- kind: User
name: user1
apiGroup: “”
roleRef:
kind: Role
name: user1-role
apiGroup: “”
- Use it
kubectl config set-credentials user1 --client-certificate=/root/user1.crt --client-key=user1.key
kubectl config set-context user1-context --cluster=kubernetes --namespace=test-namespace --user=user1
3 Likes
I think it would be nice to point to the document for reference in the future
2 Likes