How to create a user to authenticate with microk8s outside of the cluster?

Using microk8s on Ubuntu 20.04

Among the data returned by microk8s config there is

- name: admin
  user:
    username: admin
    password: S05BcnhqaWpCNzlRaWtDZEIzNHEzVU5qKzZCaERUbWxjQ2d6VTFmcjkrQT0K

I suppose the admin user has been created (silently) by microk8s installer.

Q1. Is that admin user manageable? For example, is there a way to change the pwd?

Q2. Can you give an example where we would need to refer to that admin user? I don’t know if I am doing the right thing. Currently, to use kubectl outside of the cluster (on a machine in the same subnet), I added that user by kubectl config set-credentials.

Q3. Like Q2, using kubectl from outside the cluster, instead of using the admin user, I’d like to use another user. That new user can create/delete resources but not perform admin tasks on the microk8s cluster. How should I create that user?

The admin user is created during installation. That user is authenticated through a token as described in [1]. To change the token you will need to edit the /var/snap/microk8s/current/credentials/known_tokens.csv file.

That is fine. Another popular approach is to have multiple kubeconfig files (even merged) and select the one you want as described in [2].

You would first need to create a new user. There are a few authentication mechanisms described in [1]. MicroK8s comes with the static-tokens-file and X509 Client Certs enabled by default. The easiest is to edit the known_tokens.csv to add a new user. You should appoint that user to some groups (also in the known_tokens.csv file). Afterwards you will need to enable RBAC [3] to restrict the permissions of that user. Enabling RBAC is done with microk8s enable rbac.

[1] Authenticating | Kubernetes
[2] Organizing Cluster Access Using kubeconfig Files | Kubernetes
[3] Using RBAC Authorization | Kubernetes

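The steps from the answer to Q3, as an added example that is not part of the original thread or of MicroK8s itself. The user `dev1`, group `developers`, namespace `team-a` and the choice of the built-in `edit` ClusterRole are assumptions; the file path is the one given in the answer.

```shell
#!/bin/sh
# Added example: least-privilege user via the static token file.
# Assumed names: user "dev1", group "developers", namespace "team-a".
TOKENS_FILE=/var/snap/microk8s/current/credentials/known_tokens.csv

# Print a random 32-byte token as 64 hex characters (safe inside a CSV field).
new_token() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Print one token-file line in the Kubernetes format: token,user,uid,"g1,g2"
token_line() {  # usage: token_line TOKEN USER USERID GROUPS
    case "$2$3$4" in *'"'*) echo "quote in field" >&2; return 1 ;; esac
    case "$2$3" in *,*) echo "comma in user or uid" >&2; return 1 ;; esac
    # system:masters has full cluster access regardless of RBAC rules
    case ",$4," in *,system:masters,*) echo "refusing system:masters" >&2; return 1 ;; esac
    printf '%s,%s,%s,"%s"\n' "$1" "$2" "$3" "$4"
}

# Print a RoleBinding that gives GROUP the built-in "edit" role in one namespace only.
rolebinding_yaml() {  # usage: rolebinding_yaml GROUP NAMESPACE
cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $1-edit
  namespace: $2
subjects:
- kind: Group
  name: $1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
EOF
}

# On the MicroK8s node, as root (the API server reads the file at startup):
#   token_line "$(new_token)" dev1 dev1 developers >> "$TOKENS_FILE"
#   microk8s stop && microk8s start
#   microk8s enable rbac
#   microk8s kubectl create namespace team-a
#   rolebinding_yaml developers team-a | microk8s kubectl apply -f -
# On the remote machine, using the token from the new line in the file:
#   kubectl config set-credentials dev1 --token=<TOKEN>
```

With RBAC enabled and only this binding in place, `dev1` can create and delete workloads in `team-a` but has no cluster-wide permissions.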