How to Issue a Certificate for a User in Kubernetes

Introduction

In Kubernetes, issuing a certificate for a user is essential for authenticating and invoking APIs securely. This guide provides a comprehensive step-by-step process to generate and manage user certificates, ensuring proper access control within your Kubernetes cluster.

Create a Private Key

This command generate the anish.key and anish.csr file.

openssl genrsa -out anish.key 2048
openssl req -new -key anish.key -out anish.csr -subj "/CN=anish"

Create a CertificateSigningRequest

Create a CertificateSigningRequest and submit it to a Kubernetes Cluster via kubectl. Below is a script to generate the CertificateSigningRequest.

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: anish
spec:
  request: <base64-encoded-value>
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400  
  usages:
  - client auth

• request is the base64 encoded value of the CSR file content. You can get the content using this command:

cat anish.csr | base64 | tr -d "\n"

Put the output of this command in the request key.

Approve the CertificateSigningRequest

Use kubectl to create a CSR and approve it.

Get the list of CSRs:

kubectl get csr

Approve the CSR:

kubectl certificate approve anish

Get the Certificate

Retrieve the certificate from the CSR:

kubectl get csr/anish -o yaml

The certificate value is in Base64-encoded format under status.certificate. Export the issued certificate from the CertificateSigningRequest.

kubectl get csr anish -o jsonpath='{.status.certificate}'| base64 -d > anish.crt

Create Role and RoleBinding

With the certificate created, it is time to define the Role and RoleBinding for this user to access Kubernetes cluster resources.

Role

Create a Role for this new user:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: developer
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create", "get", "list", "update", "delete"]

RoleBinding

Create a RoleBinding for this new user:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-binding-anish
  namespace: default
subjects:
- kind: User
  name: anish
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io

Add to kubeconfig

The last step is to add this user into the kubeconfig file.

First, add new credentials:

kubectl config set-credentials anish --client-key=anish.key --client-certificate=anish.crt --embed-certs=true

Then, add the context:

kubectl config set-context anish --cluster=kubernetes --user=anish

To test it, change the context to anish:

kubectl config use-context anish

Test what sort of task that you can perform in the cluster as a new user.

• You can only perform create, get, list , update and delete operation on pod.

• When you try to run kubectl get deploy then you will get error.

  Error from server (Forbidden): deployments.apps is forbidden: User "anish" cannot list resource "deployments" in API group "apps" in the namespace "default"

• Because you don't have enough permission to perform other operation in the cluster.

This is how new user joining the cluster are managed and maintained in Production.

Conclusion

Issuing a certificate for a user in Kubernetes involves generating a private key, creating and approving a CertificateSigningRequest, and configuring roles and bindings to manage access. By following these steps, you ensure that users can securely authenticate and interact with the Kubernetes API. Properly managing user certificates is crucial for maintaining a secure and well-administered Kubernetes environment.