Kubernetes: Kubeconfig and User Setup

Ritesh

Let’s first understand what a kubeconfig file is.

Kubeconfig

A file used to configure access to a cluster is called a kubeconfig file. This is the generic way of referring to a configuration file. This doesn’t mean the file name is kubeconfig.

K8s components like kubectl, kubelet, or kube-controller-manager use the kubeconfig file to interact with the K8s API.

By default the file is simply named config rather than kubeconfig, and it lives at ~/.kube/config. You can point kubectl at a different file with the KUBECONFIG environment variable or the kubectl --kubeconfig parameter.

The kubeconfig file is a YAML file that contains three groups of entries: clusters, users, and contexts.

  • A cluster is a K8s cluster.

  • A user is a credential used to interact with the K8s API.

  • A context is a combination of cluster and user.

Below is the basic template of a kubeconfig file for a kind cluster.

Here are some additional details:

The clusters section lists every cluster you have connected to. Each entry has two important keys:

  • certificate-authority/certificate-authority-data contains the certificate of the certificate authority (CA) that signed all internal Kubernetes certificates. This can be a file path or a Base64 string of the certificate's Privacy Enhanced Mail (PEM) format.

  • server is the address of the server.

The users section lists the credentials used to connect to a cluster. Possible keys for a user include:

  • client-certificate/client-certificate-data contains a certificate for the user signed by the Kubernetes CA. This can be a file path or a Base64 string in the certificate PEM format.

  • client-key/client-key-data contains the user's private key, the one that signed the CSR for the client certificate. This can be a file path or a Base64 string in the key PEM format. Treat it as a secret: anyone who can read it can act as that user.

  • token contains a token for this user when there is no certificate.

The contexts section links a user and a cluster and can set a default namespace. The context name is arbitrary, but the user and cluster it references must already be defined in the kubeconfig file. If the namespace doesn't exist, commands will fail with an error.
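As an added example (not the template from the original post), the following POSIX shell script renders the three sections described above into a kubeconfig, writes it with owner-only permissions because the embedded client-key-data is a private key, and checks the rule that every context must reference a cluster and user defined in the same file. The cluster name kind-multi-node-cluster, the user dixit, the context name dixit@read and the Base64 values passed in are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Names and Base64 values
# used when calling these functions are placeholders, not real credentials.
set -eu

# render_kubeconfig CLUSTER SERVER CA_B64 USER CERT_B64 KEY_B64 CONTEXT [NAMESPACE]
# Prints a kubeconfig in which the context references the cluster and user
# defined in the same file. The *_B64 arguments are PEM data with newlines
# stripped (the form kubectl expects in *-data keys).
render_kubeconfig() {
  cluster=$1 server=$2 ca=$3 user=$4 cert=$5 key=$6 context=$7
  ns=${8:-default}
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: $cluster
  cluster:
    server: $server
    certificate-authority-data: $ca
users:
- name: $user
  user:
    client-certificate-data: $cert
    client-key-data: $key
contexts:
- name: $context
  context:
    cluster: $cluster
    user: $user
    namespace: $ns
current-context: $context
EOF
}

# write_kubeconfig FILE <render_kubeconfig args>: writes the file with mode
# 0600 so the private key inside it is readable only by its owner.
write_kubeconfig() {
  file=$1; shift
  ( umask 077; render_kubeconfig "$@" > "$file" )
  chmod 600 "$file"
}

# check_context_refs FILE: returns 0 when every cluster/user named by a
# context is defined in the clusters/users sections, 1 otherwise. It parses
# only the simple layout produced by render_kubeconfig.
check_context_refs() {
  file=$1
  defined=$(awk '/^(clusters|users):/{s=1} /^contexts:/{s=0} s && /^- name:/{print $3}' "$file")
  refs=$(awk '/^contexts:/{s=1} /^current-context:/{s=0} s && /^    (cluster|user):/{print $2}' "$file")
  for r in $refs; do
    echo "$defined" | grep -qx "$r" || return 1
  done
  return 0
}

# Usage (placeholder Base64 values, not real certificates):
# write_kubeconfig ./config kind-multi-node-cluster https://127.0.0.1:6443 Q0E= dixit Q0VSVA== S0VZ dixit@read default
# check_context_refs ./config && echo "contexts consistent"
```

The consistency check is the same rule kubectl enforces at run time: a context that names an undefined user or cluster fails on the first request, so catching it while generating the file saves a confusing error later.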

User setup:

Now let’s see how to set up a user with specific permissions.

To create the user we generate a private key and a CSR (certificate signing request), have the cluster CA sign it to obtain the client certificate used for authentication, and then grant permissions with RBAC for authorization.

  • Generate the key
    openssl genrsa -out dixit.key 2048

  • Generate a Certificate Signing Request (CSR) using OpenSSL.
    openssl req -new -key dixit.key -out dixit.csr -subj "/CN=dixit/O=group1"

    This command generates a new CSR (dixit.csr) using the private key (dixit.key) and includes the subject information with the common name "dixit" and organization "group1". Kubernetes uses the CN as the user name and the O as the group name.

  • Now let’s encode the content of the dixit.csr file in Base64 and strip the newlines, since the value must be a single line in the CSR resource.

    cat dixit.csr | base64 | tr -d '\n'

  • Now let’s create a YAML file that defines a CertificateSigningRequest resource in Kubernetes. Once a cluster administrator approves it, the API server issues a client certificate for the user "dixit".

    Create a dixit-csr.yaml file defining the CertificateSigningRequest, then apply it:

    kubectl apply -f dixit-csr.yaml

  • Now run the below command to approve the CSR, allowing the user to obtain a signed certificate for secure communication and authentication with the Kubernetes API server.

    kubectl certificate approve dixit

  • Run the below command to retrieve the signed certificate for the CSR named dixit, so that it can be used for authentication within the Kubernetes cluster.

    kubectl get csr dixit -o jsonpath='{.status.certificate}' | base64 --decode > dixit.crt

  • Create a YAML file defining a read-only Role.

    Create the read-role.yaml file, then apply it:

    kubectl apply -f read-role.yaml

  • Now let’s create a YAML file defining a RoleBinding, which binds the read-only-role to the user dixit.

    Create the read-role-binding.yaml file, then apply it:

    kubectl apply -f read-role-binding.yaml

  • Set up kubeconfig

    You can set it up using the below commands or you can update the details in kubeconfig manually.

    • First, set the user credential in kubeconfig using the below command:

      kubectl config set-credentials dixit --client-certificate=/root/dixit_user/dixit.crt --client-key=/root/dixit_user/dixit.key

      kubectl config set-credentials <username> --client-certificate=<path/to/.crt file> --client-key=<path/to/.key file>

  • Now let’s set up a context in kubeconfig for new user.

    kubectl config set-context dixit@read --cluster=kind-multi-node-cluster --user=dixit

    kubectl config set-context <new context-name> --cluster=<cluster on which you want access> --namespace=<namespace name if you have> --user=<user name>

    This command will set a context in the kubeconfig file as shown below.

  • To verify the context run the below command.

    kubectl config get-contexts

    You will get output similar to the image below:

  • Now to use the context run the below command.
    kubectl config use-context <context-name>

  • Now if you try to get details about pods, the request succeeds, but you will not be able to create or update anything, as shown in the image below.
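The three YAML files the steps above refer to (dixit-csr.yaml, read-role.yaml and read-role-binding.yaml) are not shown on the page, so here is an added example, not the author's own files, that renders them from shell functions and runs the whole procedure in order. It assumes the Role name read-only-role from the steps above, a RoleBinding named read-only-binding, the default namespace, and a 24-hour certificate lifetime via expirationSeconds; the user, group and cluster names are passed as arguments. The final two kubectl auth can-i calls check, before the credentials are handed over, that the binding really grants read-only access.

```shell
#!/bin/sh
# Added example, not the post's own manifests. Assumptions: RoleBinding name
# read-only-binding, namespace passed as an argument, 24h certificate lifetime.
set -eu

# render_csr_manifest NAME CSR_FILE: CertificateSigningRequest carrying the
# Base64-encoded PEM CSR, to be signed by the API server's client signer.
render_csr_manifest() {
  name=$1; csr_b64=$(base64 < "$2" | tr -d '\n')
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $name
spec:
  request: $csr_b64
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400
  usages:
  - client auth
EOF
}

# render_read_role NAMESPACE: read-only-role allowing only read verbs on pods.
render_read_role() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-only-role
  namespace: $1
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
EOF
}

# render_role_binding NAMESPACE USER: binds read-only-role to the user whose
# certificate CN is USER.
render_role_binding() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-only-binding
  namespace: $1
subjects:
- kind: User
  name: $2
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: read-only-role
  apiGroup: rbac.authorization.k8s.io
EOF
}

# setup_user USER GROUP CLUSTER NAMESPACE: the post's steps end to end.
# Needs openssl and a kubectl context allowed to approve CSRs and create RBAC.
setup_user() {
  user=$1 group=$2 cluster=$3 ns=$4
  umask 077                                   # private key readable by owner only
  openssl genrsa -out "$user.key" 2048
  openssl req -new -key "$user.key" -out "$user.csr" -subj "/CN=$user/O=$group"
  render_csr_manifest "$user" "$user.csr" | kubectl apply -f -
  kubectl certificate approve "$user"
  kubectl get csr "$user" -o jsonpath='{.status.certificate}' | base64 --decode > "$user.crt"
  render_read_role "$ns" | kubectl apply -f -
  render_role_binding "$ns" "$user" | kubectl apply -f -
  kubectl config set-credentials "$user" --client-certificate="$PWD/$user.crt" --client-key="$PWD/$user.key" --embed-certs=true
  kubectl config set-context "$user@read" --cluster="$cluster" --namespace="$ns" --user="$user"
  # Verify the grant is exactly read-only before handing the kubeconfig over.
  kubectl auth can-i list pods --as="$user" -n "$ns"
  ! kubectl auth can-i create pods --as="$user" -n "$ns"
}

# Runs only when invoked explicitly, e.g.:
#   sh setup-user.sh run dixit group1 kind-multi-node-cluster default
if [ "${1:-}" = run ]; then
  shift
  setup_user "$@"
fi
```

The approve step is where the cluster administrator's trust is spent: it turns an unauthenticated CSR into a credential, so it belongs with someone who has checked the CN and O in the request match the user being onboarded. Passing --embed-certs=true makes the kubeconfig self-contained, which is why the earlier section insists on keeping that file private.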

Conclusion

Following these steps, you can securely establish user authentication and authorization in Kubernetes, ensuring controlled access to your cluster resources.

Keep learning and exploring! 🚀📘
