Authentication & User Management in K8S

Piyush Kabra
kubectl config view   # shows the kubeconfig in use (the default one, ~/.kube/config, unless --kubeconfig is given)

Context contains:-

  • IP: Port

  • Username

  • Password

There are two types of authentication:-

  • Password-based

  • Key-based

In key-based (certificate) authentication the pieces map onto the username/password idea like this:

User —> Certificate ( CRT ) —> client.crt (signed by the cluster CA, ca.crt)

Password —> Private key —> client.key

We Need 4 Things in Config File:-

  1. Server

  2. Client Key

  3. Client Certificate

  4. Certificate Authority


current-context: "myc1"

kubectl get pods --kubeconfig mykube.config ( to run kubectl with this config file instead of the default one )

This is the Config file.

mykube.config:-

apiVersion: v1
kind: Config
current-context: myc1

users:
  - name: piyush
    user:
      client-key: piyush.key
      client-certificate: piyush.crt

clusters:
  - name: myc1
    cluster:
      server: https://192.168.34.53:8443
      certificate-authority: ca.crt

contexts:
  - name: myc1
    context:
      cluster: myc1      # must match the cluster name above, otherwise kubectl cannot resolve the context
      user: piyush

mkdir -p /root/.kube

cp mykube.config /root/.kube/config   ( on Linux )


Context has two things :-

URL ( Cluster, IP: Port )

User / Password ( Certificate & Pvt Key )


Now let's create the keys :-

minikube ssh
sudo -i
cd /var/lib/minikube/certs

# private key for the user (1024 bits as written here; 2048 or more is what you would use in practice)
openssl genrsa -out piyush.key 1024

# CSR: Kubernetes takes the username from the certificate's CN, so it must be "piyush" to match the RoleBinding below
openssl req -new -key piyush.key -out piyush.csr -subj "/CN=piyush"

# sign it with the cluster CA; -CAcreateserial creates the serial file on first use (default validity is 30 days, add -days N for longer)
openssl x509 -req -in piyush.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out piyush.crt

ls -> piyush.key , piyush.csr , piyush.crt

Now

confirm your location by pwd, it should be "/var/lib/minikube/certs" in minikube ssh
(that is, you have to be on the minikube node and do everything from there)

Then

cp piyush.*  /home/docker
cp ca.crt    /home/docker

go to :- cd /home/docker
chmod o+r piyush.key ( because piyush.key has no read permission for others, we would not be able to transfer it to Windows otherwise )

Once it is copied, put the permissions back (chmod 600 piyush.key) on both sides: a world-readable private key lets any local user authenticate to the cluster as piyush.

Now

copy piyush.* in windows at the location :- 
/c/Users/Piyush Kabra/.minikube/profiles/minikube/

then,

kubectl config set-credentials piyush --client-key=piyush.key --client-certificate=piyush.crt
( make sure you are in the same location to access the files directly from here )

then

kubectl config set-context mycontext --user=piyush --cluster=minikube

kubectl config current-context --> see which context is active right now

kubectl config use-context default

kubectl create ns testing

kubectl get pods -n testing --> in default context

now

kubectl config use-context mycontext 

kubectl get pods -n testing

Now Create myrole.yml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: mymonitor-role
  namespace: testing

rules:
  - resources: [ "pods" ]
    verbs: [ "list" ]
    apiGroups: [ "" ]

then, create myrolebinding.yml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: piyush-user-monitoring-binding
  namespace: testing

subjects:
  - kind: User
    name: piyush
    apiGroup: rbac.authorization.k8s.io

roleRef:
    kind: Role
    name: mymonitor-role
    apiGroup: rbac.authorization.k8s.io

now

go in minikube context and run 
kubectl apply -f myrole.yml
kubectl apply -f myrolebinding.yml

then,

go in mycontext and run 

kubectl get pods -n testing --> works

kubectl get deploy -n testing --> forbidden ( the Role only grants "list" on pods in the core API group; deployments live in the "apps" group, which it never mentions )
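Two offline checks for the pieces above, added here as an example (not code from the original post): the first walks a kubeconfig and reports contexts that point at a cluster or user name that does not exist (the usual slip when clusters and contexts are named by hand), the second evaluates the Role and RoleBinding the way the API server does for `kubectl get pods` versus `kubectl get deploy`. The kubeconfig, Role and binding are constructed inline to mirror the files above; kubeconfig_problems, can_i and _matches are hypothetical helper names.

```python
# Constructed example: a kubeconfig whose context names a cluster that does not exist.
KUBECONFIG = {
    "current-context": "myc1",
    "clusters": [{"name": "myc1", "cluster": {
        "server": "https://192.168.34.53:8443", "certificate-authority": "ca.crt"}}],
    "users": [{"name": "piyush", "user": {
        "client-key": "piyush.key", "client-certificate": "piyush.crt"}}],
    "contexts": [{"name": "myc1", "context": {"cluster": "mycluster1", "user": "piyush"}}],
}

def kubeconfig_problems(cfg):
    """List dangling references; an empty list means every context resolves."""
    clusters = {c["name"] for c in cfg.get("clusters", [])}
    users = {u["name"] for u in cfg.get("users", [])}
    contexts = {c["name"] for c in cfg.get("contexts", [])}
    problems = []
    for ctx in cfg.get("contexts", []):
        ref = ctx["context"]
        if ref["cluster"] not in clusters:
            problems.append(f"context {ctx['name']!r}: unknown cluster {ref['cluster']!r}")
        if ref["user"] not in users:
            problems.append(f"context {ctx['name']!r}: unknown user {ref['user']!r}")
    if cfg.get("current-context") not in contexts:
        problems.append(f"current-context {cfg.get('current-context')!r} does not exist")
    return problems

# Constructed to mirror myrole.yml and myrolebinding.yml: one namespaced Role bound to User piyush.
ROLES = {("testing", "mymonitor-role"): [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["list"]}]}
BINDINGS = [{"namespace": "testing", "role": "mymonitor-role",
             "subjects": [{"kind": "User", "name": "piyush"}]}]

def _matches(wanted, allowed):
    return wanted in allowed or "*" in allowed

def can_i(user, verb, resource, api_group, namespace):
    """Is `verb` on `resource` (in `api_group`) allowed for `user` in `namespace`?
    Pods are in the core group ""; Deployments are in "apps", which the Role never grants."""
    for b in BINDINGS:
        if b["namespace"] != namespace:
            continue
        if not any(s["kind"] == "User" and s["name"] == user for s in b["subjects"]):
            continue
        for rule in ROLES.get((namespace, b["role"]), []):
            if (_matches(api_group, rule["apiGroups"]) and _matches(resource, rule["resources"])
                    and _matches(verb, rule["verbs"])):
                return True
    return False
```

The same answers come from a live cluster with `kubectl auth can-i list pods -n testing --as=piyush`, which is the quickest way to verify a binding without switching contexts.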