How to Create Users & Set Contexts in a K8s Cluster

Why Create Users in Kubernetes?

Creating users in Kubernetes helps you:

1. ✅ Control Access – Decide who can do what (like view pods or deploy apps).

2. 🔒 Improve Security – Prevent unauthorized access to your cluster.

3. 🛡️ Use RBAC – Assign roles to users with only the permissions they need.

4. 📊 Audit Actions – Track changes and see who did what.

5. 🧑‍💼 Support Teams – Give different teams or users isolated and customized access.

6. 🌐 Integrate with Identity Providers – Connect with systems like LDAP, OIDC, etc.

In this blog, you'll learn the step-by-step workflow for adding a user, assigning roles, and configuring access & context using kubectl.

1. Create a User Certificate Signing Request (CSR)

Kubernetes does not have a built-in user management system like usernames and passwords. Instead, it relies on client certificates for authentication.

Step 1: Generate a private key and CSR for your user (e.g., "aayush"):

• /CN=aayush sets the user's name as "aayush".

• /O=group1 sets an organization or group (for group RBAC mapping).

openssl genrsa -out aayush.key 2048
openssl req -new -key aayush.key -out aayush.csr -subj "/CN=aayush/O=group1"

2. Approve the Certificate Signing Request

Step 2: Convert the CSR to base64 and create a Kubernetes CSR resource:

cat aayush.csr | base64 | tr -d "\n"

Use this base64 string in a YAML manifest (csr.yaml):

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: aayush
spec:
  request: BASE64_CSR
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth

Step 3: Apply & Approve the manifest:

kubectl apply -f csr.yaml
kubectl certificate approve aayush

Step 4: Extract the issued certificate:

kubectl get csr aayush -o jsonpath='{.status.certificate}' | base64 --decode > aayush.crt

3. Create a Role & RoleBinding

Define what your user can do by creating a Role (namespace-scoped) or ClusterRole (cluster-wide) and a RoleBinding assigns the role to your user:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: aayush
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Apply this manifest:

kubectl apply -f role.yaml

4. Set Credentials Kubeconfig

Add your user's key and certificate to a kubeconfig file:

kubectl config set-credentials aayush --client-certificate=aayush.crt --client-key=aayush.key

5. Create and Use a Context

Tie your user, namespace, and cluster together:

kubectl config set-context aayush-context --cluster=kubernetes --namespace=default --user=aayush

ps: You can use your actual clusters names

To view all clusters:

kubectl config get-clusters

To view all contexts:

kubectl config get-contexts

To use the context that we have just created

kubectl config use-context aayush-context

Now, when running kubectl commands, actions will be performed as the "aayush" user in the "default" namespace—subject to the permissions you assigned.