How to Create Users & Set Contexts in a K8s Cluster

Why Create Users in Kubernetes?
Creating users in Kubernetes helps you:
- Control Access: Decide who can do what (like view pods or deploy apps).
- Improve Security: Prevent unauthorized access to your cluster.
- Use RBAC: Assign roles to users with only the permissions they need.
- Audit Actions: Track changes and see who did what.
- Support Teams: Give different teams or users isolated and customized access.
- Integrate with Identity Providers: Connect with systems like LDAP, OIDC, etc.
In this blog, you'll learn the step-by-step workflow for adding a user, assigning roles, and configuring access and context using kubectl.
1. Create a User Certificate Signing Request (CSR)
Kubernetes does not have a built-in user management system like usernames and passwords. Instead, it relies on client certificates for authentication.
Step 1: Generate a private key and CSR for your user (e.g., "aayush"):
- /CN=aayush sets the user's name as "aayush".
- /O=group1 sets an organization or group (for group RBAC mapping).
openssl genrsa -out aayush.key 2048
openssl req -new -key aayush.key -out aayush.csr -subj "/CN=aayush/O=group1"
2. Approve the Certificate Signing Request
Step 2: Convert the CSR to base64 and create a Kubernetes CSR resource:
cat aayush.csr | base64 | tr -d "\n"
Use this base64 string in a YAML manifest (csr.yaml):
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: aayush
spec:
  request: BASE64_CSR
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
Step 3: Apply the manifest and approve the CSR:
kubectl apply -f csr.yaml
kubectl certificate approve aayush
Step 4: Extract the issued certificate:
kubectl get csr aayush -o jsonpath='{.status.certificate}' | base64 --decode > aayush.crt
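Before running the approve command in Step 3, check the CSR's subject: the CN becomes the username and each O becomes a group that RBAC bindings can match. The script below is an added example, not part of the original post; the function names csr_attr and review_csr, the script name review-csr.sh and the file name pending.csr are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): review a CSR's subject before
# running `kubectl certificate approve`. Kubernetes takes the username from CN
# and one group from each O value, so these fields decide which RBAC applies.
#
# To review a CSR already submitted to the cluster, decode it first
# (pending.csr is a hypothetical file name):
#   kubectl get csr aayush -o jsonpath='{.spec.request}' | base64 --decode > pending.csr

# Print every value of one subject attribute, one per line.
# ATTR is an OpenSSL long name: commonName or organizationName.
csr_attr() {  # usage: csr_attr CSR_FILE ATTR
  openssl req -in "$1" -noout -subject -nameopt multiline |
    sed -n "s/^ *$2 *= *//p"
}

# Exit status 0 = subject matches what was agreed, 1 = do not approve.
review_csr() {  # usage: review_csr CSR_FILE EXPECTED_USER ALLOWED_GROUP...
  local csr="$1" user="$2" cn group allowed ok
  shift 2
  cn=$(csr_attr "$csr" commonName)
  if [ "$cn" != "$user" ]; then
    echo "REJECT: CN is '$cn', expected '$user'"; return 1
  fi
  while IFS= read -r group; do
    [ -n "$group" ] || continue
    case $group in
      # The system: prefix is reserved for Kubernetes itself (e.g. system:masters).
      system:*) echo "REJECT: reserved group '$group'"; return 1 ;;
    esac
    ok=no
    for allowed in "$@"; do
      if [ "$group" = "$allowed" ]; then ok=yes; fi
    done
    if [ "$ok" = no ]; then
      echo "REJECT: unexpected group '$group'"; return 1
    fi
  done <<EOF
$(csr_attr "$csr" organizationName)
EOF
  echo "OK: user '$cn' with only expected groups"
}

# Run as a script (hypothetical name): ./review-csr.sh aayush.csr aayush group1
if [ "$#" -ge 2 ]; then review_csr "$@"; fi
```

A CSR with more than one O value places the user in several groups, so every group the requester should have must be listed explicitly.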
3. Create a Role & RoleBinding
Define what your user can do by creating a Role (namespace-scoped) or ClusterRole (cluster-wide); a RoleBinding then assigns the role to your user. Save the following as role.yaml:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: aayush
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
Apply this manifest:
kubectl apply -f role.yaml
4. Set Credentials in Kubeconfig
Add your user's key and certificate to a kubeconfig file:
kubectl config set-credentials aayush --client-certificate=aayush.crt --client-key=aayush.key
5. Create and Use a Context
Tie your user, namespace, and cluster together:
kubectl config set-context aayush-context --cluster=kubernetes --namespace=default --user=aayush
P.S.: Replace "kubernetes" with your actual cluster name.
To view all clusters:
kubectl config get-clusters
To view all contexts:
kubectl config get-contexts
To use the context that we have just created:
kubectl config use-context aayush-context
Now, when running kubectl commands, actions will be performed as the "aayush" user in the "default" namespace, subject to the permissions you assigned.
Written by

Aayush Bisht