How to Create Users & Set Contexts in a K8s Cluster

Aayush Bisht

Why Create Users in Kubernetes?

Creating users in Kubernetes helps you:

  1. ✅ Control Access – Decide who can do what (like view pods or deploy apps).

  2. 🔒 Improve Security – Prevent unauthorized access to your cluster.

  3. 🛡️ Use RBAC – Assign roles to users with only the permissions they need.

  4. 📊 Audit Actions – Track changes and see who did what.

  5. 🧑‍💼 Support Teams – Give different teams or users isolated and customized access.

  6. 🌐 Integrate with Identity Providers – Connect with systems like LDAP, OIDC, etc.

In this blog, you'll learn the step-by-step workflow for adding a user, assigning roles, and configuring access & context using kubectl.

1. Create a User Certificate Signing Request (CSR)

Kubernetes has no built-in user management system such as a store of usernames and passwords. Instead, this workflow authenticates the user with an X.509 client certificate signed by the cluster's CA.

Step 1: Generate a private key and CSR for your user (e.g., "aayush"):

  • /CN=aayush sets the user's name as "aayush".

  • /O=group1 sets an organization or group (for group RBAC mapping).

openssl genrsa -out aayush.key 2048
openssl req -new -key aayush.key -out aayush.csr -subj "/CN=aayush/O=group1"

2. Approve the Certificate Signing Request

Step 2: Convert the CSR to base64 and create a Kubernetes CSR resource:

cat aayush.csr | base64 | tr -d "\n"

Use this base64 string in a YAML manifest (csr.yaml):

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: aayush
spec:
  request: BASE64_CSR
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth

Step 3: Apply the manifest and approve the request:

kubectl apply -f csr.yaml
kubectl certificate approve aayush

Step 4: Extract the issued certificate:

kubectl get csr aayush -o jsonpath='{.status.certificate}' | base64 --decode > aayush.crt

3. Create a Role & RoleBinding

Define what your user can do by creating a Role (namespace-scoped) or ClusterRole (cluster-wide). A RoleBinding then assigns the role to your user. Save both in one manifest (role.yaml):

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: aayush
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Apply this manifest:

kubectl apply -f role.yaml

4. Set Credentials in Kubeconfig

Add your user's key and certificate to a kubeconfig file:

kubectl config set-credentials aayush --client-certificate=aayush.crt --client-key=aayush.key

5. Create and Use a Context

Tie your user, namespace, and cluster together:

kubectl config set-context aayush-context --cluster=kubernetes --namespace=default --user=aayush

PS: Use your actual cluster's name in place of "kubernetes".

To view all clusters:

kubectl config get-clusters

To view all contexts:

kubectl config get-contexts

To use the context that we have just created:

kubectl config use-context aayush-context

Now, when running kubectl commands, actions will be performed as the "aayush" user in the "default" namespace, subject to the permissions you assigned.
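As an added example (not part of the original post): a bash helper that renders csr.yaml from the CSR file instead of pasting the base64 string by hand, and then checks with kubectl auth can-i that the binding grants the pod-reader verbs and nothing more. The function names, the one-day expirationSeconds value, and the list of actions expected to be denied are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Sample names (aayush, default)
# follow the walkthrough; the 86400 s lifetime is an assumed default.

# Print a CertificateSigningRequest manifest for USER from CSR_FILE.
# expirationSeconds requests a short-lived certificate: Kubernetes
# cannot revoke client certificates, so expiry is the only hard cutoff.
render_csr_manifest() {
  local user="$1" csr_file="$2" ttl="${3:-86400}"
  local b64
  b64="$(base64 < "$csr_file" | tr -d '\n')" || return 1
  [ -n "$b64" ] || { echo "empty or unreadable CSR: $csr_file" >&2; return 1; }
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${user}
spec:
  request: ${b64}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: ${ttl}
  usages:
  - client auth
EOF
}

# Ask the API server (via impersonation) whether USER may VERB RESOURCE in NS
# and compare the answer ("yes"/"no") with what the Role should allow.
expect_access() {
  local want="$1" user="$2" ns="$3" verb="$4" resource="$5" got
  got="$(kubectl auth can-i "$verb" "$resource" --as="$user" -n "$ns" 2>/dev/null)" || true
  [ "$got" = "$want" ] && return 0
  echo "MISMATCH: $user $verb $resource in $ns: want=$want got=${got:-error}" >&2
  return 1
}

# Check that the pod-reader binding grants only what the walkthrough intends.
audit_pod_reader() {
  local user="$1" ns="$2" rc=0 verb
  for verb in get list watch; do
    expect_access yes "$user" "$ns" "$verb" pods || rc=1
  done
  expect_access no "$user" "$ns" delete pods     || rc=1
  expect_access no "$user" "$ns" get secrets     || rc=1
  expect_access no "$user" kube-system list pods || rc=1
  return "$rc"
}
```

Pipe render_csr_manifest aayush aayush.csr into kubectl apply -f -, and run audit_pod_reader aayush default from an admin context that is allowed to impersonate users.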
