Create a User in Kubernetes
I recently tried to create an additional user in my Kubernetes cluster. Therefore I searched for hours to find nothing.
With this post I’d like to help you find the solution quicker.
First off, there are no user objects in Kubernetes (K8s) like there are in LDAP or Active Directory. Kubernetes knows two kinds of subjects: normal users, which the cluster never stores and only sees as the identity presented by a client certificate, bearer token or OIDC provider, and Serviceaccounts (SA), which are real API objects managed by the cluster and bound to a particular Namespace (NS). Because a Serviceaccount comes with a token you can hand to a person, it is the quickest way to get a working “user”, and that is what this post does. Keep in mind that the two are easy to confuse, and that RBAC treats them as different subject kinds (User vs. ServiceAccount) in bindings.
I’d like to start with an overview of the cluster. Then I will bind the built-in clusterrole edit to my Serviceaccount with a Clusterrolebinding, which grants edit rights on the namespaced resources in every namespace. Last but not least I will add the newly created User/Serviceaccount to my KUBECONFIG as another context.
Getting an Overview
Print the Clusterroles existing on the Kubernetes Cluster
$ kubectl get clusterrole -o name
clusterrole.rbac.authorization.k8s.io/admin
[...]
clusterrole.rbac.authorization.k8s.io/cluster-admin
[...]
clusterrole.rbac.authorization.k8s.io/edit
[...]
clusterrole.rbac.authorization.k8s.io/system:basic-user
[...]
clusterrole.rbac.authorization.k8s.io/view
For a more detailed view we can pick a clusterrole and describe it like so:
kubectl describe clusterrole.rbac.authorization.k8s.io/edit
# or in short
kubectl describe clusterrole edit
Name:         edit
Labels:       kubernetes.io/bootstrapping=rbac-defaults
              rbac.authorization.k8s.io/aggregate-to-admin=true
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources   Non-Resource URLs   Resource Names   Verbs
  ---------   -----------------   --------------   -----
  configmaps  []                  []               [create delete deletecollection patch update get list watch]
  [...]
Note that edit is not a harmless role: besides configmaps it grants full read and write access to secrets and lets the subject run pods as any Serviceaccount in the namespace, so whoever holds it can reach everything those Serviceaccounts can.
Show all roles defined in the current Namespace (NS)
Returns empty in my case since I don’t have any roles in this namespace yet.
$ kubectl get role -o name
Lets get started!
Create a Serviceaccount in the current Namespace
$ kubectl create serviceaccount sa-dev
Bind a Clusterrole to a Serviceaccount
NOTE: default is the NS we’ve created the Serviceaccount in. A Clusterrolebinding applies the role in every namespace of the cluster; if the Serviceaccount should only be allowed to edit its own namespace, create a Rolebinding in that namespace that references the same Clusterrole instead.
$ kubectl create clusterrolebinding sa-dev-edit --clusterrole edit --serviceaccount=default:sa-dev
Extending the Context file using kubectl
We need the token first, so we have to find out the name of the secret that holds it. NOTE: since Kubernetes 1.24 a Serviceaccount no longer gets a token secret created automatically; on such clusters the Tokens field below is empty and you either request a time-bound token with kubectl create token sa-dev or create a secret of type kubernetes.io/service-account-token annotated with the Serviceaccount name yourself.
$ kubectl describe sa sa-dev
Name: sa-dev
Namespace: default
[...]
Tokens: sa-dev-token-w285j
Events: <none>
Now that we know the secret’s name we can take a look into it. Unlike kubectl get secret -o yaml, describe prints the token already decoded, so treat the terminal output as a credential.
$ kubectl describe secret sa-dev-token-w285j
Name:         sa-dev-token-w285j
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: sa-dev
              kubernetes.io/service-account.uid: uid-uid-uid-8b89-uid
Type:  kubernetes.io/service-account-token
Data
====
ca.crt:     1017 bytes
namespace:  7 bytes
token:      <a very long token>
Setting Kubernetes Cluster parameters
Do not use --insecure-skip-tls-verify=true outside a throwaway lab: it turns off verification of the API server’s certificate, so anyone who can get between you and the cluster can impersonate the API server and collect the token. The ca.crt we just saw in the secret is the cluster CA; point --certificate-authority at it (and --embed-certs=true keeps the KUBECONFIG self-contained).
$ kubectl config set-cluster <MyClusterName> --server=https://<IPorDNS>:<access Port> --certificate-authority=<path to ca.crt> --embed-certs=true
Adding the token of the user to the context
$ kubectl config set-credentials sa-dev --token=<a very long token>
Creating the Serviceaccount as User in the context
$ kubectl config set-context sa-dev --cluster=<MyClusterName> --user=sa-dev
Switch the context to your newly created user context
This lets us act as the Serviceaccount, using only its credentials
$ kubectl config use-context sa-dev
Now you can check if your permission set can accomplish whatever you wanted to do.
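The steps above put together as a script, as an added example that is not part of the original post. It assumes kubectl is on PATH, the current context is cluster-admin, and the cluster is 1.21 or newer (the kube-root-ca.crt ConfigMap exists in every namespace); on 1.24+ it mints a time-bound token with kubectl create token and otherwise falls back to the legacy token secret. The Serviceaccount, binding and file names are illustrative. It goes beyond the post in two places: the kubeconfig embeds the cluster CA instead of skipping TLS verification, and a SCOPE argument lets you choose a namespaced Rolebinding instead of the cluster-wide Clusterrolebinding.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumptions: kubectl on PATH, an
# admin context, kube-root-ca.crt ConfigMap present (K8s 1.21+). All names are
# illustrative. Nothing here touches the cluster until provision_sa_kubeconfig runs.
set -eu

# render_kubeconfig CLUSTER SERVER CA_B64 USER TOKEN
# Prints a stand-alone kubeconfig. The cluster CA is embedded (base64) so the
# client verifies the API server instead of using --insecure-skip-tls-verify.
render_kubeconfig() {
  local cluster="$1" server="$2" ca_b64="$3" user="$4" token="$5"
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${cluster}
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
users:
- name: ${user}
  user:
    token: ${token}
contexts:
- name: ${user}
  context:
    cluster: ${cluster}
    user: ${user}
current-context: ${user}
EOF
}

# sa_token NAMESPACE SA
# 1.24+: no auto-created token secret, so request a bounded token (24h here).
# Older clusters: read the legacy kubernetes.io/service-account-token secret.
sa_token() {
  local ns="$1" sa="$2" secret
  if kubectl -n "$ns" create token "$sa" --duration=24h 2>/dev/null; then
    return 0
  fi
  secret=$(kubectl -n "$ns" get sa "$sa" -o jsonpath='{.secrets[0].name}')
  kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.token}' | base64 -d
}

# cluster_ca_b64 NAMESPACE
# The cluster CA is published into every namespace as the kube-root-ca.crt ConfigMap.
cluster_ca_b64() {
  kubectl -n "$1" get configmap kube-root-ca.crt -o jsonpath='{.data.ca\.crt}' \
    | base64 | tr -d '\n'
}

# provision_sa_kubeconfig NAMESPACE SA SCOPE OUTFILE
# SCOPE=cluster binds the edit ClusterRole cluster-wide (what the post does);
# SCOPE=namespace binds the same ClusterRole via a RoleBinding limited to NAMESPACE.
provision_sa_kubeconfig() {
  local ns="$1" sa="$2" scope="$3" out="$4" cluster server
  kubectl -n "$ns" create serviceaccount "$sa" --dry-run=client -o yaml | kubectl apply -f -
  if [ "$scope" = cluster ]; then
    kubectl create clusterrolebinding "${sa}-edit" --clusterrole=edit \
      --serviceaccount="${ns}:${sa}" --dry-run=client -o yaml | kubectl apply -f -
  else
    kubectl -n "$ns" create rolebinding "${sa}-edit" --clusterrole=edit \
      --serviceaccount="${ns}:${sa}" --dry-run=client -o yaml | kubectl apply -f -
  fi
  cluster=$(kubectl config view --minify -o jsonpath='{.clusters[0].name}')
  server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  render_kubeconfig "$cluster" "$server" "$(cluster_ca_b64 "$ns")" "$sa" \
    "$(sa_token "$ns" "$sa")" > "$out"
  chmod 600 "$out"   # the file carries a bearer token; guard it like a password
}

# verify_scope KUBECONFIG NAMESPACE
# Show what the new identity can and cannot do before handing the file over.
# `auth can-i` exits 1 on "no", hence the `|| true` under set -e.
verify_scope() {
  local kc="$1" ns="$2"
  kubectl --kubeconfig "$kc" auth can-i get secrets -n "$ns" || true       # edit: yes
  kubectl --kubeconfig "$kc" auth can-i create clusterrolebindings || true  # expect: no
  kubectl --kubeconfig "$kc" auth can-i get pods -n kube-system || true     # yes only for SCOPE=cluster
}

# Usage:
#   provision_sa_kubeconfig default sa-dev namespace ./sa-dev.kubeconfig
#   verify_scope ./sa-dev.kubeconfig default
```

The generated file is equivalent to the set-cluster / set-credentials / set-context sequence from the post, but written to its own path so the token never lands in your admin KUBECONFIG; the last check in verify_scope is the quickest way to see the difference between the cluster-wide binding and the namespaced one.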
Sumup
- First of all we created a Serviceaccount.
- After that we bound the edit Clusterrole to the Serviceaccount with a Clusterrolebinding.
- Then we got the access token of the Serviceaccount and added it to our KUBECONFIG or context file.
- At last we switched the user in our context file and connected to the cluster using our new Serviceaccount.
$ kubectl create serviceaccount <SA-Username>
$ kubectl create clusterrolebinding <BindingName> \
    --clusterrole edit --serviceaccount=default:<SA-Username>
$ kubectl describe secret <SA-Username>-token-<random suffix>
$ kubectl config set-cluster <MyClusterName> \
    --server=https://<MyClusterIPorDNSname>:<access Port> \
    --certificate-authority=<path to ca.crt> --embed-certs=true
$ kubectl config set-credentials <SA-Username> \
    --token=<Token>
$ kubectl config set-context <SA-Username> \
    --cluster=<MyClusterName> \
    --user=<SA-Username>
$ kubectl config use-context <SA-Username>
Cheers!