Create a User in Kubernetes

D. Heinrich
3 min readOct 16, 2020

--

I recently tried to create an aditional user in my Kubernetes Cluster. Therefore I searched for hours to find nothing.

With this post I’d like to help you find the solution quicker .

First of, there are no “User” like in LDAP or Active Directory in Kubernetes (K8s). This is just another name for a Serviceaccount (SA). Those Serviceaccounts are bound to a particular Namespace (NS). Unfortunately both User and Serviceaccount are mixed pretty good by Kubernetes.

I’d like to start with an overview over the cluster. Then I will choose a clusterrole (edit) to permit my Serviceaccount to access specific clusterwide resources. Last but not least I will add my newly created User/Serviceaccount to my KUBECONFIG as another context.

Getting an Overview

Print the Clusterroles existing on the Kubernetes Cluster

$ kubectl get clusterrole -o name
clusterrole.rbac.authorization.k8s.io/admin
[...]
clusterrole.rbac.authorization.k8s.io/cluster-admin
[...]
clusterrole.rbac.authorization.k8s.io/edit
[...]
clusterrole.rbac.authorization.k8s.io/system:basic-user
[...]
clusterrole.rbac.authorization.k8s.io/view

For a more detailed view we can pick a clusterrole and describe it like so:

kubectl describe clusterrole.rbac.authorization.k8s.io/edit
# or in short
kubectl describe clusterrole edit

Show all roles are defined in the current Namespace (NS)

Returns empty in my case since I dont have any roles in this namespace yet.

$ kubectl get role -o name
Name: edit
Labels: kubernetes.io/bootstrapping=rbac-defaults
rbac.authorization.k8s.io/aggregate-to-admin=true
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
-----------------------------------------------------
configmaps [] [] [] [create delete deletecollection patch update get list watch]
[...]

Lets get started!

Create a Serviceaccount in the current Namespace

$ kubectl create serviceaccount sa-dev

Bind a Clusterrole to a Serviceaccount

NOTE: default is the NS we’ve created the Serviceaccount in

$ kubectl create clusterrolebinding sa-dev-edit --clusterrole edit --serviceaccount=default:sa-dev

Extending the Context file using kubectl

We need to get the token first therefore we’ve to know hats the secret-name of it is.

$ kubectl describe sa sa-dev
Name: sa-dev
Namespace: default
[...]
Tokens: sa-dev-token-w285j
Events: <none>

Now as we know what the secret’s name is we can take a look into it

$ kubectl describe secret sa-dev-token-w285
Name: sa-dev-token-w285j
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name: sa-dev
kubernetes.io/service-account.uid: uid-uid-uid-8b89-uid
Type: kubernetes.io/service-account-tokenData
====
ca.crt: 1017 bytes
namespace: 7 bytes
token: <a very long token>

Setting Kubernetes Cluster parameters

$ kubectl config set-cluster <MyClusterName> --server=https://<IPorDNS>:<access Port> --insecure-skip-tls-verify=<true/false>

Adding the token of the user to the context

$ kubectl config set-credentials sa-dev --token=<a very long token>

Creating the Serviceaccount as User in the context

$ kubectl config set-context sa-dev --cluster=<MyClusterName> --user=sa-dev

Switch the Context to your newly created user-context

This allows us to act like the user and use just his credentials

$ kubectl config use-context sa-dev

Now you can check if your permission set can accomplish whatever you wanted to do.

Sumup

  1. First of all we’ve created a Serviceaccount and a Clusterrolebinding.
  2. After that we added a Clusterrolebinding (edit) to the Serviceaccount.
  3. Then we got the access-token of the Serviceaccount and added it to our KUBECONFIG or context-file.
  4. At last we switched the user in our context files and connected to the Cluster using our new Service Account
$ kubectl create serviceaccount <SA-Username>$ kubectl create clusterrolebinding <ClusterroleName> \
--clusterrole edit --serviceaccount=default:<SA-Username>
$ kubectl describe secret <SA-Username>-token-p7gpc$ kubectl config set-cluster <MyClusterName> \
--server=https://<MyClusterIPorDNSname>:<access Port> \
--insecure-skip-tls-verify=<true/false>
$ kubectl config set-credentials <SA-Username> \
--token=<Token>
$ kubectl config set-context <SA-Username> \
--cluster=<MyClusterName> \
--user=<SA-Username>
$ kubectl config use-context <SA-Username>

Cheers!

--

--