LAB02c: Create a New Kubernetes User Using Certificate Authentication

Goal

You will create:

A new Linux-user/identity name: john
A client certificate for john
A kubeconfig file for john
RBAC permissions (Role/ClusterRole/RoleBinding/ClusterRoleBinding)
Test access as john

This lab works on kubeadm clusters.

PREREQUISITES

Run the following commands on the control-plane node:

Important files needed:

/etc/kubernetes/pki/ca.crt
/etc/kubernetes/pki/ca.key

These are used to sign the new user's certificate.

STEP 1 — Create a private key for the new user

openssl genrsa -out john.key 2048

STEP 2 — Create a CSR (Certificate Signing Request)

openssl req -new -key john.key -out john.csr -subj "/CN=john/O=dev-team"

Meaning:

CN=john → Kubernetes username
O=dev-team → Group name (RBAC will use this)

You can also put: O=system:masters → full admin But we avoid that for safety.

STEP 3 — Sign the CSR with Kubernetes CA

sudo openssl x509 -req -in john.csr \
  -CA /etc/kubernetes/pki/ca.crt \
  -CAkey /etc/kubernetes/pki/ca.key \
  -CAcreateserial -out john.crt -days 365

Now you have:

john.key  → private key
john.crt  → signed certificate

STEP 4 — Create a new kubeconfig for the new user

We extract the cluster details from the admin kubeconfig.

1. Get the cluster name

kubectl config get-clusters

Example: kubernetes

2. Get the server endpoint

kubectl config view -o jsonpath='{.clusters[0].cluster.server}'

3. Get the CA certificate

sudo cp /etc/kubernetes/pki/ca.crt .

STEP 5 — Build a kubeconfig file manually

kubectl config set-cluster kubernetes \
  --server=https://<MASTER-IP>:6443 \
  --certificate-authority=ca.crt \
  --kubeconfig=john.kubeconfig

kubectl config set-credentials john \
  --client-certificate=john.crt \
  --client-key=john.key \
  --kubeconfig=john.kubeconfig

kubectl config set-context john-context \
  --cluster=kubernetes \
  --user=john \
  --kubeconfig=john.kubeconfig

kubectl config use-context john-context --kubeconfig=john.kubeconfig

You now have a working john.kubeconfig.

STEP 6 — Test the kubeconfig without RBAC

kubectl --kubeconfig=john.kubeconfig get pods

Expected output:

Error from server (Forbidden): pods is forbidden

This means authentication succeeded, but no authorization yet.

Perfect — now we'll add RBAC.

STEP 7 — Grant RBAC Permissions

Choose the level you want:

OPTION A — Namespace limited access (e.g., default namespace)

Create Role:

kubectl create role dev-reader --verb=get --verb=list --verb=watch --resource=pods --namespace=default

Bind it:

kubectl create rolebinding john-bind --role=dev-reader --user=john --namespace=default

OPTION B — Cluster-wide read-only

kubectl create clusterrolebinding john-read \
  --clusterrole=view \
  --user=john

OPTION C — Full admin access (NOT recommended)

kubectl create clusterrolebinding john-admin \
  --clusterrole=cluster-admin \
  --user=john

STEP 8 — Test Access as john

Now run:

kubectl --kubeconfig=john.kubeconfig get pods -A

Depending on RBAC, you will either:

get pods
get pods only in namespace
get full cluster admin access

STEP 9 — Validate Identity (VERY IMPORTANT)

kubectl --kubeconfig=john.kubeconfig auth whoami

Expected:

john
dev-team

Or if admin:

john
system:masters

STEP 10 — Inspect the certificate details

openssl x509 -in john.crt -noout -text

Look for:

Subject: CN=john, O=dev-team
Issuer: CN=kubernetes

FINAL OUTPUTS OF THIS LAB

You now have:

john.key
john.crt
ca.crt
john.kubeconfig

Plus RBAC bindings in cluster.

Summary

You learned how to:

✔ Generate user certificate ✔ Sign it with Kubernetes CA ✔ Build a full kubeconfig manually ✔ Apply RBAC roles ✔ Validate authentication ✔ Verify certificate identity

This is the industry-standard way to add developers, DevOps engineers, and automation clients to Kubernetes.

PreviousLAB02b: Deep Dive into Kubeconfig, Client Certificate & Server Certificate NextLAB02d: Setting up Kubeconfig

Last updated 1 month ago

Good night

hashtagGoal

hashtagPREREQUISITES

hashtagImportant files needed:

hashtagSTEP 1 — Create a private key for the new user

hashtagSTEP 2 — Create a CSR (Certificate Signing Request)

hashtagSTEP 3 — Sign the CSR with Kubernetes CA

hashtagSTEP 4 — Create a new kubeconfig for the new user

hashtag1. Get the cluster name

hashtag2. Get the server endpoint

hashtag3. Get the CA certificate

hashtagSTEP 5 — Build a kubeconfig file manually

hashtagSTEP 6 — Test the kubeconfig without RBAC

hashtagSTEP 7 — Grant RBAC Permissions

hashtagOPTION A — Namespace limited access (e.g., default namespace)

hashtagOPTION B — Cluster-wide read-only

hashtagOPTION C — Full admin access (NOT recommended)

hashtagSTEP 8 — Test Access as john

hashtagSTEP 9 — Validate Identity (VERY IMPORTANT)

hashtagSTEP 10 — Inspect the certificate details

hashtagFINAL OUTPUTS OF THIS LAB

hashtagSummary