LAB05a: Create a Kubernetes User

complete, production-grade LAB for Option 1: Creating a Kubernetes User Using CSR API — without accessing the cluster CA private key.

This method is used in real enterprises because it is safer and managed fully through Kubernetes.

LAB: Create a Kubernetes User via CertificateSigningRequest (CSR API)

No CA key access required. Kube-API signs the certificate.

Lab Goal

You will:

Create a new user: john
Generate CSR + private key locally
Create a Kubernetes CSR manifest
Approve the CSR in the cluster
Extract the client certificate
Build a kubeconfig for john
Configure RBAC
Test the user

Prerequisites

Run commands on your local machine or control-plane, must have:

kubectl access (admin)
OpenSSL installed

STEP 1 — Generate Key + CSR Locally

openssl genrsa -out john.key 2048

openssl req -new -key john.key -out john.csr \
  -subj "/CN=john/O=dev-team"

Explanation:

CN=john → username inside Kubernetes
O=dev-team → group name inside Kubernetes (you can set any group, RBAC will use this)

STEP 2 — Base64 Encode the CSR

cat john.csr | base64 | tr -d "\n" > john.csr.b64

STEP 3 — Create the Kubernetes CSR Manifest

Create john-csr.yaml:

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: john
spec:
  request: |
    <BASE64_CSR_HERE>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
    - digital signature
    - key encipherment
    - client auth

Replace <BASE64_CSR_HERE>:

cat john.csr.b64

STEP 4 — Apply the CSR to Kubernetes

kubectl apply -f john-csr.yaml

Check CSR status:

kubectl get csr john

STEP 5 — Approve the CSR

As cluster admin:

kubectl certificate approve john

Verify:

kubectl get csr john -o yaml

You should now see:

status:
  certificate: BASE64CERT==

STEP 6 — Extract the Signed Certificate

kubectl get csr john -o jsonpath='{.status.certificate}' | base64 -d > john.crt

Now you have:

john.key (private key)
john.crt (signed certificate)

STEP 7 — Build a Custom Kubeconfig for John

1. Get cluster name:

kubectl config view -o jsonpath='{.clusters[0].name}'

2. Extract API server endpoint:

kubectl config view -o jsonpath='{.clusters[0].cluster.server}'

3. Extract CA certificate:

kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' \
| base64 -d > ca.crt

Build kubeconfig:

Set cluster:

kubectl config set-cluster kubernetes \
  --server=https://<API-SERVER-IP>:6443 \
  --certificate-authority=ca.crt \
  --embed-certs=true \
  --kubeconfig=john.kubeconfig

Set user:

kubectl config set-credentials john \
  --client-certificate=john.crt \
  --client-key=john.key \
  --embed-certs=true \
  --kubeconfig=john.kubeconfig

Set context:

kubectl config set-context john-context \
  --cluster=kubernetes \
  --user=john \
  --kubeconfig=john.kubeconfig

Switch context:

kubectl --kubeconfig=john.kubeconfig use-context john-context

STEP 8 — Test User Authentication (No RBAC Yet)

kubectl --kubeconfig=john.kubeconfig get pods

Expected:

Error from server (Forbidden)

This confirms: ✔ Authentication working ✘ No authorization yet

STEP 9 — Add RBAC Permissions

OPTION A — Namespace-limited read access:

kubectl create role dev-reader \
  --verb=get --verb=list --verb=watch \
  --resource=pods --namespace=default

kubectl create rolebinding john-read \
  --role=dev-reader \
  --user=john \
  --namespace=default

OPTION B — Cluster-wide read access:

kubectl create clusterrolebinding john-view \
  --clusterrole=view \
  --user=john

OPTION C — Full admin:

kubectl create clusterrolebinding john-admin \
  --clusterrole=cluster-admin \
  --user=john

STEP 10 — Test RBAC

Check who you are:

kubectl --kubeconfig=john.kubeconfig auth whoami

Output:

john
dev-team

Check allowed actions:

kubectl --kubeconfig=john.kubeconfig auth can-i create pods

Try listing pods:

kubectl --kubeconfig=john.kubeconfig get pods -A

LAB COMPLETED — You Successfully Created a Kubernetes User via CSR API

You now have:

john.key
john.csr
john.crt
ca.crt
john.kubeconfig

This is the enterprise-standard & secure way to:

Create developer/operator credentials
Issue short-lived certificates
Avoid exposing Kubernetes CA private key
Automate cert management

PreviousLAB05: Authorization in Kubernetes NextBLOG05: Creating User Access

Last updated 1 month ago

Good night

hashtagLAB: Create a Kubernetes User via CertificateSigningRequest (CSR API)

hashtagLab Goal

hashtagPrerequisites

hashtagSTEP 1 — Generate Key + CSR Locally

hashtagSTEP 2 — Base64 Encode the CSR

hashtagSTEP 3 — Create the Kubernetes CSR Manifest

hashtagSTEP 4 — Apply the CSR to Kubernetes

hashtagSTEP 5 — Approve the CSR

hashtagSTEP 6 — Extract the Signed Certificate

hashtagSTEP 7 — Build a Custom Kubeconfig for John

hashtag1. Get cluster name:

hashtag2. Extract API server endpoint:

hashtag3. Extract CA certificate:

hashtagBuild kubeconfig:

hashtagSet cluster:

hashtagSet user:

hashtagSet context:

hashtagSTEP 8 — Test User Authentication (No RBAC Yet)

hashtagSTEP 9 — Add RBAC Permissions

hashtagOPTION A — Namespace-limited read access:

hashtagOPTION B — Cluster-wide read access:

hashtagOPTION C — Full admin:

hashtagSTEP 10 — Test RBAC

hashtagCheck who you are:

hashtagCheck allowed actions:

hashtagTry listing pods:

hashtagLAB COMPLETED — You Successfully Created a Kubernetes User via CSR API