How to create user and grant permissions to the user in Kubernetes?
Problem to solve
When preparing for the Certified Kubernetes Administrator exam, I got this question in a mock exam:
Create a new user called mike in Kubernetes 1.18. Grant him access to the cluster. Mike should have permission to create, list, get, update and delete pods in the dev namespace. The private key exists in the current working directory: mike.key, and the CSR at mike.csr.
Your working directory is as follows:
-rw-r--r-- 1 simonzhao staff 0B Jun 23 13:54 mike.csr
-rw-r--r-- 1 simonzhao staff 0B Jun 23 13:54 mike.key
Environment
- kubernetes 1.18
- kubectl installed
- Linux or macOS terminal
1. Create private key and CSR files for Mike (optional)
If you are wondering how to create the private key and CSR files for Mike, the following commands generate a PKI private key and a CSR. It is important to set the CN and O attributes of the CSR: CN is the user name and O is the group the user will belong to, because the API server's client-certificate authenticator takes the user name from CN and the group memberships from O. You can refer to the RBAC documentation for the standard groups.
openssl genrsa -out mike.key 2048
openssl req -new -key mike.key -out mike.csr -subj "/CN=mike/O=dev"
In the commands above I create a CSR with /CN=mike/O=dev, which means the user name is mike and the group is dev.
This step is optional because I am provided with those files when I start.
2. Create the CertificateSigningRequest
To create a user in Kubernetes with certificate authentication, you first send a CertificateSigningRequest to the Kubernetes API server. As the following YAML shows, you create a CertificateSigningRequest by providing the base64-encoded content of mike.csr as the request, together with the intended key usages.
csr.yaml (written with a shell heredoc, because the $(...) substitution that fills the request field is expanded by the shell, not by kubectl, so it cannot sit in a static file)
cat <<EOF > csr.yaml
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: mike
spec:
  request: $(cat mike.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - client auth   # mike presents this certificate as a TLS client to the API server
EOF
Make sure you run this in the same directory as mike.csr, because the request field is filled from that file.
Apply the generated yaml as follows:
kubectl apply -f csr.yaml
Check that you have submitted the CSR successfully:
kubectl get csr
NAME AGE REQUESTOR CONDITION
mike 3s user-6jgtw Pending
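The request field is the most error-prone part of this step: it must hold the PEM CSR base64-encoded on a single line, and a literal, unexpanded $(...) string will be rejected by the API server. The following Python snippet is an added example (not code from the original article) that builds the same manifest in JSON, which kubectl apply accepts because JSON is valid YAML, and validates the request field before submission. The CSR PEM embedded below is a constructed sample with filler content, not a real PKCS#10 request.

```python
import base64
import json

# Constructed sample: the text that would be read from mike.csr. The body is
# made-up filler, so it is only useful for demonstrating the encoding step.
SAMPLE_CSR_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "MIICVzCCAT8CAQAwEjEQMA4GA1UEAwwHbWlrZS1jc3IwggEiMA0GCSqGSIb3DQEB\n"
    "AQUAA4IBDwAwggEKAoIBAQC7vbqajDw4o6gJy8UtmIbkcpnkO3Kwc4qsEnSZp/TR\n"
    "-----END CERTIFICATE REQUEST-----\n"
)

# Usages a client certificate needs: the API server checks the client-auth EKU.
CLIENT_USAGES = ["digital signature", "key encipherment", "client auth"]


def encode_request(csr_pem: str) -> str:
    """base64-encode the whole PEM text on one line, as spec.request requires."""
    return base64.b64encode(csr_pem.encode("ascii")).decode("ascii")


def build_csr_manifest(name: str, csr_pem: str, usages=None) -> dict:
    """Build the CertificateSigningRequest object for a user certificate."""
    usages = list(usages or CLIENT_USAGES)
    if "client auth" not in usages:
        # A certificate without client auth cannot authenticate a kubectl user.
        raise ValueError("a user certificate must carry the 'client auth' usage")
    return {
        "apiVersion": "certificates.k8s.io/v1beta1",
        "kind": "CertificateSigningRequest",
        "metadata": {"name": name},
        "spec": {"request": encode_request(csr_pem), "usages": usages},
    }


def validate_request_field(manifest: dict) -> bool:
    """True if spec.request is single-line base64 that decodes to a PEM CSR.

    An unexpanded shell string such as $(cat mike.csr | base64 ...) contains
    characters outside the base64 alphabet and therefore fails here.
    """
    request = manifest["spec"]["request"]
    if "\n" in request:
        return False
    try:
        decoded = base64.b64decode(request, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return decoded.startswith("-----BEGIN CERTIFICATE REQUEST-----")


def manifest_to_json(manifest: dict) -> str:
    """Serialise the manifest; the output can be fed to kubectl apply -f."""
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    manifest = build_csr_manifest("mike", SAMPLE_CSR_PEM)
    assert validate_request_field(manifest)
    print(manifest_to_json(manifest))
```

Writing the output to csr.json and running kubectl apply -f csr.json gives the same object as the heredoc above, without depending on shell expansion.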
3. Approve the CertificateSigningRequest
Now that you have submitted the CSR, approve it in Kubernetes as follows. Approval tells the signer to issue the certificate; once issued, the signed certificate is stored base64-encoded in the status.certificate field of the CSR object, and that certificate (with mike.key) is what mike's kubectl presents to the API server.
kubectl certificate approve mike
You can get more help by this command:
➜ ~ kubectl certificate approve --help
Approve a certificate signing request.
kubectl certificate approve allows a cluster admin to approve a certificate signing request (CSR).
This action tells a certificate signing controller to issue a certificate to the requestor with the
attributes requested in the CSR.
4. Create the Role with the permissions
Permissions are granted to users through roles, using RBAC (role-based access control). That is:
- A user (subject) gets permissions through a Role and a RoleBinding
- Permissions are grouped into a Role
- A RoleBinding references a set of users (subjects) and one Role
Now create the yaml:
dev-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: dev-role
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["create", "list", "get", "update", "delete"]
Apply the above yaml as follows:
kubectl apply -f dev-role.yaml
Check that you have submitted the role successfully:
kubectl get roles -n dev
NAME AGE
dev-role 10s
5. Bind the user and role
You bind the user and his role by creating a RoleBinding object in Kubernetes.
mike-roleBinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: mike-rolebinding
  namespace: dev
subjects:
- kind: User
  name: mike
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev-role
  apiGroup: rbac.authorization.k8s.io
Apply the above yaml as follows:
kubectl apply -f mike-roleBinding.yaml
Check that you have submitted the rolebinding successfully:
kubectl get rolebindings -n dev
NAME AGE
mike-rolebinding 6s
Check the details of the role binding:
kubectl describe rolebinding mike-rolebinding -n dev
Name: mike-rolebinding
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"mike-rolebinding","namespace":"dev"...
Role:
Kind: Role
Name: dev-role
Subjects:
Kind Name Namespace
---- ---- ---------
User mike
Now user mike is bound to the Role dev-role, and he can create/list/get/update/delete pods in the dev namespace.
6. Verify the access permissions
kubectl provides the auth can-i subcommand for quickly querying the API authorization layer. The command can be used to determine whether the current user can perform a given action, and it works regardless of the authorization mode used. Note that --as mike impersonates mike using your current (admin) credentials, so it verifies the RBAC rules, not that mike's certificate itself works.
Check if Mike can list pods in the dev namespace:
kubectl auth can-i list pods --as mike -n dev
yes
Check if Mike can create pods in the dev namespace:
kubectl auth can-i create pods --as mike -n dev
yes
Both checks should return yes.
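To make the Role/RoleBinding semantics of steps 4 to 6 concrete, here is an added example (my own code, not part of the original article or of kubectl) that models how the RBAC authorizer answers kubectl auth can-i for the manifests above. It is a deliberately simplified model: default deny, RoleBindings only grant inside their own namespace, rules are additive allow-lists and "*" matches anything. ClusterRoles, Group and ServiceAccount subjects, resourceNames and subresources are not modelled. The DEV_ROLE and MIKE_ROLEBINDING dicts mirror dev-role.yaml and mike-roleBinding.yaml field for field.

```python
# The Role and RoleBinding from the article, as Python dicts (same fields as the YAML).
DEV_ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "dev", "name": "dev-role"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["create", "list", "get", "update", "delete"]},
    ],
}

MIKE_ROLEBINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "mike-rolebinding", "namespace": "dev"},
    "subjects": [{"kind": "User", "name": "mike",
                  "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "dev-role",
                "apiGroup": "rbac.authorization.k8s.io"},
}


def _matches(wanted: str, allowed: list) -> bool:
    # RBAC rules are allow-lists; "*" in a list matches anything.
    return "*" in allowed or wanted in allowed


def rule_allows(rule: dict, verb: str, api_group: str, resource: str) -> bool:
    """A single rule permits the request only if group, resource and verb all match."""
    return (_matches(api_group, rule.get("apiGroups", []))
            and _matches(resource, rule.get("resources", []))
            and _matches(verb, rule.get("verbs", [])))


def can_i(user, verb, resource, namespace, roles, bindings, api_group=""):
    """Simplified model of the RBAC authorizer: True if some RoleBinding in
    `namespace` names `user` and refers to a Role in that namespace with a rule
    allowing `verb` on `resource`. Anything not explicitly allowed is denied."""
    role_index = {(r["metadata"]["namespace"], r["metadata"]["name"]): r
                  for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only grants within its own namespace
        if not any(s["kind"] == "User" and s["name"] == user
                   for s in binding["subjects"]):
            continue  # binding does not name this user
        ref = binding["roleRef"]
        if ref["kind"] != "Role":
            continue  # ClusterRole references are out of scope for this model
        role = role_index.get((namespace, ref["name"]))
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(rule_allows(rule, verb, api_group, resource)
               for rule in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    for verb in ("list", "create", "watch"):
        answer = can_i("mike", verb, "pods", "dev", [DEV_ROLE], [MIKE_ROLEBINDING])
        print(f"can mike {verb} pods in dev? {'yes' if answer else 'no'}")
```

The cases worth noticing are the denials: the mock exam asked for exactly five verbs, so watch is refused; the binding lives in dev, so the same user gets nothing in default; and a binding whose roleRef points at a Role that does not exist grants nothing at all, which is why kubectl describe rolebinding is a useful check after applying.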