Kubernetes RBAC new user

In most cases you should grant only the permissions that are actually required. Now it’s time to create a new user for kubectl.

I’ll describe the classic way of creating the certificate with OpenSSL. There is also a way to use Kubernetes’ built-in certificate management; I’ll write about it someday.

openssl genrsa -out release-master_prod_key.pem 4096
openssl req -new -key release-master_prod_key.pem -out release-master_prod_csr.pem -subj '/CN=release-master@prod'
openssl x509 -req -in release-master_prod_csr.pem -CA /etc/kubernetes/ssl/ca.crt -CAkey /etc/kubernetes/ssl/ca.key -CAcreateserial -out release-master_prod_crt.pem -days 365

We’ve got our certificates now. Time to create a config for kubectl.

kubectl config set-cluster prod --server=https://kube.enterprise.net:6443 --certificate-authority=/etc/kubernetes/ssl/ca.crt --embed-certs=true --kubeconfig=release-master_prod.cfg
kubectl config set-credentials release-master_prod --client-certificate=release-master_prod_crt.pem --client-key=release-master_prod_key.pem --embed-certs=true --kubeconfig=release-master_prod.cfg
kubectl config set-context release-master_prod --cluster=prod --namespace=prod --user=release-master_prod --kubeconfig=release-master_prod.cfg
kubectl config --kubeconfig=release-master_prod.cfg use-context release-master_prod

Our release-master.yaml to assign permissions:

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: release-master
  namespace: prod
rules:
  # "describe" is a kubectl subcommand, not an API verb, so it is not listed:
  # kubectl describe works through get and list.
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
      - list
      - patch
      - update
      - watch
  # Deployments also lived in extensions/v1beta1 on clusters older than 1.16;
  # this second rule can be dropped on newer clusters.
  - apiGroups:
      - extensions
    resources:
      - deployments
    verbs:
      - get
      - list
      - patch
      - update
      - watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: release-master
  namespace: prod
subjects:
  - kind: User
    name: release-master@prod   # must equal the CN of the client certificate
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: release-master
  apiGroup: rbac.authorization.k8s.io

Now we just need to apply it:

kubectl apply -f release-master.yaml
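Before applying a Role it is worth being able to reason about it offline: which identity the certificate produces, and exactly which requests the Role will and will not allow. The script below is an added example, not code from the original post or from Kubernetes itself. It models the two pieces involved: the client-certificate authenticator (CN becomes the user name, each O field becomes a group) and the RBAC matcher for a namespaced Role. The manifests are transcribed from release-master.yaml into Python dicts (with the `describe` verb deliberately kept so the linter can show why it does not belong), and the function names `identity_from_subject`, `can_i` and `lint_role` are this example's own; the `-subj` parsing is simplified and assumes no `/` inside attribute values.

```python
# Added example (not from the original post): an offline model of how the
# API server turns the client certificate into an identity (CN -> user name,
# O -> groups) and how the namespaced Role above is evaluated. Manifests are
# transcribed into dicts so this runs without a cluster or PyYAML.

# Verbs the Kubernetes API knows. "describe" is a kubectl subcommand, not an
# API verb; listing it in a rule grants nothing.
API_VERBS = {"get", "list", "watch", "create", "update", "patch",
             "delete", "deletecollection", "*"}

# Transcribed from release-master.yaml, keeping the "describe" verb on purpose
# so lint_role() can show why it should not be there.
ROLE = {
    "metadata": {"name": "release-master", "namespace": "prod"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["describe", "get", "list", "patch", "update", "watch"]},
        {"apiGroups": ["extensions"], "resources": ["deployments"],
         "verbs": ["describe", "get", "list", "patch", "update", "watch"]},
    ],
}
ROLE_BINDING = {
    "metadata": {"name": "release-master", "namespace": "prod"},
    "subjects": [{"kind": "User", "name": "release-master@prod"}],
    "roleRef": {"kind": "Role", "name": "release-master"},
}


def identity_from_subject(subj):
    """Map an OpenSSL -subj string to (username, groups): the client-cert
    authenticator uses CN as the user name and each O as a group.
    Simplified parser: assumes no '/' inside attribute values."""
    username, groups = None, []
    for part in subj.strip("/").split("/"):
        key, _, value = part.partition("=")
        if key == "CN":
            username = value
        elif key == "O":
            groups.append(value)
    if username is None:
        raise ValueError("subject has no CN: the apiserver would reject it")
    return username, groups


def _matches(allowed, wanted):
    return "*" in allowed or wanted in allowed


def rule_allows(rule, api_group, resource, verb):
    """One RBAC rule allows a request only if group, resource and verb match."""
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def binding_applies(binding, username, groups):
    """A binding applies if any subject names the user or one of its groups."""
    return any((s["kind"] == "User" and s["name"] == username)
               or (s["kind"] == "Group" and s["name"] in groups)
               for s in binding["subjects"])


def can_i(username, groups, namespace, api_group, resource, verb,
          roles=(ROLE,), bindings=(ROLE_BINDING,)):
    """RBAC is purely additive: allow if any rule of any Role bound to the
    identity in that namespace matches; there is no deny rule."""
    for b in bindings:
        if b["metadata"]["namespace"] != namespace:
            continue
        if not binding_applies(b, username, groups):
            continue
        for r in roles:
            if (r["metadata"]["name"] == b["roleRef"]["name"]
                    and r["metadata"]["namespace"] == namespace
                    and any(rule_allows(x, api_group, resource, verb)
                            for x in r["rules"])):
                return True
    return False


def lint_role(role):
    """Findings a reviewer wants: inert unknown verbs, and wildcards that
    contradict the least-privilege intent of a narrow Role."""
    findings = []
    for i, rule in enumerate(role["rules"]):
        findings += [f"rule {i}: '{v}' is not an API verb"
                     for v in rule.get("verbs", []) if v not in API_VERBS]
        findings += [f"rule {i}: wildcard in {fld}"
                     for fld in ("apiGroups", "resources", "verbs")
                     if "*" in rule.get(fld, [])]
    return findings


if __name__ == "__main__":
    user, groups = identity_from_subject("/CN=release-master@prod")
    print(can_i(user, groups, "prod", "apps", "deployments", "patch"))   # True
    print(can_i(user, groups, "prod", "apps", "deployments", "delete"))  # False
    print(can_i(user, groups, "staging", "apps", "deployments", "get"))  # False
    print(*lint_role(ROLE), sep="\n")
```

The evaluator mirrors the properties that matter when reviewing a Role: a namespaced Role never reaches into another namespace, a User subject only matches the exact CN, a verb that is not in the rule (here `delete`) stays denied, and RBAC has no deny rules, so anything a rule does not mention is simply absent. On a real cluster the same questions are answered by `kubectl auth can-i --as=release-master@prod -n prod patch deployments.apps`.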