Adding users to kubernetes

0 votes

I've created a Kubernetes cluster on AWS with kops and can successfully control it via kubectl from my local machine. I need to enable other users to also administer.

kubectl config view gives the following:

    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: REDACTED
        server: https://api.{CLUSTER_NAME}
      name: {CLUSTER_NAME}
    contexts:
    - context:
        cluster: {CLUSTER_NAME}
        user: {CLUSTER_NAME}
      name: {CLUSTER_NAME}
    current-context: {CLUSTER_NAME}
    kind: Config
    preferences: {}
    users:
    - name: {CLUSTER_NAME}
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
        password: REDACTED
        username: admin
    - name: {CLUSTER_NAME}-basic-auth
      user:
        password: REDACTED
        username: admin

Sep 5, 2018 in Kubernetes by Hannah
• 18,570 points

1 answer to this question.

0 votes

Follow these steps:

  1. Create service account for user Alice

    kubectl create sa alice
  2. Get related secret

    secret=$(kubectl get sa alice -o json | jq -r '.secrets[].name')
  3. Get ca.crt from secret (using OSX base64 with -D flag for decode)

    kubectl get secret $secret -o json | jq -r '.data["ca.crt"]' | base64 -D > ca.crt
  4. Get service account token from secret

    user_token=$(kubectl get secret $secret -o json | jq -r '.data["token"]' | base64 -D)
  5. Get information from your kubectl config (current-context, server..)

    # get current context
    c=`kubectl config current-context`
    # get cluster name of context
    name=`kubectl config get-contexts $c | awk '{print $3}' | tail -n 1`
    # get endpoint of current context 
    endpoint=`kubectl config view -o jsonpath="{.clusters[?(@.name == \"$name\")].cluster.server}"`
  6. On a fresh machine, follow these steps (given the ca.crt and $endpoint information retrieved above):

    1. Install kubectl

      brew install kubectl
    2. Set cluster (run in directory where ca.crt is stored)

      kubectl config set-cluster cluster-staging \
        --embed-certs=true \
        --server=$endpoint \
        --certificate-authority=./ca.crt
    3. Set user credentials

      kubectl config set-credentials alice-staging --token=$user_token
    4. Define the combination of alice user with the staging cluster

      kubectl config set-context alice-staging \
        --cluster=cluster-staging \
        --user=alice-staging
    5. Switch current-context to alice-staging for the user

      kubectl config use-context alice-staging

Create a policy file to control user access with policies 

  {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "system:serviceaccount:default:alice", "namespace": "default", "resource": "*", "readonly": true}}

Provision this policy.json on every master node and add the --authorization-mode=ABAC --authorization-policy-file=/path/to/policy.json flags to the API servers.

answered Sep 5, 2018 by Kalgi
• 52,370 points
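
To check what the ABAC policy in the answer above actually grants before deploying it, the following added example (not part of the original answer) models the matching rules from the Kubernetes ABAC documentation for resource requests. The function names are hypothetical, the policy line is constructed from the answer's policy, and group and non-resource matching are left out.

```python
import json

READ_VERBS = {"get", "list", "watch"}

def load_policies(text):
    """Parse an ABAC policy file: one JSON object per line, no enclosing list."""
    policies = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        obj = json.loads(line)  # fails if one object spans several lines
        if obj.get("kind") != "Policy":
            raise ValueError(f"line {n}: kind must be Policy")
        policies.append(obj.get("spec", {}))
    return policies

def _match(rule, value):
    # "*" matches anything; an unset property is "" and matches only "".
    return rule == "*" or rule == value

def allowed(policies, user, verb, resource, namespace, api_group=""):
    """True if at least one policy line matches this resource request."""
    for spec in policies:
        if spec.get("readonly", False) and verb not in READ_VERBS:
            continue
        if (_match(spec.get("user", ""), user)
                and _match(spec.get("namespace", ""), namespace)
                and _match(spec.get("resource", ""), resource)
                and _match(spec.get("apiGroup", ""), api_group)):
            return True
    return False

# Constructed sample: the answer's policy as a single line of the policy file.
ALICE = "system:serviceaccount:default:alice"
POLICY_FILE = json.dumps({
    "apiVersion": "abac.authorization.kubernetes.io/v1beta1",
    "kind": "Policy",
    "spec": {"user": ALICE, "namespace": "default",
             "resource": "*", "readonly": True},
}) + "\n"

if __name__ == "__main__":
    rules = load_policies(POLICY_FILE)
    checks = [("get", "pods", "default"), ("get", "secrets", "default"),
              ("delete", "pods", "default"), ("list", "pods", "kube-system")]
    for verb, res, ns in checks:
        print(f"{verb:7}{res:9}{ns:12}", allowed(rules, ALICE, verb, res, ns))
```

Read-only access with resource "*" includes secrets in the default namespace, so the alice account can read any token stored there; name specific resources in the policy if that is not intended.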
