Create a Certificate-based Kubeconfig

Preface

The goal of this article is to allow someone to access our Kubernetes server using a certificate to which only that user has access.
The certificate allows the administrator to manage the permissions associated with the user and to revoke them as needed.

First, the openssl tool is used to generate a key and a CSR. Then, a role is assigned to the newly created user. Then, a Kubeconfig is created specifically for that user. Finally, we show how to use that certificate to authenticate to the Kubernetes API server.

Private key

We will create a directory where all the certs will be stored during this demonstration:

We then create the private key for Laurent; the -out flag writes the result to the laurent.key file, and 4096 sets the key size to 4096 bits:

Certificate Signing Request (CSR)

We will now prepare the certificate signing request configuration file. This is done in a text editor (for this demo we will use vi):

Add the following content and adapt it to your needs:

The certificate signing request configuration file contains all the necessary information: the user's identity and the proper usage parameters for the user. The last line, extendedKeyUsage=serverAuth,clientAuth, will allow the user to authenticate their local client to the Leaseweb k8s cluster with the certificate once it is signed.

Now the CSR creation for Laurent:

We can take a look at the CSR with this command:

Approval

We will now send this CSR to the Kubernetes cluster and then approve it so that the user Laurent can access the cluster.

First, we need the base64 encoding of the CSR file:

Then create the following Certificate Signing Request manifest:

With this content: laurent-csr.yml

Then we apply this manifest to the k8s cluster:

We will now approve the new CSR and save the issued certificate to our certs directory.

We approve the CSR:

Then we get the newly approved certificate:

This will decode the base64 and save the result to our laurent.crt file.
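The key, CSR and manifest steps above, collected into two shell functions as an added example (not the article's own commands). The user name laurent, the group developers and the output directory are assumptions for the demonstration; the example requests clientAuth only, because for the built-in kubernetes.io/kube-apiserver-client signer the issued certificate's usages come from spec.usages in the manifest, and that signer issues client certificates.

```shell
#!/bin/sh
# Added example, not from the original article. Names (laurent, developers,
# output directory) are assumed for the demonstration.
set -eu

# Generate a 4096-bit private key and a CSR for one user.
# CN becomes the Kubernetes username, O becomes a group the user belongs to.
make_user_csr() {
  user="$1"; group="$2"; dir="$3"
  mkdir -p "$dir"
  # Only the user should ever hold this key file.
  openssl genrsa -out "$dir/$user.key" 4096 2>/dev/null
  chmod 600 "$dir/$user.key"
  cat > "$dir/$user-csr.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = $user
O = $group
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
  openssl req -new -key "$dir/$user.key" -config "$dir/$user-csr.cnf" -out "$dir/$user.csr"
  # Check that the CSR's self-signature matches the embedded public key.
  openssl req -in "$dir/$user.csr" -noout -verify >/dev/null 2>&1
}

# Print a CertificateSigningRequest manifest for the CSR file.
# spec.request is the base64 of the PEM on a single line (tr is portable
# where base64 -w0 is GNU-only). expirationSeconds keeps the cert short-lived.
csr_manifest() {
  user="$1"; csr_file="$2"
  b64=$(base64 < "$csr_file" | tr -d '\n')
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $user
spec:
  request: $b64
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 2592000
  usages:
  - client auth
EOF
}

# Usage: make_user_csr laurent developers ./certs
#        csr_manifest laurent ./certs/laurent.csr > laurent-csr.yml
```

After `kubectl apply -f laurent-csr.yml` and approval, the issued certificate still has to be base64-decoded from the CSR object's status.certificate, as the article does above.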

Kubeconfig

Next, you will create a specific Kubeconfig file for the laurent user. This will give you more control over the user’s access to your cluster.

First you can make a copy of the Kubeconfig you downloaded from the Customer Portal:

We then modify the file and point the user section to the cert and key we have created.

laurent.kubeconfig

Authentication

Finally, we test the newly created Kubeconfig by authenticating:

We get a Forbidden response, since the user now exists but no role or permissions have been set up for it yet.