How To Create IAM USER For Kubernetes Cluster

Gupta Aditya
5 min readApr 18, 2021

--

Hey, guys hope you all are doing good in today's article we are going to create a user with specific power for our Kubernetes multi-node cluster which we created in the previous article if not read yet you can go and read the link provided below.

First, go to your workstation and check if the OpenSSL command is working or not if not make sure to install OpenSSL and it is working properly. Once done configuring the OpenSSL command run the below commands in your workstation.

openssl genrsa -out "Name you want".key 1024= make a private key
Eg:- openssl genrsa -out aditya.key 1024= make a private key
openssl req -new -key "your key file" -out "Name you want".csr= make csr certificate form key{After this it will ask varius things like name,email,state etc do fill it as you want but dont leave it blank}
Eg:-openssl req -new -key aditya.key -out aditya.csr= make csr cert form key

Once the certificate is made now we have to send it to the Kubernetes master so that they can sign the certificate and provide it back to you so that we can use that signed certificate(after signing CSR certificate is convert into crt(Chinese remainder theorem) certificate) to connect to Kubernetes master.

For transferring CSR certificate from workstation to Kubernetes master use WinSCP tool.

Once the certificate is transferred to Kubernetes master run the following command.

Note:- make OpenSSL is working in Kubernetes master node.

cd /etc/kubernetes/pki/ => head towards this drectoryopenssl x509 -req -in "your csr cert" -CA ca.crt -CAkey ca.key -  CAcreateserial -out "Name you want".crt= to make crt cert run in kubernates masterEg:-openssl x509 -req -in aditya.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out aditya.crt= to make crt cert  in master pc

Once your crt certificate is made use WinSCP to copy the crt certificate and ca certificate to your respective workstation.

Now in your workstation, you should have the private key file,crt certificate, and car certificate so we can configure the kubeconfig file.

Now your workstation must have kubectl software which helps to connect to our Kubernetes master and make the command easier to run for RedHat use the below steps.

cat <<EOF > /etc/yum.repos.d/kubernetes.repo[kubernetes]name=Kubernetesbaseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64enabled=1gpgcheck=1repo_gpgcheck=1gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpgEOFyum install -y kubectl

For any other operating system, you can refer to below provided

For verification use the kubectl version command it will give some sort of version which means kubectl was successfully installed.

Now kubectl always use the kubeconfig file to connect to k8s master that kubeconfig file either we can make in its default location /root/.kube/config or we can create in our current directory and pass with the help of argument — — kubeconfig here we will be using — — kubeconfig argument to pass kubeconfig file you can create in its default location if you want.

Now head towards the directory which has all the certs and keys so that we can configure the kubeconfig file easily

kubectl config — kubeconfig {anyname}.kubeconfig set-cluster "cluster name you want to give"— server https://yourip:6443 — certificate-authority=ca.crt= to make kubeconfig file
here yourip= kubernates master node ip(if using aws use public ip of instance where kubernates master running)
Eg:-kubectl config --kubeconfig aditya.kubeconfig set-cluster kubernetes --server https://yourip:6443 --certificate-authority=ca.crt= to make kubeconfig file
kubectl config — kubeconfig "your kubeconfig file" set-credentials "name you want to give for credential"— client-certificate "your crt certificate" — client-key "your private key" = to make credential
Eg:- kubectl config --kubeconfig aditya.kubeconfig set-credentials aditya --client-certificate aditya.crt --client-key aditya.key = to make credential
kubectl config set-context credentialname@clustername --user=credentialname --cluster clustername--kubeconfig "your kubeconfig file" => for setting context
Eg:-kubectl config set-context aditya@kubernetes --user=aditya --cluster awskubecluster --kubeconfig aditya.kubeconfig for setting context
kubectl config get-contexts --kubeconfig "your kubeconfig file"=> to see all the context in kubeconfig file
Eg:- kubectl config get-contexts --kubeconfig aditya.kubeconfig
kubectl config use-context "your context name" --kubeconfig "your kubeconfig file"=> to set current context
Eg:-kubectl config use-context aditya@kubernetes --kubeconfig aditya.kubeconfig
kubectl config current-context --kubeconfig "your kubeconfig file"
Eg:- kubectl config current-context --kubeconfig aditya.kubeconfig

Once all the above step is done that means we have successfully setup kubeconfig file but when you try to kubectl get pods it will still show an error(Note here I am using aws cloud instance that's why error coming if you are configuring in the local system then this step is not required) because of some networking issue in certificate file in Kubernetes master in APIcert they only add private IP of aws while configuring Kubernetes master to add public IP run the below commands.

rm /etc/kubernetes/pki/apiserver.*
kubeadm init phase certs all — apiserver-advertise-address=0.0.0.0 — apiserver-cert-extra-sans=aws public ip
docker rm -f `docker ps -q -f ‘name=k8s_kube-apiserver*’`
systemctl restart kubelet

After running the above command again run kubectl get pods in workstation you might get user name does not have the power to get data this mean you have done all the steps correctly now we have to create role and bind a role to the user because till now we have created user which can come to Kubernetes master but what they can do what they can not that Kubernetes master has to decide which can be controlled by Role binding.

Role binding men's creating role and bind to a specific user so user can do the task with that power.

kubectl create ns "namespace name you want"=> to create namespace
Eg:- kubectl create ns tech =>
kubectl create role "name you want to give to role" --verb="action you want user to perform" --resource="resource youwan" --namespace "name of your namespace" => to create role
Eg:-kubectl create role aditya-tech --verb=get,list --resource=pods --namespace tech
kubectl create rolebinding "name you want to give to rolebinding"
--role=a"role name" -n "namespace name" --user="for which user you want" => to create role binding
Eg:-kubectl create rolebinding aditya-tech-rolebinding --role=aditya-tech -n tech --user=aditya
kubectl -n tech edit role "your role name"=> to edit role your role and give different permisions to users
Eg:-kubectl -n tech edit role aditya-tech

Now you can run the below command in your workstation to check.

kubectl get pods — — kubeconfig “your kubeconfig file name” -n “your namesace name”
Eg:-kubectl get pods — — kubeconfig aditya.kubeconfig -n tech

Guys, here we come to the end of this blog I hope you all like it and found it informative. If have any query feel free to reach me :)

Guys follow me for such amazing blogs and if have any review then please let me know I will keep those points in my mind next time while writing blogs. If want to read more such blog to know more about me here is my website link https://avg-g.technology.Guys Please do not hesitate to keep 👏👏👏👏👏 for it (An Open Secret: You can clap up to 50 times for a post, and the best part is, it wouldn’t cost you anything), also feel free to share it across. This really means a lot to me.

--

--

No responses yet