Hello learners, I am back with another blog. In this blog, we will learn about Kubernetes, and how to use create a user in Kubernetes. I have explained each and everything in deep and divided each part into small parts so that you can understand easily and if you want to read my other blogs then you can follow this link to read my blogs.
Introduction:-
Kubernetes, the leading container orchestration platform, offers robust user management capabilities through authentication and authorization mechanisms. Creating users in Kubernetes is crucial for establishing secure access control and ensuring that only authorized individuals can interact with the cluster. In this blog post, we will provide a step-by-step guide on creating users in Kubernetes, covering authentication methods, authorization, and the use of certificates for enhanced security.
Why we need this:-
Suppose that we have a cluster where we have deployed the various application and the same access is provided to the other team like developer or admin and others. Maybe by mistake, some delete the resource then the application will crash. So to overcome this issue, we will create the users and provide the required access as per their needs. So that no one can delete any resource. A particular person can have access to delete or create resources.
First of all, We will see the difference between authentication and authorization and how we can use them in Kubernetes.
Authentication:-
In the RBAC (Role-Based Access Control) in Kubernetes, authentication refers to the process of verifying the identity of a user who is attempting to access the Kubernetes cluster. It ensures that only authorized users can authenticate and gain access to the cluster’s resources.
Authorization:-
In the context of RBAC (Role-Based Access Control) in Kubernetes, authorization refers to the process of granting or denying access to specific resources and operations within the Kubernetes cluster based on a user’s role or assigned permissions. It will determine about actions, a user is allowed to perform and what resources they can access against the cluster. There are different modules through which we can achieve this authorization like :
- RBAC [ Role base access control ]
- ABAC [ Attribute base access control ]
- Node authorization
Also, RBAC is quite famous for authorization. Basically, RBAC can determine whether a certain user is allowed to perform a certain action on the given resource based on his role. It can vary based on the position the developer has a different role or admin has a different or the monitoring team has also a different role.
How RBAC works:-
In Kubernetes, We can not create users like pods, services, deployments, etc. Basically, Kubernetes does not manage the users and should be managed with an external identity platform like Keycloak, AWS IAM, etc. However, authentication and authorization are handled with Kubernetes and When we perform any operation against our cluster the request goes to the API server.
Basically, the API server first authenticates if you are a valid user or not. If you are a valid user then it authorizes if you are allowed to perform that action if you are authorized then you will get your result.
kubeconfig:-
Kubeconfig is a configuration file used by the Kubernetes command-line tool, kubectl, to authenticate and access Kubernetes clusters. It contains information about the cluster, authentication credentials, etc.
The kubeconfig file is typically located in the user’s home directory under the .kube folder. It can also be explicitly specified using the --kubeconfig flag when executing kubectl commands.
How to create a user in Kubernetes:-
User private key with OpenSSL:-
To create the private key for the user. You just need to run the below command that will create a file with the private key:-
# openssl genrsa -out backend-user.key 2048
# ls -laNow create the certificate signing request for the user with the above-created key:-
# openssl req -new -key backend-user.key -out backend-user.csr -subj "/CN=backend/O=learning/O=learning.org
# ls -laAs you can see in the command that i have attached the last created the file with last command and create a new signing request.
Now this signing request must be signed by the minikube authority.
# sudo openssl x509 -req -CA ~/.minikube/ca.crt -CAkey ~/.minikube/ca.key -CAcreateserial -days 500 -in backend-user.csr -out backend-user.crt
You can see the output in the below image:-
It’s time to add the user to the cluster with the kubectl config set-credential command:-
# kubectl config set-credentials muzakkir --client-certificate=backend-user.crt --client-key=backend-user.key
Now, you can see that your user has been added, and the same thing you can check in the below image:-
You can run this command to check whether your user has been added or not:-
# cat ~/.kube/config
You need to add the context for the user with the below command:-
# kubectl config set-context backend-user-muzakkir --cluster=minikube --user=muzakkir --namespace=default
In this command, I have passed the user and the default namespace. You can add your namespace or as per the requirement and I have given a name to my context backend-user-muzakkir. The same thing, you can check in the config file or you can run the below command and check whether the user is added or not:-
kubectl config get-contexts
You can also switch between the context with this command:-
kubectl config use-context <backend-user-muzakkir>
Now we have created the user in the Kubernetes. As we see how we can create and how we can check and switch between them.
Conclusion:-
In this blog, we have seen how we can create a user in the Kubernetes and how we can generate the certification, and how can sign that certificate and create a new user. The basic idea of using is that we want that everyone has separate users. If you like my blog then you can like this or want to read more blogs then follow this link. You can also check out this official doc about the Kubernetes.
