Asymmetric-key Cryptographic Algorithm for User Authentication In K8s
Confused by the title…!! Short form → User Management In K8s
kubeconfig uses Asymmetric-key Cryptographic Algorithms for User Authentication
.Kube/config usually consists of;
- Private key: Which acts as a Password
- Certificate: which has CA authenticated CSR file
This Article helps in creating a new user from scratch
Note
- We need to be in the cert folder of the k8s cluster at the control plane node and execute this whole task to save time in copying files(key, csr, and crt).
- For minikube cluster, certs will be in /var/lib/minikube/certs folder.
- For kubeadm k8s cluster, certs will be in /etc/kubernetes/pki/ folder.
Steps:
Step 1: Generate a private key
Step 2: Generate a certificate
Generation private key:
openssl genrsa -out thinker.key 1024i.e., openssl genrsa -out <name of the private key for a user> 1024
Generation a certificate
A Certificate Signing Request or CSR is a specially formatted encrypted message sent from a Secure Sockets Layer (SSL) digital certificate applicant to a certificate authority (CA), When signed by CA, this CSR becomes CRT or certificate.
This Generation of the certificate involves 2 sub-steps which include;
- Generation of CSR
- Digital Sign of CSR by CA to create CRT
Generation of CSR
- Generation of CSR requires a private key, which we create in step 1
openssl req -new -key thinker.key -out thinker.csri.e., openssl req -new -key <name of the private key for a user> -out <name of the certificate for a user in csr formatted file>
Digital Sign of CSR by CA to create CRT
Signing new user cert and keys need, actual cluster ca.key and ca.crt file to digitally sign new user keys. Done as below
sudo openssl x509 -req -in thinker.csr -out thinker.crt -CAkey ca.key -CA ca.crt -CAcreateseriali.e., thinker is the name of the new user
Voilaaaaa…!!!
Transferring cert files to the Remote server
With the above steps, we should have all three files ready and have the below permissions.
But while copying these files to another machine, thinker.key file fails to move, as it doesn’t have the required permissions to move. so let's update its permissions by
sudo chmod o+r thinker.key
With updated permissions to key files, now I can able to copy those files to my local
Add User, create context and attach to a K8s Cluster
Add New User
The Kube context for a new user can be done in 2 ways; (1) creating a new kubeconfig file for a new user with new creds, or (2) Updating new users with cred in the current kubeconfig file. Lets later in this,
Currently, I have only 1 user with 1 context we can check below
Let's add this user as shown below
We can a new user been added in kubeconfig file
Update context for new user
We can check the currently available cluster/context locally as below
Let's update this user to context and attach it to a cluster as below
Now we should able to see our cluster(in my case 1 cluster) have 1 new context by a new user.
Verification
Let's switch to a new user context and try getting cluster-info
Voila…..!!!
We are not able to access anything from this cluster with forbidden error
We have reached the expected output which will lead us to RBAC
