How add users in Microk8s ?

Rohin Pandey — Wed, 19 Jun 2024 07:24:22 +0000

MicroK8s is a minimal, low-operations Kubernetes designed for production environments. As an open-source platform, it automates the deployment, scaling, and management of containerized applications. It includes core Kubernetes components with a small footprint and can scale from a single node to a high-availability production cluster. Essentially, MicroK8s offers production-grade support for all key Kubernetes features, including advanced networking and storage configurations.

In this post, we will create a user for microk8s cluster apart from it's default admin user, create a kubeconfig file for the user and use it in kubectl to access the cluster. This is important for a devops engineer to create separate user with appropriate RBAC to insure that a user can access only the required resources in the cluster.

Make sure you have microk8s running in your system, if not you can install it by running the following command.

sudo snap install microk8s --classic

Now we will create user credentials, microk8s uses kubeconfig files to manage user credentials.

We will use "openssl" to generate certificate and key for the new user. Replace "username" with the desired username.

openssl genrsa -out username.key 2048

openssl req -new -key username.key -out username.csr -subj "/CN=username/O=group"

openssl x509 -req -in username.csr -CA /var/snap/microk8s/current/certs/ca.crt -CAkey /var/snap/microk8s/current/certs/ca.key -CAcreateserial -out username.crt -days 365

After this, we are now going to create the kubeconfig file for the new user.
Replace the username, cluster-name and cluster-server with appropriate values.

apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority: /var/snap/microk8s/current/certs/ca.crt
    server: https://<cluster-server>:16443
  name: <cluster-name>
contexts:
- context:
    cluster: <cluster-name>
    user: username
  name: username-context
current-context: username-context
users:
- name: username
  user:
    client-certificate: /path/to/username.crt
    client-key: /path/to/username.key

Create a role and role binding for the new user in Kubernetes. For example, you can create a role that grants read-only access to all resources in a namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: read-only
rules:
- apiGroups: [""]
  resources: ["pods", "services", "deployments"]
  verbs: ["get", "list", "watch"]

Then, create a role binding to bind the role to the new user

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-only-binding
  namespace: default
subjects:
- kind: User
  name: username
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: read-only
  apiGroup: rbac.authorization.k8s.io

You can also create a cluster role and cluster role binding to provide the user cluster wide access.

Apply the above RBAC configuration using kubectl

microk8s kubectl apply -f role.yaml
microk8s kubectl apply -f rolebinding.yaml

Provide the generated kubeconfig file to the new user. The user can then use this file to access the Kubernetes cluster with the permissions defined by the RBAC configuration.

DEV Community: Rohin Pandey

How add users in Microk8s ?