MicroK8s is a minimal, low-operations Kubernetes designed for production environments. As an open-source platform, it automates the deployment, scaling, and management of containerized applications. It includes core Kubernetes components with a small footprint and can scale from a single node to a high-availability production cluster. Essentially, MicroK8s offers production-grade support for all key Kubernetes features, including advanced networking and storage configurations.
In this post, we will create a user for a MicroK8s cluster apart from its default admin user, create a kubeconfig file for that user, and use it with kubectl to access the cluster. This matters for a DevOps engineer: each person gets their own identity with appropriate RBAC, so that a user can access only the resources they need and actions in the audit log can be tied to a named user rather than to the shared admin credentials.
Make sure you have MicroK8s running on your system; if not, install it by running the following command.
sudo snap install microk8s --classic
Now we will create the user credentials. MicroK8s, like upstream Kubernetes, authenticates users by client certificates signed by the cluster CA, and a kubeconfig file is how those credentials are handed to kubectl.
We will use openssl to generate a certificate and key for the new user. Replace "username" with the desired username and "group" with the group the user should belong to: Kubernetes takes the certificate's CN as the user name and its O field as the user's group, and both can be referenced in RBAC bindings. The signing step reads the cluster CA private key under /var/snap/microk8s/current/certs/, which is normally readable only by root.
openssl genrsa -out username.key 2048
openssl req -new -key username.key -out username.csr -subj "/CN=username/O=group"
openssl x509 -req -in username.csr -CA /var/snap/microk8s/current/certs/ca.crt -CAkey /var/snap/microk8s/current/certs/ca.key -CAcreateserial -out username.crt -days 365
After this, we create the kubeconfig file for the new user.
Replace username, <cluster-name> and <cluster-server> with the appropriate values. Note that the certificate-authority path below points at the MicroK8s node's filesystem, so a user on another machine needs a copy of ca.crt (or the certificate embedded in the file).
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority: /var/snap/microk8s/current/certs/ca.crt
    server: https://<cluster-server>:16443
  name: <cluster-name>
contexts:
- context:
    cluster: <cluster-name>
    user: username
  name: username-context
current-context: username-context
users:
- name: username
  user:
    client-certificate: /path/to/username.crt
    client-key: /path/to/username.key
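The kubeconfig above references files by path, which only works on a machine that has all three files in place. A single portable file can instead carry the CA, the client certificate and the key base64-encoded in the standard certificate-authority-data, client-certificate-data and client-key-data fields. The script below is an added example and not part of the original post: it builds such a file, checks that each PEM blob carries the header you expect (so a key is not pasted where a certificate belongs), and writes it with mode 0600 because it now contains the user's private key. The PEM blobs are constructed placeholders; in practice read ca.crt, username.crt and username.key from the openssl steps. The output is JSON, which kubectl accepts as a kubeconfig since JSON is valid YAML.

```python
import base64
import json
import os

# Constructed placeholder PEM blobs standing in for ca.crt, username.crt and
# username.key; replace them with the real files produced by openssl.
CA_PEM = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtQ0E=\n-----END CERTIFICATE-----\n"
CERT_PEM = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtVVNFUg==\n-----END CERTIFICATE-----\n"
KEY_PEM = b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQtS0VZ\n-----END PRIVATE KEY-----\n"


def is_pem(pem: bytes, label: str) -> bool:
    """True if the first line is a PEM BEGIN header carrying the given label.

    "PRIVATE KEY" matches both "BEGIN PRIVATE KEY" (PKCS#8) and
    "BEGIN RSA PRIVATE KEY", since openssl genrsa emits either depending on version.
    """
    first_line = pem.splitlines()[0] if pem else b""
    return first_line.startswith(b"-----BEGIN ") and label.encode() in first_line


def pem_to_data(pem: bytes, label: str) -> str:
    """Base64-encode a whole PEM blob for a kubeconfig *-data field."""
    if not is_pem(pem, label):
        raise ValueError(f"expected a PEM block with a BEGIN {label} header")
    return base64.b64encode(pem).decode("ascii")


def build_kubeconfig(username, cluster_name, server, ca_pem, cert_pem, key_pem):
    """Return a kubeconfig dict with CA, client certificate and key embedded."""
    context = f"{username}-context"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{
            "name": cluster_name,
            "cluster": {
                "server": server,
                "certificate-authority-data": pem_to_data(ca_pem, "CERTIFICATE"),
            },
        }],
        "contexts": [{
            "name": context,
            "context": {"cluster": cluster_name, "user": username},
        }],
        "current-context": context,
        "users": [{
            "name": username,
            "user": {
                "client-certificate-data": pem_to_data(cert_pem, "CERTIFICATE"),
                "client-key-data": pem_to_data(key_pem, "PRIVATE KEY"),
            },
        }],
    }


def write_kubeconfig(config: dict, path: str) -> str:
    """Write the kubeconfig as JSON with mode 0600: it holds a private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=2)
    return path


def embedded_pem(config: dict, section: str, field: str) -> bytes:
    """Decode an embedded *-data field back to PEM, e.g. to inspect a received file."""
    inner = {"clusters": "cluster", "users": "user"}[section]
    return base64.b64decode(config[section][0][inner][field])


if __name__ == "__main__":
    cfg = build_kubeconfig("username", "<cluster-name>", "https://<cluster-server>:16443",
                           CA_PEM, CERT_PEM, KEY_PEM)
    print("wrote", write_kubeconfig(cfg, "username.kubeconfig"))
```

The file written this way can be handed to the user as-is; they run it with `kubectl --kubeconfig username.kubeconfig get pods` or copy it to ~/.kube/config. The same 0600 permission should be kept wherever the file ends up, since anyone who can read it can act as that user until the certificate expires.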
Create a role and role binding for the new user in Kubernetes. For example, you can create a role that grants read-only access to pods, services and deployments in a namespace. Note that Deployment belongs to the apps API group, not the core group (""), so it needs its own rule; a rule that lists deployments under apiGroups [""] silently grants nothing for them.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: read-only
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
Then, create a role binding to bind the role to the new user. The subject name must match the CN in the user's certificate exactly.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-only-binding
  namespace: default
subjects:
- kind: User
  name: username
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: read-only
  apiGroup: rbac.authorization.k8s.io
You can also create a ClusterRole and ClusterRoleBinding to give the user cluster-wide access, but prefer namespaced Roles unless the user genuinely needs to reach every namespace.
Apply the above RBAC configuration using kubectl (assuming the two manifests were saved as role.yaml and rolebinding.yaml).
microk8s kubectl apply -f role.yaml
microk8s kubectl apply -f rolebinding.yaml
Provide the generated kubeconfig file to the new user. The user can then use this file to access the Kubernetes cluster with the permissions defined by the RBAC configuration.
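Before handing over the kubeconfig, it is worth checking what the bindings actually grant. A common mistake with rules like the ones above is listing deployments under the core group (""), since Deployment lives in the apps group, and RBAC is deny-by-default so the omission produces no error, just a silent "forbidden" for the user. The evaluator below is an added example, not code from the post or from MicroK8s: it reproduces the namespaced Role/RoleBinding matching logic (explicit entries or the "*" wildcard for apiGroups, resources and verbs; User subjects by name, Group subjects via the groups that come from the certificate's O field) over constructed copies of the manifests, and contrasts a core-group-only role with one that adds an apps rule.

```python
# Constructed Role/RoleBinding objects mirroring the manifests in the post.
ROLE_CORE_ONLY = {
    "kind": "Role",
    "metadata": {"namespace": "default", "name": "read-only"},
    "rules": [
        # Only the core ("") group is named, so this never matches Deployment,
        # which lives in the "apps" API group.
        {"apiGroups": [""], "resources": ["pods", "services", "deployments"],
         "verbs": ["get", "list", "watch"]},
    ],
}

ROLE_WITH_APPS = {
    "kind": "Role",
    "metadata": {"namespace": "default", "name": "read-only"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "services"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch"]},
    ],
}

ROLE_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "default", "name": "read-only-binding"},
    "subjects": [{"kind": "User", "name": "username"}],
    "roleRef": {"kind": "Role", "name": "read-only"},
}

# Constructed binding for a Group subject: "group" is the O= value from the CSR.
GROUP_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "default", "name": "read-only-group-binding"},
    "subjects": [{"kind": "Group", "name": "group"}],
    "roleRef": {"kind": "Role", "name": "read-only"},
}


def _matches(allowed, value):
    """RBAC list matching: an explicit entry or the "*" wildcard."""
    return "*" in allowed or value in allowed


def rule_allows(rule, api_group, resource, verb):
    """True if a single PolicyRule covers the (apiGroup, resource, verb) triple."""
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def _subject_matches(subject, user, groups):
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return False  # ServiceAccount subjects are out of scope here


def can_i(user, namespace, verb, resource, api_group, roles, bindings, groups=()):
    """Namespaced-RBAC approximation of `kubectl auth can-i`.

    Allowed if any RoleBinding in the namespace names the user (or one of the
    user's groups) and references a Role with a matching rule. There is no
    deny rule in RBAC: no match simply means the request is forbidden.
    """
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r
                    for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue
        if not any(_subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        role = roles_by_key.get((namespace, ref["name"])) if ref["kind"] == "Role" else None
        if role and any(rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    for role in (ROLE_CORE_ONLY, ROLE_WITH_APPS):
        ok = can_i("username", "default", "get", "deployments", "apps", [role], [ROLE_BINDING])
        print(len(role["rules"]), "rule(s):", "allowed" if ok else "forbidden")
```

On the real cluster the admin can run the equivalent check without switching kubeconfigs: `microk8s kubectl auth can-i get deployments --as username -n default` answers yes or no using the server's own RBAC evaluation, and `--as-group group` adds the certificate's group. Running that once per intended permission before handing out the file catches both over- and under-granting.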