Rohin Pandey
How to add users in MicroK8s?

MicroK8s is a minimal, low-operations Kubernetes designed for production environments. As an open-source platform, it automates the deployment, scaling, and management of containerized applications. It includes core Kubernetes components with a small footprint and can scale from a single node to a high-availability production cluster. Essentially, MicroK8s offers production-grade support for all key Kubernetes features, including advanced networking and storage configurations.

In this post, we will create a user for a MicroK8s cluster in addition to its default admin user, create a kubeconfig file for that user, and use it with kubectl to access the cluster. It is important for a DevOps engineer to create separate users with appropriate RBAC to ensure that each user can access only the required resources in the cluster.

Make sure you have MicroK8s running on your system. If not, you can install it by running the following command.

```bash
sudo snap install microk8s --classic
```

Now we will create the user credentials. MicroK8s uses kubeconfig files to manage user credentials.

We will use "openssl" to generate a certificate and key for the new user. Replace "username" with the desired username. Kubernetes takes the username from the certificate's CN field and the group from its O field.

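```bash
# Generate a 2048-bit RSA private key for the user
openssl genrsa -out username.key 2048

# Create a certificate signing request (CN = username, O = group)
openssl req -new -key username.key -out username.csr -subj "/CN=username/O=group"

# Sign the request with the MicroK8s cluster CA; the certificate is valid for 365 days
openssl x509 -req -in username.csr -CA /var/snap/microk8s/current/certs/ca.crt -CAkey /var/snap/microk8s/current/certs/ca.key -CAcreateserial -out username.crt -days 365
```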

After this, we are now going to create the kubeconfig file for the new user.
Replace the username, cluster-name and cluster-server with appropriate values.

```yaml
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority: /var/snap/microk8s/current/certs/ca.crt
    server: https://<cluster-server>:16443
  name: <cluster-name>
contexts:
- context:
    cluster: <cluster-name>
    user: username
  name: username-context
current-context: username-context
users:
- name: username
  user:
    client-certificate: /path/to/username.crt
    client-key: /path/to/username.key
```

Create a role and role binding for the new user in Kubernetes. For example, you can create a role that grants read-only access to pods, services and deployments in a namespace.

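```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: read-only
rules:
# Pods and services belong to the core API group ("")
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]
# Deployments belong to the "apps" API group, so they need their own rule
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
```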

Then, create a role binding to bind the role to the new user.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-only-binding
  namespace: default
subjects:
- kind: User
  name: username
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: read-only
  apiGroup: rbac.authorization.k8s.io
```

You can also create a cluster role and cluster role binding to give the user cluster-wide access.

Apply the above RBAC configuration using kubectl (here saved as role.yaml and rolebinding.yaml):

```bash
microk8s kubectl apply -f role.yaml
microk8s kubectl apply -f rolebinding.yaml
```

Provide the generated kubeconfig file to the new user, together with the certificate, key and CA files it references by path. The user can then use this file to access the Kubernetes cluster with the permissions defined by the RBAC configuration.
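
Because the CSR is signed directly with the cluster CA, whatever is in its subject becomes the user's identity, and Kubernetes reserves user and group names starting with `system:` (the `system:masters` group bypasses RBAC). The script below is an added example, not part of the original post, that checks a CSR's subject before the `openssl x509 -req` step; the function names `check_subject` and `check_csr` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): refuse to sign a CSR whose
# subject would map to a reserved Kubernetes identity.
# Kubernetes reads the username from CN and one group from each O field.

# check_subject SUBJECT
#   SUBJECT is an RFC 2253 string such as "O=group,CN=username".
#   Prints "ok: user=<CN> groups=<O,...>" and returns 0 if safe to sign;
#   prints a reason on stderr and returns 1 otherwise.
check_subject() (          # subshell body keeps set -f and IFS local
  subject=$1 cn="" groups=""
  # Fail closed on escaped characters and multi-valued RDNs instead of
  # risking a mis-parse of the identity.
  case $subject in
    *\\*|*+*) echo "reject: unsupported subject syntax: $subject" >&2; exit 1 ;;
  esac
  set -f; IFS=,
  for rdn in $subject; do
    key=${rdn%%=*} val=${rdn#*=}
    case $key in
      CN) cn=$val ;;
      O)  groups=${groups:+$groups,}$val ;;
      *)  continue ;;     # OU, C, etc. do not affect the identity
    esac
    case $val in
      "")       echo "reject: empty $key" >&2; exit 1 ;;
      system:*) echo "reject: $key=$val uses the reserved system: prefix" >&2; exit 1 ;;
    esac
  done
  [ -n "$cn" ] || { echo "reject: subject has no CN (username)" >&2; exit 1; }
  echo "ok: user=$cn groups=$groups"
)

# check_csr FILE: read the subject from a CSR file and apply check_subject.
check_csr() (
  subject=$(openssl req -in "$1" -noout -subject -nameopt RFC2253) || exit 1
  subject=${subject#subject=}
  check_subject "${subject# }"
)

# When called with a CSR path, e.g. ./check.sh username.csr, check that file.
if [ "$#" -gt 0 ]; then
  check_csr "$1"
fi
```

Run it on `username.csr` and sign only when it exits 0.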
