Adding users to your Kubernetes cluster | Creating client certificate and key to provide users

  Views: 7,366

Vivek Singh

A day ago

In this video we looked into the details of how we can generate certificate and key file to authenticate a user against a Kubernetes cluster.
We looked into two ways to do that: generating the private key and CSR and then manually signing that CSR using the API server's CA key and certificate file, and creating a CertificateSigningRequest resource and approving it to generate the certificate.
Web:
viveksingh.dev/
Twitter:
00:00 Introduction
00:25 Agenda
01:57 K8S doesn't have APIs to support users
03:32 Check if client certificate is supported
04:34 Creating client key and certificate
11:13 Two ways to generate client certificate
16:30 Adding created key and certificate file into kubeconfig
21:06 Authorise newly created user
26:45 Create CertificateSigningRequest to generate client certificate
35:16 Common name and group for user
35:38 Contents of authenticated request
36:41 Thank you, Like and Subscribe
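
Added example (not from the video or its author): the CertificateSigningRequest route from the description, written as shell functions that create the key and CSR with the username in CN and the group in O, then print the manifest to submit. The user vivek, the group dev and the one-day expirationSeconds are assumptions chosen for illustration; the lifetime is kept short because Kubernetes cannot revoke a client certificate once it is issued.

```shell
#!/usr/bin/env bash
# Added example; user, group and lifetime values are illustrative assumptions.
set -eu

# make_client_csr <user> <group> <outdir>
# Writes <outdir>/<user>.key (owner-only) and <outdir>/<user>.csr.
# The API server reads CN as the username and O as the group.
make_client_csr() {
  local user="$1" group="$2" out="$3"
  ( umask 077; openssl genrsa -out "$out/$user.key" 2048 2>/dev/null )
  openssl req -new -key "$out/$user.key" \
    -subj "/CN=$user/O=$group" -out "$out/$user.csr"
}

# csr_subject <csr-file>
# Prints the requested subject so an approver can check CN/O before approving.
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# csr_manifest <user> <csr-file> <lifetime-seconds>
# Prints a client-auth CertificateSigningRequest with a bounded lifetime.
csr_manifest() {
  local user="$1" csr="$2" ttl="$3"
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $user
spec:
  request: $(base64 < "$csr" | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: $ttl
  usages:
  - client auth
EOF
}

# Typical use against a cluster (not run here):
#   make_client_csr vivek dev .
#   csr_manifest vivek vivek.csr 86400 | kubectl apply -f -
#   csr_subject vivek.csr            # review before approving
#   kubectl certificate approve vivek
#   kubectl get csr vivek -o jsonpath='{.status.certificate}' | base64 -d > vivek.crt
```

The private key never leaves the machine where it was generated; only the CSR is sent to the cluster.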

Comments: 60
@harishchava1443 2 years ago
Why did you exec into kube-apiserver-kind-control-plane container only for generating the user certificate? Is it the kind of admin container which generates certs? I am using an AKS cluster. Which pod do I need to use for generating certs?
@viveksinghggits 2 years ago
Hi Harish, that's a good question. We basically have to generate two things: a private key and a CSR. These two things can be generated using the openssl command independently. Once we have those files, look at 11:13. You can create a CertificateSigningRequest k8s object using the files that we generated, and then the admin can approve that request and we would get the .crt. Let me know if you have any other questions.
@srinivasrayarao2529 10 months ago
As usual, brilliant
@viveksinghggits 10 months ago
Thank you.
@user-mb7qe6ro9m 3 years ago
Awesome man, m currently learning K8, what u described above i asked many people who are already working into this since years but no one never replied back and the way u explained it 👏👏👏👏👏
@viveksinghggits 3 years ago
Hey 👋, Thank you so much 💓 for the kind words🙏. I appreciate it. I am glad the video was helpful.
@sachinkumar-os3ce 3 years ago
Awesome explanation. Thanks Vivek
@viveksinghggits 3 years ago
Thank you Sachin 😊
@Yesdin007 2 years ago
Thank you for explaining the CSR concept
@viveksinghggits 2 years ago
I am glad you liked it.
@ramyasriram5290 2 years ago
Informative video. Thank you
@viveksinghggits 2 years ago
Thank you 😊 Ramya.
@harinireddy8423 2 years ago
Very good explanation, thank you so much
@viveksinghggits 2 years ago
Thank you, Harini.
@KrishnaKumar-ks3mj 2 years ago
Hey Dear, First video I found worth watching and got lot of information which I was looking for since a year. Great to view your videos having lot of contents and clear most of my doubts / :)
@viveksinghggits 2 years ago
Thanks for the kind words.
@manishsingh-yl4hn 2 years ago
Good content bro.. And you explained perfectly
@viveksinghggits 2 years ago
Thank you 😊
@faruk12ify 3 years ago
Nice explanation sir ..... Awesome video
@viveksinghggits 3 years ago
Thank you 😊
@LearnProgramsCJ 3 years ago
Nice video. Useful information for beginners
@viveksinghggits 3 years ago
Thank you Justin. 😊
@sameersardar6699 3 years ago
well explained bro ... I was unable to get it ... Thanks a lot
@viveksinghggits 3 years ago
Thanks 😊 Sameer. I am happy it was helpful.
@ghostarun1 3 years ago
Good 👍 well done keep going.. Help...ppl to learn
@viveksinghggits 3 years ago
Thank you Arun 😊
@dipi411 A year ago
Nice explanation
@viveksinghggits A year ago
Thank you 😊
@manasjain914 3 years ago
Helpful 👍
@viveksinghggits 3 years ago
Thank you Manas 😊
@vijaygharge2414 3 years ago
Hi Vivek, good content and coverage. Only request if you can make these videos small screen friendly (by increasing font size/zoom in). It would make phone based viewing experience seamless. Keep up the good work! Kudos
@viveksinghggits 3 years ago
Thanks Vijay, I have been trying to make smaller videos, let's see. I would also increase the font size in the next videos.
@madhaiyanm4036 2 years ago
Really very great video with in-depth knowledge.. well done.. keep going.. One question: you created a role to allow pods only for the vivek user. In case we want to provide all permission as like another user, do we need to create cluster role & cluster role binding?
@viveksinghggits 2 years ago
What do you mean by provide all permission as like another user?
@madhaiyanm4036 2 years ago
@viveksinghggits I mean to create, list, delete all namespaces, all pods, all deployments and other k8s objects?
@viveksinghggits 2 years ago
In that case we can add the user into admin group.
@NitinSharma-if1tf 2 years ago
Hello sir, I have created a cluster with one master and one worker node, master node added with public Azure load balancer. But when we run curl load balancer ip:6443 from the master node to access kube-api server, I get an error like curl (60) SSL certificate problem: unable to get local issuer certificate. Also when we try from the browser it does not access. Please tell me something about this.
@viveksinghggits 2 years ago
Hi Nitin, If I understood correctly you are trying to access the API server endpoint using curl and browser, why are you doing that? That's not how we access k8s clusters, right? Since the API server is secured you won't be able to access the API server endpoint. You will have to generate the kubeconfig file to access the k8s cluster. Now, generating the kubeconfig file depends on how you have set up the cluster.
@karthikkumar12 A year ago
Hi Vivek, thanks for the detailed explanation. Can you clarify what is the ca-certificate that is in the kubeconfig yaml file? Is that the same ca-certificate as the one in control-plane (/etc/kubernetes/pki/ca.crt that you used to create user certificate) or different? Can we use the ca-certificate in the kubeconfig yaml file to generate certificates?
@karthikkumar12 A year ago
I think the answer for "Can we use the ca-certificate in the kubeconfig yaml file to generate certificates?" is no, because we need ca.key AND ca.crt to generate certificates
@viveksinghggits A year ago
Hi Karthik, Sorry, I don't have the answer to that question on top of my head.
@vinodreddy1722 3 years ago
Hi vijay, we added user vivek but how does kubernetes know that user vivek is executing, because we didn't log in as user vivek? And a video on securityContext please
@viveksinghggits 3 years ago
When we create a CSR (certificate signing request), we specify the username as common name (CN) for the subj flag. And the certificate for the user is created using the same CSR, which (cert) eventually is used in kubeconfig. And that is how kubernetes figures out which user is trying to talk to the cluster. Let me know if this didn't make sense.
@vinodreddy1722 3 years ago
@viveksinghggits thanks for your reply, we are creating user vivek and doing everything, do we need to log in as user vivek to the server where the cluster is running to get this access?
@viveksinghggits 3 years ago
Not really, if you see we didn't create a Linux user anywhere. So, you just have to set credentials in kubeconfig and kubectl should take care of the rest.
@deepakkarthikeyan2508 2 years ago
Is the procedure same for readonly user?
@viveksinghggits 2 years ago
I think yes, the procedure would be same. We would just have to create the role/cluster role accordingly.
@Zeid_Al-Seryani 2 years ago
Thank you for your efforts, it was very helpful. Kindly, I have a question: after giving the devuser authentication to the cluster, what if I want to remove the authentication so the devuser will not be allowed to communicate with the cluster, how can I do that? Thanks in advance.
@viveksinghggits 2 years ago
Hi 👋, That's a good question. I am not sure if there is a command kubectl certificate deny that can be used to revoke the access, like we used kubectl certificate approve to approve the access. Yeah, so I am not sure. You will have to figure that out.
@Zeid_Al-Seryani 2 years ago
@viveksinghggits I have searched this in the kubernetes documentation. I think the only way to do that is to delete the rolebinding / roleBinding created for this user, but the user will still be able to authenticate to the cluster but without any permissions (as seen in your video before creating the role and role binding). I think this is the only way to revoke authorization while you are unable to revoke the authentication. Best Wishes Dear.
@viveksinghggits 2 years ago
Yeah, you are right. I will keep this in mind and get back to you if I find something.
@Zeid_Al-Seryani 2 years ago
@viveksinghggits Do you recommend any mock exams to prepare me before CKA? Thank you
@viveksinghggits 2 years ago
I think the udemy course by Mumshad is pretty good.
@moinsyed195 A year ago
Please make some more videos
@viveksinghggits A year ago
Sure. I have plans to create more videos.