I've tried to create user accounts with a client certificate.
I followed two tutorials but stuck with both options in an error with the message
https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/
I set the right user, server and the right context. I set the namespace but still the same error.
> kubectl get pods
You must be logged in to the server (Unauthorized)
Did someone already experienced something similar? Or does someone knows what i'm doing wrong?
My k3s cluster version is 1.15.4.
I finally found my answer in this ticket.
https://github.com/rancher/k3s/issues/684
The user huapox posted the following code:
[root@(⎈ |default:default) sec-rbac]$ cat t2.sh
ws=/opt/sec-rbac
day=3650
clus_name="t1.k3s"
clus_ns="default"
user="koper"
#clus_url="https://10.200.100.183:7442"
clus_url="https://server:6443" ##
ca_path=$ws/server/tls
rm -f $ca_path/*-ca.srl
ctx=gen && mkdir -p $ws/$ctx/{kube,keys} && cd $ws/$ctx
#############
ca1=client-ca
generate="keys/u-"$user
echo -e "\033[32m#>>GEN-KEY\033[0m"
#openssl genrsa -out $generate.key 2048
openssl ecparam -name prime256v1 -genkey -noout -out $generate.key
openssl req -new -key $generate.key -out $generate.csr -subj "/CN=${user}@${clus_name}/O=key-gen"
openssl x509 -req -in $generate.csr -CA $ca_path/$ca1.crt -CAkey $ca_path/$ca1.key -CAcreateserial -out $generate.crt -days $day
#-----------
#generate=$ca_path/client-admin ##test
ca2=server-ca
embed=false
ctx2="$user@$clus_name"
config="kube/$user.kubeconfig"
echo -e "\033[32m#>>KUBE-CONFIG\033[0m"
kubectl --kubeconfig=$config config set-cluster $clus_name --embed-certs=$embed --server=$clus_url --certificate-authority=$ca_path/$ca2.crt
kubectl --kubeconfig=$config config set-credentials $user --embed-certs=$embed --client-certificate=$generate.crt --client-key=$generate.key
kubectl --kubeconfig=$config config set-context $ctx2 --cluster=$clus_name --namespace=$clus_ns --user=$user
kubectl --kubeconfig=$config config set current-context $ctx2
kubectl --kubeconfig=$config --context=$ctx2 get pods
Big thanks to huapox.