I am creating a new user named tote in my kubeadm Kubernetes cluster. So first I created a key:
openssl genrsa -out tote.key 2048
Then I created a CSR:
openssl req -new -key tote.key -subj "/CN=tote-admin" -out tote.csr
Finally, I am following the Kubernetes docs here, so:
A) I create a CertificateSigningRequest manifest:
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: tote
spec:
  request: XXXXXX (base64 of the generated CSR)
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
B) Approve the CSR using kubectl:
kubectl certificate approve tote
C) Produce the crt certificate for tote user:
kubectl get csr tote -o jsonpath='{.status.certificate}'| base64 -d > tote.crt
Finally, when I try to list pods through the apiserver URL as the tote user, it gives me the following error:
curl https://172.31.127.100:6443/api/v1/pods --key tote.key --cert tote.crt --cacert /etc/kubernetes/pki/ca.crt
And the response:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "pods is forbidden: User \"tote-admin\" cannot list resource \"pods\" in API group \"\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403
}
Any help on how to resolve this issue and allow the user tote to access pods?
It looks like your auth is working, but the user doesn't have the necessary permissions. You need to create RBAC permissions for the user you use. Refer to Using RBAC Authorization.
Also try extracting the certs from the .kube/config file, like client-key-data:
echo -n "LS0....Cg==" | base64 -d > admin.key
client-certificate-data:
echo -n "LS0...C==" | base64 -d > admin.crt
certificate-authority-data:
echo -n "LS0...g==" | base64 -d > ca.crt
Then use:
curl https://172.31.127.100:6443 \
  --key admin.key \
  --cert admin.crt \
  --cacert ca.crt
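The following script is an added example and is not code from the question or the answer above. It ties together the CSR procedure in the question (steps A to C) and the RBAC fix the answer points to: it builds the CertificateSigningRequest manifest with the base64 request on a single line, reads the CN back out of the CSR (the API server takes the user name from the certificate's CN, which is why the 403 names "tote-admin" rather than "tote"), grants that user read access to pods in one namespace with a Role and RoleBinding, and verifies the result with kubectl impersonation instead of re-running curl with tote's key. It assumes openssl and kubectl are on PATH, that kubectl is already configured with admin credentials, that the CSR is in tote.csr, and that "default" is the namespace the user should work in; the role name pod-reader and the 24h expirationSeconds are choices made here, not anything from the original post.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Assumptions: openssl and kubectl on PATH, kubectl configured as an admin,
# CSR file tote.csr, target namespace "default".
set -eu

# Build the CertificateSigningRequest manifest from a PEM CSR file.
# spec.request must be the CSR as base64 on ONE line, so the newlines that
# base64 inserts every 76 columns are stripped. expirationSeconds (1.22+)
# keeps the client cert short-lived; 86400s is an assumption for this example.
csr_manifest() {
  name="$1"; csr_file="$2"
  b64=$(base64 < "$csr_file" | tr -d '\n')
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${name}
spec:
  request: ${b64}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400
  usages:
  - client auth
EOF
}

# The user name kube-apiserver authenticates is the certificate CN, not the
# CSR object name, so read it back from the CSR and bind RBAC to exactly that.
csr_cn() {
  openssl req -noout -subject -nameopt RFC2253 -in "$1" \
    | sed 's/^subject=//; s/^CN=//; s/,.*$//'
}

# Least-privilege grant: a namespace-scoped Role plus a RoleBinding for the
# user. Listing /api/v1/pods (all namespaces) would need a ClusterRole instead.
rbac_manifest() {
  ns="$1"; user="$2"; role="${3:-pod-reader}"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${role}
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${role}-${user}
  namespace: ${ns}
subjects:
- kind: User
  name: ${user}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ${role}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# End-to-end: submit and approve the CSR, wait for the signer to issue the
# cert, write it out, grant RBAC, then check authorization by impersonation.
provision_user() {
  name="$1"; csr_file="$2"; ns="$3"
  user=$(csr_cn "$csr_file")
  csr_manifest "$name" "$csr_file" | kubectl apply -f -
  kubectl certificate approve "$name"
  # Issuance is asynchronous after approval; poll until status.certificate is set.
  until kubectl get csr "$name" -o jsonpath='{.status.certificate}' | grep -q .; do
    sleep 1
  done
  kubectl get csr "$name" -o jsonpath='{.status.certificate}' | base64 -d > "${name}.crt"
  rbac_manifest "$ns" "$user" | kubectl apply -f -
  # can-i exits 0 for "yes" and 1 for "no"; the namespaced check must pass,
  # the cluster-wide one is expected to fail with a namespace-scoped Role.
  kubectl auth can-i list pods -n "$ns" --as "$user"
  if kubectl auth can-i list pods --all-namespaces --as "$user" >/dev/null; then
    echo "warning: ${user} can list pods cluster-wide" >&2
  fi
}

if [ "${1:-}" = "provision" ]; then
  provision_user tote tote.csr default
fi
```

Run it as `sh provision.sh provision` from a machine with admin kubectl access. Note that after this the original curl against /api/v1/pods will still return 403, because that path lists pods at cluster scope and the Role above is bound only in one namespace; use /api/v1/namespaces/default/pods with tote's key and cert, or grant a ClusterRole through a ClusterRoleBinding if cluster-wide listing is genuinely required.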