Different ways to use rbac. How to limit the scope of a user in kubernetes namespace or give the user the whole cluster scope.


Create Specific Namespace Scoped Role

  1. First, needs to generate private key
openssl genrsa -out <name>.pem 2048
  1. Second, generate certificate signing request(.csr)
openssl req -new -key <name>.pem -out <name>.csr -subj "/CN=<name>"
  1. Now, needs to file a signing request to kubernetes CA. So that kubernetes CA can sign this request.
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
  name: user-request
  - system:authenticated
  request: <this field's value is base64 encoded the .csr file, which we generated previously.>
  - digital signature
  - key encipherment
  - client auth

  1. Now, create the CertificateSigningRequest by
kubectl apply -f <file-name of CertificateSigningRequest>
  1. Now, time to approve CertificateSigningRequest, which we created in previous step.
kubectl certificate approve user-request

this command signed the certificate.

  1. Now, download the signed certificate and save it in some file.
kubectl get csr user-request -o jsonpath='{.status.certificate}' | base64 -d > <name>.crt

  1. Now, set config context
kubectl config set-cluster <name> --insecure-skip-tls-verify=true --server=<server-url>
kubectl config set-credentials <name> --client-certificate=<name>.crt --client-key=<name>.pem --embed-certs=true
kubectl config set-context <name> --cluster=<name> --user=<name>
kubectl config use-context <nmae>
  1. Now, create cluterrole/role and cluterrolebinding/rolebinding.