Hi
Yes, you can use the built-in CA in your cluster to create client certificates. Background information on how to use the CA: https://kubernetes.io/docs/concepts/cluster-administration/certificates/
Basically here is what I did:
Assuming I have a user.json like this:
{
  "CN": "haugom",
  "key": {
    "algo": "rsa",
    "size": 4096
  },
  "names": [{
    "O": "haugom",
    "email": "some@email"
  }]
}
You can then generate a CSR for this. In this example I use cfssl to generate the CSR:
cfssl genkey user.json | cfssljson -bare client
You can now use kubectl to submit a CSR for your cluster:
cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
# certificates.k8s.io/v1 (v1beta1 was removed in Kubernetes 1.22) additionally
# requires spec.signerName: kubernetes.io/kube-apiserver-client
kind: CertificateSigningRequest
metadata:
  name: haugom
spec:
  groups:
  - system:authenticated
  - haugom
  request: $(cat client.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
The request field is the base64-encoded version of your CSR file.
To view your CSR: kubectl get csr
To approve it:
kubectl certificate approve haugom
Decode it:
kubectl get csr haugom -o jsonpath='{.status.certificate}' | base64 -d > client.pem
You can now use the client-key.pem and client.pem to build a kubeconfig.
You can then create RBAC rolebindings on your cluster assigning to either --user=haugom or --group=haugom (assuming you used "O": "haugom" like I did in this example).
/G
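The flow above as an added shell example, not code from the original answer: it produces the same CN/O subject with openssl instead of cfssl, builds the CSR manifest, and adds the check an approver should run on spec.request before `kubectl certificate approve`. The function names are made up, and openssl plus GNU base64 are assumed to be on PATH.

```bash
#!/usr/bin/env bash
# Added example, not the original answer's code. Assumes openssl and GNU base64
# are on PATH; the function names are made up for this illustration.
set -eu

# gen_client_csr USER ORG: private key + CSR with CN=USER and O=ORG, the same
# subject the user.json in the answer gives cfssl (CN -> user, O -> group).
gen_client_csr() {
  openssl req -new -newkey rsa:4096 -nodes -subj "/CN=$1/O=$2" \
    -keyout "$1-key.pem" -out "$1.csr" 2>/dev/null
}

# csr_manifest NAME CSRFILE: print the CertificateSigningRequest object with
# spec.request set to the base64 of the PEM CSR, newlines stripped.
# (On the certificates.k8s.io/v1 API, spec.signerName is also required.)
csr_manifest() {
  req=$(base64 < "$2" | tr -d '\n')
  cat <<EOF
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  request: $req
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
}

# check_request B64REQUEST EXPECTED_SUBJECT: the approver-side check before
# `kubectl certificate approve`. Decode spec.request (for a live object:
# kubectl get csr NAME -o jsonpath='{.spec.request}'), verify its
# self-signature, and require the subject to be exactly the identity being
# granted: the API server reads the signed cert's CN as the username and its
# O values as groups, so whatever is in the CSR subject is what gets RBAC.
check_request() {
  csr=$(printf '%s' "$1" | base64 -d)
  printf '%s\n' "$csr" | openssl req -noout -verify >/dev/null 2>&1 || return 1
  subj=$(printf '%s\n' "$csr" | openssl req -noout -subject -nameopt RFC2253)
  [ "$subj" = "subject=$2" ]
}
```

With RFC2253 name formatting the expected subject for the answer's user.json is `O=haugom,CN=haugom`.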