How to create Users in Kubernetes the right way?

I this post I will show you how you can create Users in Kubernetes the right way.

Parts of the K8S Security Lab series

Container Runetime Security

• Part1: How to deploy CRI-O with Firecracker?
• Part2: How to deploy CRI-O with gVisor?
• Part3: How to deploy containerd with Firecracker?
• Part4: How to deploy containerd with gVisor?
• Part5: How to deploy containerd with kata containers?

Advanced Kernel Security

• Part6: Hardening Kubernetes with seccomp
• Part6: Linux user namespace management wit CRI-O in Kubernetes

Container Network Security

• Part4: RKE2 Install With Calico
• Part4: RKE2 Install With Cilium

Secure Kubernetes Install

• Part1: Best Practices to keeping Kubernetes Clusters Secure
• Part2: Kubernetes Hardening Guide with CIS 1.6 Benchmark
• Part5: Kubernetes Certificate Rotation

User Security

• Part5: How to create kubeconfig?
• Part5: How to create Users in Kubernetes the right way?
• Part5: Kubernetes Single Sign-on with Pinniped OpenID Connect
• Part5: Kubectl authentication with Kuberos Depricated !!
• Part5: Kubernetes authentication with Keycloak and gangway Depricated !!
• Part5: kube-openid-connect 1.0 Depricated !!
• Part10: Using Admission Controllers
• Part8: Kubernetes Network Policy
• Part8: RKE2 Pod Security Policy
• Part7b: Kubernetes Pod Security Admission
• Part7b: Kubernetes: How to migrate Pod Security Policy to Pod Security Admission?
• Part7c: Pod Security Standards using Kyverno
• Part9: Kubernetes Cluster Policy with Kyverno
• Part11a: Image security Admission Controller
• Part11b: Image security Admission Controller V2
• Part11c: Image security Admission Controller V3
• Part12: Continuous Image security
• Part12: trivy-operator 1.0
• Part12: trivy-operator 2.1: Trivy-operator is now an Admisssion controller too!!!
• Part12: trivy-operator 2.2: Patch release for Admisssion controller
• Part12: trivy-operator 2.3: Patch release for Admisssion controller
• Part15a Image Signature Verification with Connaisseur
• Part15b Image Signature Verification with Connaisseur 2.0
• Part15c Image Signature Verification with Kyverno
• Part21: How to use imagePullSecrets cluster-wide??
• Part22: Automatically change registry in pod definition
• Part15c Central authentication with oauth2-proxy
• Part15c Secure your applications with Pomerium Ingress Controller
• Part15c CrowdSec Intrusion Detection System (IDS) for Kubernetes
• Part14: Kubernetes audit logs and Falco
• Part13: K8S Logging And Monitoring
• Part13: Install Grafana Loki with Helm3
• Part16a Backup your Kubernetes Cluster
• Part16b How to Backup Kubernetes to git?
• Part17a Kubernetes and Vault integration
• Part17b Kubernetes External Vault integration
• Part18a: ArgoCD and kubeseal to encript secrets
• Part18b: Flux2 and kubeseal to encrypt secrets
• Part18c: Flux2 and Mozilla SOPS to encrypt secrets
• Part19: ArgoCD auto image updater

Users in Kubernetes

All Kubernetes clusters have two categories of users: service accounts managed by Kubernetes, and normal users. Kubernetes does not have objects which represent normal user accounts. Normal users cannot be added to a cluster through an API call.

So how we choud create an user account?

Any user that presents a valid certificate signed by the cluster’s certificate authority (CA) is considered authenticated. So you need to create a certificate for you username.

Why I need a user account insted of service account?

A service account is wisible and its token can be mounted in to a pod so theat pod has the same privileges as you.

Generate new certificate

First, we have to generate a private key and a certificate signing request:

openssl genrsa -out devopstales.pem
openssl req -new -key devopstales.pem -out devopstales.csr -subj "/CN=devopstales"

devopstales well be my username. You can add your user to specific groups by addin them as groups like devops-groupe:

openssl req -new -key ivnilv.pem -out ivnilv.csr -subj "/CN=devopstales/O=devops-groupe"

Signing the certificate

Use the csr file for generating a CertificateSigningRequest object n Kubernetes:

cat devopstales.csr | base64 | tr -d '\n'

cat <<'EOF'> devopstales-csr.yaml
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: user-request-devopstales
spec:
  groups:
  - system:authenticated
  request: LS0tLS1CRUdJTi...
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF

OR from Kubernetes v1.22 (in this example it will expire after 10 years):

cat devopstales.csr | base64 | tr -d '\n'

cat <<'EOF'> devopstales-csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: user-request-devopstales
spec:
  groups:
  - system:authenticated
  request: LS0tLS1CRUdJTi...
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 315569260
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF

Create the CertificateSigningRequest and approve it. Then the Kubernetes api server will generate the certificate theat you can use to authentication.

kubectl create -f devopstales-csr.yaml
kubectl certificate approve user-request-devopstales

kubectl get csr
NAME                       AGE       REQUESTOR   CONDITION
user-request-devopstales   1m        admin       Approved,Issued

Now the certificate should be signed. You can download the new signed public key from the csr resource:

kubectl get csr user-request-devopstales -o jsonpath='{.status.certificate}' | base64 -d > devopstales-user.crt

Create new user config file

kubectl --kubeconfig ~/.kube/config-devopstales config set-cluster preprod --insecure-skip-tls-verify=true --server=https://KUBERNETES-API-ADDRESS
kubectl --kubeconfig ~/.kube/config-devopstales config set-credentials devopstales --client-certificate=devopstales-user.crt --client-key=devopstales.pem --embed-certs=true
kubectl --kubeconfig ~/.kube/config-devopstales config set-context default --cluster=preprod --user=devopstales
kubectl --kubeconfig ~/.kube/config-devopstales config use-context default

Ofcourse you need rbac for this user:

cat <<'EOF'> devopstales-rbac.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: devopstales-ns
spec: {}
status: {}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devopstales
  namespace: devopstales-ns
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devopstales
  namespace: devopstales-ns
subjects:
- kind: User
  name: devopstales
  apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: devopstales
EOF

kubectl apply -f devopstales-rbac.yaml

Let’s test if the new kubeconfig we generated worked fine:

kubectl --kubeconfig ~/.kube/config-devopstales get pods

Conclusion

As we can see creating certificate for all the users is a hard task for the administratos if we hawe many users. A better solution to use an sso based authentication proxy like my Kubectl OpenID Connect.