Create a Kubernetes-ready user

TL;DR

Easily create a Kubernetes-ready user with a basic script.

This script creates the credentials for a new user which are (well, should be) valid for a Kubernetes cluster whose CA certificate and key sit at a known location in the filesystem (by default /etc/kubernetes/pki, i.e. where kubeadm puts them). The user name is taken from the certificate's CN and the groups from its O fields, which is how the Kubernetes API server reads X.509 client certificates.

#!/bin/sh

die() { printf >&2 '%s\n' "$*"; exit 1; }

# everything created here (key, CSR, kubeconfig) is a credential: keep it private from the start
umask 077

k8s_new_user() {
   local user="$1"
   shift
   [ -n "$user" ] || die "provide username and (optionally) groups"
   local csr="$user.csr"
   local key="$user.key"
   local crt="$user.crt"
   local cnf="$user.kubeconfig"

   # Kubernetes takes the user name from CN and the groups from the O fields
   local cn="/CN=$user"
   local group
   for group in "$@" ; do
      cn="$cn/O=$group"
   done

   local pki="${PKI:-"/etc/kubernetes/pki"}"   # where kubeadm keeps the cluster CA
   local cacert="${CA_CERT:-"$pki/ca.crt"}"
   [ -r "$cacert" ] || die "invalid certificate '$cacert'"
   local cakey="${CA_KEY:-"$pki/ca.key"}"
   [ -r "$cakey" ] || die "invalid key file '$cakey'"

   openssl req -subj "$cn" -out "$csr" \
      -nodes -newkey "rsa:${RSA_BITS:-2048}" -keyout "$key" \
      || die "cannot generate key and CSR for '$user'"

   # the API server does not check revocation, so DAYS is the only lever to limit
   # the damage from a leaked key: the ten-year default is convenient, not safe
   openssl x509 -req -in "$csr" -out "$crt" \
      -CA "$cacert" -CAkey "$cakey" -CAcreateserial \
      -days "${DAYS:-"$(( 365 * 10 + 3 ))"}" \
      || die "cannot sign certificate for '$user'"

   cp "${KUBECONFIG:-"$HOME/.kube/config"}" "$cnf" || die "cannot copy kubeconfig into '$cnf'"
   export KUBECONFIG="$cnf"
   # drop the admin credentials that came along with the copied file (kubeadm names
   # that entry 'kubernetes-admin', other setups differ: set ADMIN_USER accordingly)
   kubectl config unset "users.${ADMIN_USER:-admin}"
   kubectl config set-credentials "$user" \
      --client-certificate="$crt" \
      --client-key="$key" \
      --embed-certs=true || die "cannot add credentials to '$cnf'"
   kubectl config set-context --current --user="$user" || die "cannot set context in '$cnf'"
   chmod og-rwx "$cnf"

   # the file leaves this machine: the new user's credentials must be the only ones in it
   [ "$(kubectl config view -o jsonpath='{.users[*].name}')" = "$user" ] \
      || die "'$cnf' still contains other credentials, remove them before handing it out"

   rm "$csr" "$crt" "$key"
}

k8s_new_user "$@"

Local version here.

Creating a user is only half of the job: the new identity then needs permissions, granted through Roles and ClusterRoles and their respective bindings, whose subjects must name exactly the user (the CN) and groups (the O fields) that were put in the certificate. Anyway… it’s a start.
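As an added example (not part of the original post), this is the other half: a RoleBinding that grants the certificate's CN and O values a Role, plus a check that uses impersonation to confirm what the new identity can do before the kubeconfig is handed out. The namespace "dev", the Role "pod-reader", the user "alice" and the group "developers" are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not the post's script: bind the identity carried by the client
# certificate (CN -> User, O -> Group) to a Role, then verify it via impersonation.
# Namespace "dev", Role "pod-reader", user "alice", group "developers" are assumed.

# rbac_manifest <namespace> <role> <user> [<group>...]
# Prints a RoleBinding. Kubernetes reads the user name from the certificate's CN
# and the groups from its O= fields, so these subjects must match what the CA
# signed, character for character.
rbac_manifest() {
   local ns="$1" role="$2" user="$3"
   shift 3
   cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $role-$user
  namespace: $ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: $role
subjects:
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: $user
EOF
   local g
   for g in "$@"; do
      cat <<EOF
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: $g
EOF
   done
}

# rbac_check <namespace> <user> [<group>...]
# Asks the API server what the new identity may do without touching its
# kubeconfig: --as/--as-group impersonate it (needs impersonate rights, which
# cluster-admin has). Requires a reachable cluster, so it is not run in the demo.
rbac_check() {
   local ns="$1" user="$2"
   shift 2
   local args="" g
   for g in "$@"; do args="$args --as-group=$g"; done
   # $args is intentionally unquoted: it holds one --as-group flag per group
   kubectl auth can-i list pods -n "$ns" --as="$user" $args
}

# Usage (assumes a cluster with a Role "pod-reader" in namespace "dev"):
#   rbac_manifest dev pod-reader alice developers | kubectl apply -f -
#   rbac_check dev alice developers       # expected: yes
```

The impersonation check is worth running before handing over the kubeconfig: it answers from the API server's own authorizer, so a typo in a group name (which would silently grant nothing) shows up as a plain "no".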

Use it like this:

k8s-new-user <username> [<group> [<group> [...]]]

The output is a file named <username>.kubeconfig that can be used in place of the default ~/.kube/config, e.g. by handing it to the target user:

export KUBECONFIG="$PWD/$USERNAME.kubeconfig"
kubectl get pod ....

Using this script is not very secure, because the private key is generated by whoever runs it (the CA operator) and travels inside the kubeconfig, so it is never known only to its user. In a more secure process each user generates their own key and CSR and hands only the CSR to the CA, which checks the requested CN and groups before signing. Keep in mind, too, that the Kubernetes API server does not check revocation of client certificates: a credential issued this way stays valid until it expires, so with the ten-year default lifetime a leaked key can only be cut off by rotating the cluster CA, or by stripping the user's permissions through RBAC.
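The "more secure process" described above, as an added example that is not part of the original post: the user keeps the private key and only the CSR reaches the CA, which inspects the requested CN and groups before signing, refuses anything that asks for a reserved system: group, and issues a short-lived, client-auth-only certificate. It runs against a throwaway CA built on the spot; the names alice, mallory and developers, the ca/ directory and the 30-day default are assumptions for the demo (a real cluster's CA lives in /etc/kubernetes/pki).

```shell
#!/bin/sh
# Added example, not the post's script: user-generated key + CSR, CA-side policy
# check and signing, then verification of what the API server will see.
# alice/mallory/developers and the ca/ directory are demo assumptions.
set -u
umask 077

# minimal openssl config: no prompts, and CA:TRUE on the self-signed demo CA
write_req_cnf() {
   printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
      '[dn]' '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
      'keyUsage = critical,keyCertSign,cRLSign' > "$1"
}

# --- user side: the private key never leaves the user ---------------------
# user_make_csr <username> [<group>...]  -> <username>.key and <username>.csr
user_make_csr() {
   local user="$1"
   shift
   local subj="/CN=$user" g
   for g in "$@"; do subj="$subj/O=$g"; done
   write_req_cnf "$user.req.cnf"
   openssl req -new -config "$user.req.cnf" -subj "$subj" -nodes \
      -newkey rsa:2048 -keyout "$user.key" -out "$user.csr" 2>/dev/null
}

# --- CA side ----------------------------------------------------------------
# ca_init <dir>  -> throwaway self-signed CA (stderr silenced: keygen noise only)
ca_init() {
   mkdir -p "$1" && write_req_cnf "$1/ca.cnf" &&
   openssl req -x509 -config "$1/ca.cnf" -subj "/CN=demo-kubernetes-ca" -nodes \
      -newkey rsa:2048 -days 1 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# csr_groups <csr>  -> the O= values (Kubernetes groups) the CSR asks for, one per line
csr_groups() {
   openssl req -in "$1" -noout -subject -nameopt sep_multiline,sname | sed -n 's/^ *O=//p'
}

# ca_sign <dir> <csr> <crt>  -> policy check, then a short-lived client-auth-only cert
ca_sign() {
   local dir="$1" csr="$2" crt="$3"
   # the requester controls the CSR subject: never let it name itself into a reserved
   # group (system:masters is cluster-admin, and no RoleBinding can take that away)
   if csr_groups "$csr" | grep -q '^system:'; then
      echo "refusing $csr: it requests a reserved system: group" >&2
      return 1
   fi
   printf '%s\n' 'basicConstraints = CA:FALSE' 'keyUsage = digitalSignature' \
      'extendedKeyUsage = clientAuth' > "$dir/client.ext"
   openssl x509 -req -sha256 -in "$csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -days "${DAYS:-30}" -extfile "$dir/client.ext" -out "$crt" 2>/dev/null
}

# cert_subject <crt>  -> what the API server will see: user=<CN> and group=<O> lines
cert_subject() {
   openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,sname \
      | sed -n -e 's/^ *CN=/user=/p' -e 's/^ *O=/group=/p'
}

# demo: the whole exchange in a scratch directory; prints the issued identity and
# fails if the CA accepts a CSR that asks for system:masters
demo() {
   local work rc=0
   work="$(mktemp -d)" || return 1
   (
      cd "$work" &&
      ca_init ca &&
      user_make_csr alice developers &&             # alice keeps alice.key
      ca_sign ca alice.csr alice.crt &&             # the CA only ever sees alice.csr
      openssl verify -CAfile ca/ca.crt alice.crt >/dev/null &&
      cert_subject alice.crt &&
      user_make_csr mallory system:masters &&
      ! ca_sign ca mallory.csr mallory.crt          # must be refused
   ) || rc=$?
   rm -rf "$work"
   return "$rc"
}

case "${1:-}" in run) demo ;; esac
```

Run it with `sh csr-flow.sh run`: it prints `user=alice` and `group=developers`, and the refusal for mallory goes to stderr. The policy check is the point of splitting the flow in two: with the original script the operator types the groups, but once users write their own CSRs the subject is attacker-controlled input and has to be validated before the CA key touches it.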

Again… it’s a start 🤓

