I am creating a new user named tote in my kubeadm Kubernetes cluster. So first I created a key:
openssl genrsa -out tote.key 2048
Then I created a CSR:
openssl req -new -key tote.key -subj "/CN=tote-admin" -out tote.csr
Then I am following the Kubernetes docs here, so:
A) I create a certificate signing request manifest:
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: tote
spec:
  request: XXXXXX   # base64 of the generated CSR
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
B) Approve the CSR using kubectl:
kubectl certificate approve tote
C) Produce the crt certificate for tote user:
kubectl get csr tote -o jsonpath='{.status.certificate}'| base64 -d > tote.crt
Finally, when trying to list pods via the apiserver URL as the tote user, it gives me the following error:
curl https://172.31.127.100:6443/api/v1/pods --key tote.key --cert tote.crt --cacert /etc/kubernetes/pki/ca.crt
And the response:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "pods is forbidden: User \"tote-admin\" cannot list resource \"pods\" in API group \"\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403
}
Any help on how to resolve this issue and allow user tote to access pods?
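As an added example that is not part of the original question: the client certificate only handles authentication, and the 403 is an authorization failure. Kubernetes takes the username from the certificate's CN, so the subject it sees is "tote-admin" (not "tote"), and nothing in RBAC grants that user anything yet. A read-only ClusterRole bound to that user is the least-privilege grant that would allow the cluster-scope pod list in the curl above (the role and binding names are assumptions):

```yaml
# Added example (not from the question): grant User "tote-admin" read-only
# access to pods cluster-wide. The username Kubernetes derives from the
# client certificate is its CN, so the subject below must match "/CN=tote-admin".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader                   # name is an assumption
rules:
- apiGroups: [""]                    # core API group, the "" in the error message
  resources: ["pods"]
  verbs: ["get", "list", "watch"]    # read-only: no create, delete, exec or patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tote-admin-pod-reader        # name is an assumption
subjects:
- kind: User
  name: tote-admin                   # must equal the certificate CN exactly
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Apply it with kubectl apply -f and confirm the grant with kubectl auth can-i list pods --all-namespaces --as tote-admin before retrying the curl. If the user only needs one namespace, prefer a Role and RoleBinding in that namespace and query /api/v1/namespaces/<namespace>/pods instead of the cluster-scope path.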