k8s has service accounts but that's not what you want to create an admin account — equivalent to having root privileges on the cluster. Instead you simply need to create a certificate/key pair for the user and sign it with the master's CA (certificate authority).
In this example we'll create an account for user
- Create a private key:
openssl genrsa -out foobar.key 2048
For extra security you can also opt for 4096 bits for the key but for some reason
kopsdefaults to 2048 right now.
- Create a CSR (Certificate Signing Request)
openssl req -new -key foobar.key -out foobar.csr -subj '/CN=foobar/O=system:masters'
The CN (Common Name) contains the user name and the O (Organization Name) must be
system:mastersto be a super-user.
- Fetch the master's private key from S3, from the bucket
kopswas configured to use:
aws s3 sync $KOPS_STATE_STORE/$NAME/pki pki
Here the variables
$NAMEare the ones referred to in the kops documentation. For example:
aws s3 sync s3://prefix-example-com-state-store/myfirstcluster.example.com/pki pki
All the PKI files will be downloaded from S3 into the local
- Issue the certificate using the master's CA:
openssl x509 -req -in foobar.csr -CA pki/issued/ca/*.crt -CAkey pki/private/ca/*.key -CAcreateserial -out foobar.crt -days 3650
foobar.key) and the certificate (
foobar.crt) to the user, but if you want to be a bit nicer and generate a self-contained
kubectlconfig for them, here's how:
kubectl --kubeconfig=kcfg config \ set-credentials $NAME --client-key=foobar.key --client-certificate=foobar.crt --embed-certs=true kubectl --kubeconfig=kcfg config \ set-cluster $NAME --embed-certs=true --server=https://api.k8s.example.com --certificate-authority pki/issued/ca/*.crt kubectl --kubeconfig=kcfg config \ set-context $NAME --cluster=$NAME --user=$NAME kubectl --kubeconfig=kcfg config \ use-context $NAMEYou can then hand over the
kcfgfile to the user and they could use it directly as their
~/.kube/configif they don't already have one.
Don't forget to
rm -rf pkito delete the files you downloaded from S3.