Kubernetes: Generate Certificates for Normal Users Using Certificates API

Claire Lee
4 min read · Mar 23, 2023

The Certificates API automates requesting, approving and signing certificates for Kubernetes components, and the same machinery lets an admin issue client certificates to normal users without touching the CA key by hand. The process is: the user generates a private key and a CSR, sends only the CSR to the admin, the admin wraps it in a CertificateSigningRequest object, approves (or denies) it, and hands the signed certificate back. With the certificate and the private key, the user authenticates to the API server with client certificate authentication, whether through curl or kubectl.

Create Client Certificates for Normal Users

In Kubernetes, normal users are not API objects: there is no API call that creates one.

Instead, any client that presents a valid certificate signed by a CA the API server trusts (the one configured with --client-ca-file, normally the cluster CA) is authenticated. Kubernetes takes the username from the Common Name (CN) in the certificate's subject and treats each Organization (O) entry in the subject as a group the user belongs to. Because group membership is baked into the certificate, the admin must inspect the subject of a CSR before approving it; a CSR with O=system:masters would yield a certificate that bypasses RBAC entirely.

Certificates API

Certificates API is a built-in feature in Kubernetes that enables administrators to automate the process of generating, signing, and managing certificates for various Kubernetes components. It provides an efficient way for administrators to manage user Certificate Signing Requests (CSRs) by allowing them to create, approve, and sign CSRs using Kubernetes API objects. This helps to simplify the process of managing certificates, especially when working with a large number of users or clusters.

Create Client Certificates for Normal Users

1. User generates a private key

A user generates a private key using a tool like OpenSSL. The private key is what proves possession of the certificate later; it stays with the user and is never sent to the administrator (only the CSR is).

$ openssl genrsa -out user.key 2048

This command generates a new 2048-bit RSA private key and writes it to “user.key”. Restrict its permissions (chmod 600 user.key) before doing anything else with it.

2. User generates a Certificate Signing Request (CSR)

The user generates a Certificate Signing Request (CSR) using the private key generated in the previous step.

$ openssl req -new -key user.key -out user.csr -subj "/CN=username"

The -subj flag specifies the subject of the CSR. The Common Name (CN) is mandatory because it becomes the Kubernetes username; add one or more Organization (O) components, for example "/CN=username/O=dev-team", if the user should be placed in groups that RBAC bindings refer to.

3. User sends the CSR to the Admin

The user sends the CSR (user.csr, not user.key) to the administrator who will be responsible for reviewing the request and approving it for signing.

4. Admin creates a CertificateSigningRequest object

The administrator creates a CertificateSigningRequest object in Kubernetes using a YAML manifest file that includes the details of the user’s CSR.

Generate base64-encoded CSR:

$ cat user.csr | base64 | tr -d "\n"

user-crt.yaml

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: user-csr
spec:
  request: <base64-encoded-csr>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - client auth

The request field is the base64-encoded CSR generated by the user. The signerName field selects the built-in signer: for certificates that normal users present to the API server it is kubernetes.io/kube-apiserver-client (kubernetes.io/kube-apiserver-client-kubelet and kubernetes.io/kubelet-serving are reserved for kubelets). The kube-apiserver-client signer never auto-approves, so every such request waits for a human or an authorised controller. The usages field lists the intended key usages, here digital signature, key encipherment and client authentication. An optional spec.expirationSeconds (minimum 600) requests a shorter lifetime than the signer's default; the signer may shorten it further but will not extend it.

Create the CertificateSigningRequest object:

$ kubectl create -f user-crt.yaml

5. Admin approves or rejects the CSR

Get the list of CSRs:

$ kubectl get csr

Approve the CSR:

$ kubectl certificate approve user-csr

Approving sets the Approved condition on the CertificateSigningRequest. The signer (for kubernetes.io/kube-apiserver-client, the csrsigning controller in kube-controller-manager) then issues the certificate asynchronously and stores it, base64-encoded, in status.certificate. Approval requires the update permission on the certificatesigningrequests/approval subresource, which is why it is an admin task.

Deny the CSR:

$ kubectl certificate deny user-csr

6. Admin provides the signed certificate to the User

Extract the signed certificate:

$ kubectl get csr user-csr -o jsonpath='{.status.certificate}' | base64 -d > user.crt

If status.certificate is still empty, the signer has not run yet; wait a moment and retry rather than approving again.

The administrator provides the signed certificate (and the cluster CA certificate, ca.crt, so the client can verify the API server) to the user. With the signed certificate and the private key, the user can now authenticate to the Kubernetes cluster using client certificate authentication. Two caveats matter in practice: authentication alone grants no permissions, so a Role/ClusterRole and a RoleBinding/ClusterRoleBinding for the CN or O values must exist before kubectl returns anything but 403; and the API server performs no CRL or OCSP checks, so a client certificate cannot be revoked short of rotating the CA. Keep lifetimes short with expirationSeconds and rely on RBAC to cut off a compromised user.

$ curl https://your-api-server.com/api/v1/namespaces/default/pods \
    --cacert ca.crt \
    --cert user.crt \
    --key user.key

$ kubectl get pods \
    --server=https://your-api-server.com \
    --certificate-authority=ca.crt \
    --client-certificate=user.crt \
    --client-key=user.key
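The six steps above as one script, added here as an example and not part of the original article. It assumes openssl and kubectl are on PATH and that the shell already holds admin credentials for the cluster; the user "alice", the group "dev-team", the object name alice-csr and the working directory are made-up values. Beyond the article's steps it adds the admin-side check on the CSR subject before approval and assembles a self-contained kubeconfig for the user.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): issue a client certificate to
# a normal user via the Certificates API. Assumes openssl + kubectl and an
# admin kubeconfig. "alice"/"dev-team" are illustrative values.
set -euo pipefail

# Steps 1+2: the user's key and CSR. CN becomes the username, each O a group.
gen_user_csr() {            # gen_user_csr <workdir> <username> <group>
  local dir=$1 user=$2 group=$3
  openssl genrsa -out "$dir/$user.key" 2048 2>/dev/null
  chmod 600 "$dir/$user.key"                 # the key never leaves the user
  openssl req -new -key "$dir/$user.key" -out "$dir/$user.csr" \
    -subj "/CN=$user/O=$group"
}

# Admin check before approval: verify the CSR signature, confirm the CN is
# the user we expect, and refuse any request for the system:masters group
# (such a certificate bypasses RBAC and cannot be revoked).
check_csr() {               # check_csr <csrfile> <expected-username>
  local csr=$1 expected=$2 subject
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  subject=$(openssl req -in "$csr" -noout -subject)
  case "$subject" in        # "CN = x" (OpenSSL 1.1/3) or "/CN=x" (1.0) forms
    *"CN = $expected,"*|*"CN = $expected"|*"/CN=$expected/"*|*"/CN=$expected") ;;
    *) echo "unexpected subject: $subject" >&2; return 1 ;;
  esac
  case "$subject" in
    *system:masters*) echo "refusing system:masters: $subject" >&2; return 1 ;;
  esac
  echo "$subject"
}

# Step 4: render the CertificateSigningRequest manifest on stdout. Normal
# users are signed by kubernetes.io/kube-apiserver-client, never auto-approved.
csr_manifest() {            # csr_manifest <object-name> <csrfile> <ttl-seconds>
  local name=$1 csr=$2 ttl=$3
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $name
spec:
  request: $(base64 < "$csr" | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: $ttl
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
}

# Steps 4-6 against a live cluster (needs kubectl; not run offline): submit,
# approve, wait for the signer, fetch the certificate, build a kubeconfig.
issue_user_cert() {         # issue_user_cert <workdir> <username> <group> <api-url>
  local dir=$1 user=$2 group=$3 server=$4 cert="" kc
  kc="$dir/$user.kubeconfig"
  gen_user_csr "$dir" "$user" "$group"
  check_csr "$dir/$user.csr" "$user"
  csr_manifest "$user-csr" "$dir/$user.csr" 86400 | kubectl create -f -
  kubectl certificate approve "$user-csr"
  for _ in $(seq 1 30); do  # status.certificate is filled asynchronously
    cert=$(kubectl get csr "$user-csr" -o jsonpath='{.status.certificate}')
    [ -n "$cert" ] && break
    sleep 2
  done
  [ -n "$cert" ] || { echo "certificate not issued" >&2; return 1; }
  printf '%s' "$cert" | base64 -d > "$dir/$user.crt"
  kubectl config view --raw \
    -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' \
    | base64 -d > "$dir/ca.crt"
  KUBECONFIG=$kc kubectl config set-cluster k8s --server="$server" \
    --certificate-authority="$dir/ca.crt" --embed-certs=true
  KUBECONFIG=$kc kubectl config set-credentials "$user" \
    --client-certificate="$dir/$user.crt" --client-key="$dir/$user.key" \
    --embed-certs=true
  KUBECONFIG=$kc kubectl config set-context "$user@k8s" --cluster=k8s --user="$user"
  KUBECONFIG=$kc kubectl config use-context "$user@k8s"
  # Authentication alone grants nothing: this prints "no" until RBAC binds
  # the user (CN) or group (O). Hand $kc to the user afterwards.
  KUBECONFIG=$kc kubectl auth can-i list pods -n default || true
}
```

The offline-testable parts are gen_user_csr, check_csr and csr_manifest; issue_user_cert ties them to the cluster. Running check_csr on every CSR before `kubectl certificate approve` is the step the article's flow leaves implicit, and it is where a request for an unexpected CN or for system:masters gets caught.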
