Wednesday, May 15, 2019

Adding A New Kubectl Client

In the previous article I outlined how to create a new user and assign it one of two roles, either a global or a namespace admin. In this post I'll show you how to set up a new client from scratch to make use of that new user.

Setting Up A New Client

Assuming the client machine hasn't connected to this cluster before, you'll need to set up the configuration from scratch. You really only need kubectl, which you can download and install from https://kubernetes.io/docs/tasks/tools/install-kubectl/. It's just a single binary, so in my example I've downloaded it onto a Windows host and added that folder to my $env:PATH variable. Start by defining the cluster; fake-ca-file is a placeholder for the CA certificate that we will fill in shortly:
PS C:\Users\mengland> kubectl config set-cluster kubernetes --server=https://10.9.176.25:6443 --certificate-authority=fake-ca-file
This should create a .kube folder and a config file with the basics if they didn't already exist. After that command the file should look like this:
PS C:\Users\mengland\.kube> Get-Content config
apiVersion: v1
clusters:
- cluster:
    certificate-authority: fake-ca-file
    server: https://10.9.176.25:6443
  name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
I've grabbed the .crt and .key files created in the previous post. Let's add our user credentials, embedding both into the config rather than referencing them by path:
PS C:\Users\mengland.EACANADA\.kube> kubectl config set-credentials mengland@kubernetes --client-certificate="$HOME\kubernetes\mengland.crt" --client-key="$HOME\kubernetes\mengland.key" --embed-certs=true
User "mengland@kubernetes" set.
PS C:\Users\mengland.EACANADA\.kube> Get-Content config
apiVersion: v1
clusters:
- cluster:
    certificate-authority: fake-ca-file
    server: https://10.9.176.25:6443
  name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users:
- name: mengland@kubernetes
  user:
    client-certificate-data: ...<long_encoded_cert>...
    client-key-data: ...<long_encoded_cert>...
You can see how this has updated the users section of the configuration file. Now we've got one last problem: the fake-ca-file placeholder. You can point certificate-authority at the actual CA file, which is available on the master under /etc/kubernetes/pki/ca.crt, but I like to keep the cert within the config file. Whatever you do, don't sidestep this step with insecure-skip-tls-verify: the CA is what lets kubectl tell the real API server from an impostor, so copy ca.crt from the master over a trusted channel (scp, for example) and compare its hash with what the master reports before trusting it. To embed it we need to base64-encode the cert and place the contents in our config file:
[root@k8s-master ~]# cat /etc/kubernetes/pki/ca.crt | base64 -w 0
...<long_encoded_cert>...
PS C:\Users\mengland> notepad .kube/config
Modify the file with the following:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ...<long_encoded_cert>...
    server: https://10.9.176.25:6443
  name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users:
- name: mengland@kubernetes
  user:
    client-certificate-data: ...<long_encoded_cert>...
    client-key-data: ...<long_encoded_cert>...
Note the -data suffix: certificate-authority-data holds the base64-encoded certificate inline, whereas certificate-authority holds a path to a file. The same distinction applies to client-certificate/client-certificate-data and client-key/client-key-data, which is what --embed-certs=true produced for the user entry above; passing --certificate-authority=<path to ca.crt> --embed-certs=true to kubectl config set-cluster does the same for the CA and saves the hand edit. You can find out more from https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/
Our last step is to set a context for the cluster and use it:
PS C:\Users\mengland.EACANADA> kubectl config set-context mengland@kubernetes --cluster=kubernetes --user=mengland@kubernetes
PS C:\Users\mengland.EACANADA> kubectl config use-context mengland@kubernetes
Switched to context "mengland@kubernetes"
The final result is a file that looks like this:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ...<long_encoded_cert>...
    server: https://10.9.176.25:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: mengland@kubernetes
  name: mengland@kubernetes
current-context: mengland@kubernetes
kind: Config
preferences: {}
users:
- name: mengland@kubernetes
  user:
    client-certificate-data: ...<long_encoded_cert>...
    client-key-data: ...<long_encoded_cert>...
You should be able to perform operations against the cluster now. A quick kubectl get pods --all-namespaces (global admin) or kubectl get pods -n monitoring (namespace admin), depending on the role you assigned, should succeed. A namespace admin querying any other namespace should get a Forbidden error back from the API server; that is the RBAC binding doing its job, not a problem with the client configuration. Keep in mind that .kube\config now contains the user's private key, so treat it like one and restrict the file to the account that owns it.
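The whole procedure collected into one PowerShell script, as an added example that is not part of the original post. It reuses the names above (cluster kubernetes, user mengland@kubernetes, certs under $HOME\kubernetes) and adds two things the step-by-step walk-through does not show: a SHA-256 check on the copied ca.crt before it is trusted, and --embed-certs=true on set-cluster so the manual notepad edit is unnecessary. $ExpectedCaSha256, the file paths and the monitoring namespace are placeholders to adjust for your cluster.

```powershell
# Added example, not code from the original post. Assumes ca.crt was copied
# byte-for-byte from the master's /etc/kubernetes/pki/ca.crt (scp, not a
# copy/paste that might change line endings) and that $ExpectedCaSha256 was
# read on the master with:  sha256sum /etc/kubernetes/pki/ca.crt

$Server           = "https://10.9.176.25:6443"
$ClusterName      = "kubernetes"
$UserName         = "mengland@kubernetes"
$CertDir          = "$HOME\kubernetes"
$CaFile           = "$CertDir\ca.crt"          # copied from the master
$ClientCert       = "$CertDir\mengland.crt"    # from the previous post
$ClientKey        = "$CertDir\mengland.key"    # from the previous post
$ExpectedCaSha256 = "<hash printed by sha256sum on the master>"   # placeholder
$Namespace        = "monitoring"               # namespace the role is bound to

# 1. Refuse to trust a CA that does not match what the master reported. A
#    swapped CA would let a machine-in-the-middle pose as the API server and
#    read everything kubectl sends and receives, secrets included.
$actual = (Get-FileHash -Path $CaFile -Algorithm SHA256).Hash.ToLower()
if ($actual -ne $ExpectedCaSha256.ToLower()) {
    throw "CA fingerprint mismatch for ${CaFile}: got $actual, expected $ExpectedCaSha256"
}

# 2. Cluster entry with the CA embedded as certificate-authority-data.
kubectl config set-cluster $ClusterName --server=$Server `
    --certificate-authority=$CaFile --embed-certs=true

# 3. User entry with the client certificate and key embedded.
kubectl config set-credentials $UserName `
    --client-certificate=$ClientCert --client-key=$ClientKey --embed-certs=true

# 4. Context tying cluster and user together, then make it the current one.
kubectl config set-context $UserName --cluster=$ClusterName --user=$UserName
kubectl config use-context $UserName

# 5. Verify. The RBAC query is answered by the API server without touching any
#    workload; the get is the real read. A namespace admin should see "yes" and
#    a pod list here, and "no" / Forbidden for any other namespace.
kubectl auth can-i list pods -n $Namespace
kubectl get pods -n $Namespace

# 6. The private key now lives inside .kube\config: strip inherited ACLs and
#    leave only the current user with access.
icacls "$HOME\.kube\config" /inheritance:r /grant:r "${env:USERNAME}:F"
```

If step 1 throws, stop and re-copy the CA; do not "fix" it by adding insecure-skip-tls-verify to the cluster entry. The icacls line is the Windows equivalent of chmod 600 on a Linux client.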
