Santosh:
Hey Team, During the certificate creation of a user using openssl what happens to the group names that I specify within the /OU field? suppose if I enter “system:masters” here, will this user automatically get access to that group without needing to create clusterbinding for the same user? Thanks
Alistair Mackay:
Hi,
Whilst it is true that system:masters allows full access to the cluster, it is considered a bad idea to make regular users a member of this group.
Additionally, you don’t create certificates for users via openssl. openssl is used to create a certificate signing request which is passed to the cluster administrator, who then creates a YAML manifest which lists any groups the user should be a member of and includes the content of the CSR, and applies that to the cluster using kubectl. The admin then approves the CSR and extracts the certificate to return to the user.
https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user
Santosh:
Hey @Alistair Mackay Thanks for your additional context. Can you also please respond to my actual question as well? I am really confused whether adding the group names within the /OU fields of a CSR created via openssl gives the user access to the groups specified there?
Santosh:
If so, when should I use /OU to get access to groups instead of getting access to groups via RoleBindings? Thanks
Alistair Mackay:
It is the cluster that actually builds the certificate for you. The CSR says to the cluster administrator “I would like access to the cluster”. The admin decides what groups you will have according to your role, and adds them to the groups field of the manifest that is sent to the cluster. If system:masters is included in that request, then yes, the resulting cert should provide full access.
Key points
• You never create a certificate for a cluster user with openssl, only a signing request
• The cluster issues the actual certificate with the appropriate fields populated from the info in the manifest applied by the administrator
Alistair Mackay:
Full certificates are only ever created with openssl for cluster services when building a cluster from scratch “the hard way”
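The normal-user flow from the linked Kubernetes docs, written out as an added example (it is not code from this thread or from Kubernetes itself): openssl produces only a key and a CSR, the CSR is wrapped in a CertificateSigningRequest manifest, and the cluster admin applies and approves it. The username "jane" and the group "developers" are assumed sample values; the subject's CN is what Kubernetes reads as the username and the O field is what it reads as group membership, so a group name goes in /O, not /OU.

```shell
#!/bin/sh
# Added example, not code from the thread. Sample values (jane, developers)
# are assumptions for illustration only.
set -eu

# Step 1 (the user): create a private key and a CSR with openssl.
# Kubernetes takes the username from CN and group membership from O.
make_csr() {
  user="$1"; group="$2"; keyfile="$3"; csrfile="$4"
  openssl genrsa -out "$keyfile" 2048 2>/dev/null
  openssl req -new -key "$keyfile" -out "$csrfile" -subj "/CN=${user}/O=${group}"
}

# Show the subject the cluster will see, so the admin can check which
# username and groups are being requested before approving anything.
csr_subject() {
  openssl req -in "$1" -noout -subject
}

# Step 2 (the admin): wrap the CSR in a CertificateSigningRequest manifest.
# spec.request is the CSR file as single-line base64 (works on GNU and BSD base64).
build_manifest() {
  user="$1"; csrfile="$2"
  b64=$(base64 < "$csrfile" | tr -d '\n')
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${user}
spec:
  request: ${b64}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400
  usages:
  - client auth
EOF
}

# Usage (the kubectl steps need a cluster, so they are shown as comments):
#   make_csr jane developers jane.key jane.csr
#   csr_subject jane.csr                       # confirm CN and O before approving
#   build_manifest jane jane.csr > jane-csr.yaml
#   kubectl apply -f jane-csr.yaml
#   kubectl certificate approve jane
#   kubectl get csr jane -o jsonpath='{.status.certificate}' | base64 -d > jane.crt
```

The admin's review point is csr_subject: the CN and O values in the CSR are what end up in the issued certificate, so a request carrying a privileged group should be refused rather than approved.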