In one of the task in Mock Exam for creation a user `jhon` and assigning permiss . . .

Santosh Kaluskar:
In one of the tasks in the Mock Exam, for creating a user jhon and assigning permissions using roles/rolebinding, the task gets passed with the following steps:
• create the CSR object using the .csr file decoding the content
• Approve the CSR
• create a Role
• create a rolebinding corresponding to Role
But, I did not add the user to the kubeconfig.

What is the difference between adding the user to the kubeconfig vs the above steps I carried out?
The docs (https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#add-to-kubeconfig) don’t speak much about this step.
Can someone please throw some light on this.

Alistair Mackay:
In a normal workflow, a user requesting access creates their private key and CSR and sends the CSR to the cluster admin.
The cluster admin approves the CSR and creates roles and bindings, then can send either the user + ca certificates, or an entire kubeconfig file back to the user.

Are you asking how you as a user would create the kubeconfig if you were given only the certificates?

Santosh Kaluskar:
Thanks for the reply.
I wanted to know, what’s the effect of:
The user csr is approved and provided with desired roles by the admin but not added to KubeConfig. Vs
The user being added to KubeConfig.

Santosh Kaluskar:
By adding the user to kubeconfig, does the user get Admin privileges?

Alistair Mackay:
No, the user only gets the privilege assigned to him by the RBAC created by the admin for that new user.
A kubeconfig file is merely a method of supplying credentials to a given server.
How powerful that credential is, is governed by RBAC (roles and bindings)

Alistair Mackay:
Once a CSR is approved, the only permission the new user has is to connect to the API server. He will get no information from it or be able to deploy anything until roles and bindings are created.

Santosh Kaluskar:
Ok. Got that. Thanks for clarifying. A user needs his own kubeconfig.

Alistair Mackay:
Correct

Alistair Mackay:
which will be in ~/.kube directory on his own laptop and contain only his cert

Santosh Kaluskar:
wrt exam, do we need to add the user to kubeconfig to complete the task? Because, the task in KK mock exam passes without adding it.

Alistair Mackay:
Creating a new kubeconfig from the cert should not be in exam.
Creating role and binding for user could be.
Checking permission with kubectl auth can-i to validate the permissions would work if that user did login with a kubeconfig

Santosh Kaluskar:
Got that, Thank you!