Ceci Ivanov:
When a new user is added on Linux, for example user jean, first we need to authorise her with client certificates. Who will generate the certificate and sign it using the Kubernetes CA? The root user of the Linux machine?
Radoslaw Czajkowski:
You need to generate a CSR locally on Linux for that user, and let the Certificate Authority from Kubernetes issue the certificate for this CSR.
Radoslaw Czajkowski:
Once you have a CSR generated, you can follow these steps to have the CSR signed by the CA and grab the generated certificate: https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#create-certificatesigningrequest
Ceci Ivanov:
Let's say, for example, we have one cluster in our environment, and a new developer comes with his personal Linux PC. To get access to the cluster, who will generate this CSR for him?
Radoslaw Czajkowski:
The developer himself can generate the CSR on his own. He then creates a Certificate Signing Request in Kubernetes (kind: CertificateSigningRequest), and a Kubernetes admin can then approve the CSR (kubectl certificate approve myuser), grab the generated certificate and send it to the user.
Ceci Ivanov:
And what about the config? How will the new user be able to get access to the cluster, and who will set its context?
Alistair Mackay:
The administrator would provide the user with the certificate and the relevant details to allow the user to create the config with kubectl config commands.