user2@server:~$ cat user2.req | base64 -w0
kube1:~/users# kubectl explain csr.spec.usages
kube1:~/users# cat user2.req.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: user2
spec:
request: LS0t...S0tCg==
signerName: kubernetes.io/kube-apiserver-client
expirationSeconds: 8640000 # 100 * one day
usages:
# - digital signature
# - key encipherment
- client auth
kube1:~/users# kubectl apply -f user2.req.yaml
kube1:~/users# kubectl describe csr/user2
kube1:~/users# kubectl certificate approve user2
kube1:~/users# kubectl get csr
kube1:~/users# kubectl get csr/user2 -o yaml
kube1:~/users# kubectl get csr/user2 -o jsonpath="{.status.certificate}" | base64 -d | tee user2.crt
user2@server:~$ scp root@kube1:users/user2.crt .
user2@server:~$ kubectl config set-cluster cluster.local --insecure-skip-tls-verify=true --server=https://192.168.13.221:6443
user2@server:~$ cat .kube/config
user2@server:~$ kubectl config set-credentials user2 --client-certificate=user2.crt --client-key=user2.key --embed-certs=true
user2@server:~$ kubectl config set-context default-context --cluster=cluster.local --user=user2
user2@server:~$ kubectl config use-context default-context
user2@server:~$ kubectl auth whoami
user2@server:~$ kubectl get pods
Error from server (Forbidden)