
Create SSL Certificates and Configure a New Kubernetes User with RoleBinding

This guide walks through generating a private key, CSR, and signed certificate with OpenSSL, adding a new user and context to kubeconfig, binding the user to a cluster role, and verifying namespace‑specific permissions in a Kubernetes cluster.

Full-Stack DevOps & Kubernetes

Generate a Private Key

Set a restrictive umask and create a 2048‑bit RSA key:

(umask 077; openssl genrsa -out lucky.key 2048)

Create a Certificate Signing Request (CSR)

Use the private key to generate a CSR with the common name lucky:

openssl req -new -key lucky.key -out lucky.csr -subj "/CN=lucky"

Sign the Certificate

Sign the CSR with an existing CA certificate and key, creating a certificate valid for ten years:

openssl x509 -req -in lucky.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out lucky.crt -days 3650

Add the New User to kubeconfig

Register the certificate and key for the user lucky and embed the cert data:

kubectl config set-credentials lucky --client-certificate=./lucky.crt --client-key=./lucky.key --embed-certs=true

Create a context that uses this user and the existing cluster:

kubectl config set-context lucky@kubernetes --cluster=kubernetes --user=lucky

Switch to the new context:

kubectl config use-context lucky@kubernetes

Bind the User to a Cluster Role

Grant cluster-admin privileges to lucky within the lucky namespace:

kubectl create rolebinding lucky -n lucky --clusterrole=cluster-admin --user=lucky

Verify Permissions

List pods in the lucky namespace (should succeed):

kubectl get pods -n lucky

Attempt to list pods in the default namespace (should fail, confirming limited scope):

kubectl get pods
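The RoleBinding's --user value has to equal the CN in the signed certificate (Kubernetes takes the username from CN and group names from O); the kubeconfig credential name is irrelevant to RBAC, so a typo in the CSR subject silently yields a user with a valid certificate and no rights. The following check script is an added example, not part of the original article; it assumes the file names and the lucky@kubernetes context created above, and that openssl and kubectl are on the PATH.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the client
# certificate's CN matches the RoleBinding subject and that the resulting
# access is scoped to the lucky namespace. Assumes the file names and the
# lucky@kubernetes context created above.
set -eu

USER_NAME="lucky"          # value passed to kubectl create rolebinding --user=
NAMESPACE="lucky"          # namespace the RoleBinding was created in
CERT="./lucky.crt"         # certificate signed with ca.crt/ca.key above
CONTEXT="lucky@kubernetes" # kubeconfig context that uses the lucky credentials

# Pull the CN out of an "openssl x509 -noout -subject" line. Kubernetes takes
# the username from CN (and group names from O), so this is the string that
# RBAC subjects must match. Handles "CN = lucky", "CN=lucky" and "/CN=lucky".
cn_from_subject() {
  printf '%s\n' "$1" | sed -n 's/^subject= *//; s/.*CN *= *\([^,/]*\).*/\1/p'
}

# Expected outcome of the two kubectl auth can-i probes: "yes" inside the
# bound namespace and "no" outside it. Returns non-zero otherwise.
check_scope() {
  [ "$1" = "yes" ] && [ "$2" = "no" ]
}

main() {
  cn=$(cn_from_subject "$(openssl x509 -in "$CERT" -noout -subject)")
  if [ "$cn" != "$USER_NAME" ]; then
    echo "certificate CN '$cn' does not match RoleBinding user '$USER_NAME'" >&2
    exit 1
  fi
  # kubectl auth can-i prints yes/no and exits non-zero on "no", so keep the
  # output and ignore the exit status.
  in_ns=$(kubectl --context "$CONTEXT" auth can-i list pods -n "$NAMESPACE" || true)
  out_ns=$(kubectl --context "$CONTEXT" auth can-i list pods -n default || true)
  if check_scope "$in_ns" "$out_ns"; then
    echo "ok: $USER_NAME is limited to namespace $NAMESPACE"
  else
    echo "unexpected scope: in-namespace=$in_ns default=$out_ns" >&2
    exit 1
  fi
}

# Only run the live checks when invoked as: sh check_lucky.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```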

Create a Corresponding Linux User (Optional)

For convenience, create a system user and copy the kubeconfig files:

useradd -m lucky                    # -m ensures the home directory exists on every distro
cp -ar /root/.kube/ /home/lucky/    # copies root's kubeconfig to /home/lucky/.kube
# Note: root's kubeconfig still carries the original admin credentials, so this
# copy is a convenience, not an isolation boundary; keep only the lucky user and
# context in the copied file if the Linux account is meant to be restricted.
chown -R lucky:lucky /home/lucky/   # hand the copied files to the new user
su - lucky

After switching to the new Linux user, the same namespace‑restricted access can be verified:

kubectl get pods -n lucky