Step‑by‑Step Guide to Create and Authorize Non‑Admin Users in Kubernetes
This tutorial walks through generating certificates, configuring kubeconfig, creating regular users, assigning roles and role bindings, using static token authentication, and managing ClusterRoles in a Kubernetes cluster to enforce the principle of least privilege.
1. Authentication
kubectl works on the master node because the shell there has the KUBECONFIG environment variable pointing to /etc/kubernetes/admin.conf, the cluster-admin kubeconfig that kubeadm writes. A worker node has neither the file nor the variable, so kubectl falls back to its default of http://localhost:8080 and fails:
# kubectl get nodes
E0220 12:50:15.695133 6091 memcache.go:238] can't get current server API group list: Get "http://localhost:8080/api?timeout=32s": dial tcp [::1]:8080: connect: connection refused
The connection to the server localhost:8080 was refused - did you specify the right host or port?
On the master:
# env | grep -i kubeconfig
KUBECONFIG=/etc/kubernetes/admin.conf
Node operations
Copy the admin.conf to a worker node and use it with --kubeconfig to query the cluster. Bear in mind that admin.conf embeds a client certificate in the system:masters group, i.e. unrestricted cluster-admin rights, so whoever can read the copy on node1 is a cluster admin. This is a lab convenience, not a way to hand out access; handing out least-privilege access is what the rest of the tutorial covers.
# scp /etc/kubernetes/admin.conf node1:~
# kubectl get node --kubeconfig=admin.conf
NAME STATUS ROLES AGE VERSION
master Ready control-plane,master 43d v1.26.0
node1 Ready node1 43d v1.26.0
node2 Ready node2 43d v1.26.0
Persist the configuration on the node:
# echo "export KUBECONFIG=/root/admin.conf" >> /etc/profile
Create a regular user and grant permissions
Kubernetes has no user objects. A "user" is whatever identity an authenticator extracts from the request; for X.509 client certificates signed by the cluster CA, the certificate's CN becomes the user name and any O fields become the user's groups.
1. Generate a private key
# openssl genrsa -out client.key 2048
2. Generate a CSR for user zhangsan
# openssl req -new -key client.key -subj "/CN=zhangsan" -out client.csr
3. Sign the certificate with the cluster CA
# openssl x509 -req -in client.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out client.crt -days 3650
Signing directly with ca.key bypasses the CertificateSigningRequest API and its approval audit trail, and the API server checks no revocation list, so a certificate issued this way stays valid until it expires. Ten years is far too long for a person's credential: use a short -days value, or issue through the CSR API, for anything beyond a lab.
4. Create a namespace and a pod
# kubectl create ns zhangsan
namespace/zhangsan created
# kubectl config set-context --current --namespace zhangsan
Context "kubernetes-admin@kubernetes" modified.
# kubectl run test01 --image nginx --image-pull-policy IfNotPresent
pod/test01 created
5. Create a Role
# kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods
role.rbac.authorization.k8s.io/pod-reader created
6. Bind the Role to the user
# kubectl create rolebinding zhangsan --role pod-reader --user zhangsan
rolebinding.rbac.authorization.k8s.io/zhangsan created
7. Edit the kubeconfig file
Reference: https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/
apiVersion: v1
kind: Config
clusters:
- cluster:
    server: https://192.168.200.200:6443
    certificate-authority: ca.crt
  name: cluster-zs
users:
- name: zhangsan
contexts:
- context:
    cluster: cluster-zs
    namespace: zhangsan
    user: zhangsan
  name: context-zs
current-context: context-zs
Save this skeleton as kube-zhangsan. The users entry carries no credentials yet; the next step adds them.
8. Embed certificates into the config
ca.crt here is a copy of /etc/kubernetes/pki/ca.crt in the working directory. --embed-certs=true base64-encodes the CA, the client certificate and the private key into the kubeconfig so it can be handed over as a single file; because that file then contains zhangsan's private key, protect it like a password (chmod 600, transfer over a secure channel).
# kubectl config --kubeconfig=kube-zhangsan set-cluster cluster-zs --server=https://192.168.200.200:6443 --certificate-authority=ca.crt --embed-certs=true
Cluster "cluster-zs" set.
# kubectl config --kubeconfig=kube-zhangsan set-credentials zhangsan --client-certificate=client.crt --client-key=client.key --embed-certs=true
User "zhangsan" set.
# kubectl config --kubeconfig=kube-zhangsan set-context context-zs --cluster=cluster-zs --namespace=zhangsan --user=zhangsan
Context "context-zs" modified.
9. Verify the permissions
# kubectl get pods --kubeconfig=kube-zhangsan
NAME READY STATUS RESTARTS AGE
test01 1/1 Running 0 9m
# kubectl run test02 --image nginx --kubeconfig=kube-zhangsan
Error from server (Forbidden): pods is forbidden: User "zhangsan" cannot create resource "pods" in API group "" in the namespace "zhangsan"
# kubectl get ns --kubeconfig=kube-zhangsan
Error from server (Forbidden): namespaces is forbidden: User "zhangsan" cannot list resource "namespaces" in API group "" at the cluster scope
Both refusals are authorization failures: the client certificate authenticated zhangsan fine, but the only binding for that user is a namespaced Role allowing get/list/watch on pods, so creating a pod and listing a cluster-scoped resource are denied.
Static token login
The static token file is the simplest authenticator and the weakest: tokens are long-lived, stored in plaintext on the control plane, and the list is read only at startup, so adding, removing or rotating a token means restarting the API server. It is fine for a lab; elsewhere prefer certificates, OIDC or ServiceAccount tokens.
1. Generate a token file
# openssl rand -hex 10 > jerry.csv
openssl rand only produces the token itself. The API server expects one CSV line per token in the form token,user,uid, optionally followed by a quoted group list ("group1,group2"), so the user name and uid are appended by hand:
# cat jerry.csv
3127c2e2b863d4c23878a,jerry,2000
2. Add the token file to the API server
# vim /etc/kubernetes/manifests/kube-apiserver.yaml
... add "--token-auth-file=/etc/kubernetes/pki/jerry.csv" to the kube-apiserver command ...
The file must sit in a directory that is mounted into the kube-apiserver static pod; under kubeadm /etc/kubernetes/pki already is, so copy jerry.csv there and keep it mode 0600, since it holds plaintext credentials. The kubelet recreates the static pod when its manifest changes; restarting the kubelet forces that if it does not happen on its own.
# systemctl restart kubelet
3. Attempt to log in
# kubectl --server="https://192.168.200.200:6443" --token="3127c2e2b863d4c23878a" get pod -n default
Unable to connect to the server: x509: certificate signed by unknown authority
With no kubeconfig, kubectl does not know the cluster CA. The tutorial works around that with --insecure-skip-tls-verify=true, which disables server authentication and lets anyone who can intercept the connection capture the bearer token; the correct fix is to pass the CA instead, --certificate-authority=/etc/kubernetes/pki/ca.crt (or a copy of it), and that flag works in every command below.
# kubectl --server="https://192.168.200.200:6443" --token="3127c2e2b863d4c23878a" get pod --insecure-skip-tls-verify=true -n zhangsan
Error from server (Forbidden): pods is forbidden: User "jerry" cannot list resource "pods" in API group "" in the namespace "zhangsan"
Authentication now succeeds (the error already names the user jerry); what fails is authorization, because no Role is bound to jerry yet.
Role and RoleBinding
1. Create a Role
# kubectl create role jerry --verb=get --verb=list --verb=watch --resource=pods --dry-run=client -o yaml > jerry.yaml
# kubectl apply -f jerry.yaml
role.rbac.authorization.k8s.io/jerry created
2. Create a RoleBinding
# kubectl create rolebinding jerry --role=jerry --user=jerry --token="3127c2e2b863d4c23878a" --dry-run=client -o yaml > rolebinding.yaml
The --token flag here is kubectl's own bearer-token option, i.e. which identity the request is sent as; it has no effect on the binding, whose subject is set by --user=jerry alone, and with --dry-run=client nothing is sent anyway.
# kubectl apply -f rolebinding.yaml
rolebinding.rbac.authorization.k8s.io/jerry created
3. Verify access
# kubectl --server="https://192.168.200.200:6443" --token="3127c2e2b863d4c23878a" --insecure-skip-tls-verify=true -n zhangsan get pod
NAME READY STATUS RESTARTS AGE
test01 1/1 Running 0 4h24m
4. Add create permission to the Role
# edit jerry.yaml to add "create" under verbs
# kubectl apply -f jerry.yaml
role.rbac.authorization.k8s.io/jerry configured
5. Verify pod creation
# kubectl --server="https://192.168.200.200:6443" --token="3127c2e2b863d4c23878a" --insecure-skip-tls-verify=true -n zhangsan run test02 --image nginx
pod/test02 created
6. Add deployment permissions
# edit the role yaml to include resources: deployments and apiGroups: "apps"
# kubectl apply -f jerry.yaml
role.rbac.authorization.k8s.io/jerry configured
# kubectl --server="https://192.168.200.200:6443" --token="3127c2e2b863d4c23878a" --insecure-skip-tls-verify=true -n zhangsan create deployment test03 --image nginx
deployment.apps/test03 created
7. Add scale permission
# edit role to add resource "deployments/scale" and verb "patch"
kubectl scale writes through the scale subresource, and a rule naming "deployments" never covers "deployments/scale"; subresources must be listed explicitly, which is why the previous step's rule is not enough.
# kubectl apply -f jerry.yaml
role.rbac.authorization.k8s.io/jerry configured
# kubectl --server="https://192.168.200.200:6443" --token="3127c2e2b863d4c23878a" --insecure-skip-tls-verify=true -n zhangsan scale deployment test03 --replicas 3
deployment.apps/test03 scaled
ClusterRole and ClusterRoleBinding
1. Create a ClusterRole
# kubectl create clusterrole cluster-pod --verb=get,list,watch --resource=pods --dry-run=client -o yaml > clusterrole.yaml
# kubectl apply -f clusterrole.yaml
clusterrole.rbac.authorization.k8s.io/cluster-pod created
2. Bind the ClusterRole to a user
# kubectl create clusterrolebinding cluster-tom --clusterrole=cluster-pod --user=tom --token="958a15cfa9431e088e0b"
As with the RoleBinding above, --token is kubectl's own authentication flag, not a property of the binding; the binding's subject is set by --user=tom alone. For the next step to authenticate as tom, that token must also have its own token,user,uid line in the token file loaded by the API server.
clusterrolebinding.rbac.authorization.k8s.io/cluster-tom created
3. Verify cross-namespace access
# kubectl --server="https://192.168.200.200:6443" --token="958a15cfa9431e088e0b" --insecure-skip-tls-verify=true -n zhangsan get pods
NAME READY STATUS RESTARTS AGE
test01 1/1 Running 0 6h29m
... (other pods) ...
# kubectl --server="https://192.168.200.200:6443" --token="958a15cfa9431e088e0b" --insecure-skip-tls-verify=true -n kube-system get pods
NAME READY STATUS RESTARTS AGE
coredns-5bbd96d687-9tsbb 1/1 Running 38 42d
... (system pods) ...
This demonstrates that a ClusterRole bound with a ClusterRoleBinding grants permissions in every namespace, while a Role, or a ClusterRole referenced from a RoleBinding, is limited to the namespace the binding lives in. The scope of a grant is decided by the binding, not by the kind of role it references.
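To make the two checks behind every kubectl call above concrete, here is an added example that is not code from the original article or from Kubernetes: a small Python model of the API server's static-token authenticator (the CSV format behind the Static token login section) followed by its RBAC authorizer, loaded with the pod-reader, jerry and cluster-pod roles and their bindings from the Role and RoleBinding and ClusterRole and ClusterRoleBinding sections. The uids, tom's group and the exact rules of jerry's final Role are assumptions; the two tokens are the ones shown in the article. Running it reproduces the allowed and Forbidden outcomes shown above without a cluster.

```python
"""Authentication then authorization, as the kube-apiserver applies them.

Added example for this article, not code from the original page or from
Kubernetes: a static-token authenticator using the --token-auth-file CSV
format (token,user,uid,"group1,group2") and an RBAC authorizer loaded with
the tutorial's Role/RoleBinding and ClusterRole/ClusterRoleBinding objects.
Assumed: the uids, tom's group, and jerry's Role after the scale permission
is added. Aggregation, resourceNames and nonResourceURLs are left out.
"""
import csv
import io
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    uid: str
    groups: tuple = ()

def token_line(token, user, uid, groups=()):
    """One row of the token file; csv quotes the groups column when it holds a comma."""
    row = [token, user, uid] + ([",".join(groups)] if groups else [])
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow(row)
    return buf.getvalue()

def load_token_file(text):
    """Parse token -> User with the server's checks: at least 3 columns, blank token skipped."""
    users = {}
    for n, rec in enumerate(csv.reader(io.StringIO(text)), 1):
        if not rec:
            continue
        if len(rec) < 3:
            raise ValueError(f"token file line {n}: at least 3 columns required")
        if rec[0] == "":
            continue
        groups = tuple(rec[3].split(",")) if len(rec) > 3 and rec[3] else ()
        users[rec[0]] = User(rec[1], rec[2], groups)  # duplicate token: the later line wins
    return users

@dataclass(frozen=True)
class Rule:
    api_groups: tuple  # "" is the core group
    resources: tuple   # "pods", "deployments", "deployments/scale", "*"
    verbs: tuple

# The tutorial's objects. Jerry's Role is its assumed final shape (pods + deployments + scale).
ROLES = {
    ("zhangsan", "pod-reader"): (Rule(("",), ("pods",), ("get", "list", "watch")),),
    ("zhangsan", "jerry"): (Rule(("",), ("pods",), ("get", "list", "watch", "create")),
                           Rule(("apps",), ("deployments",), ("get", "list", "watch", "create")),
                           Rule(("apps",), ("deployments/scale",), ("patch",))),
}
CLUSTER_ROLES = {"cluster-pod": (Rule(("",), ("pods",), ("get", "list", "watch")),)}
ROLE_BINDINGS = [("zhangsan", "Role", "pod-reader", (("User", "zhangsan"),)),   # (namespace, kind, roleRef, subjects)
                 ("zhangsan", "Role", "jerry", (("User", "jerry"),))]
CLUSTER_ROLE_BINDINGS = [("cluster-pod", (("User", "tom"),))]                   # (roleRef, subjects)

# Constructed token file with the two tokens the article shows; the uids and tom's group are made up.
TOKEN_FILE = (token_line("3127c2e2b863d4c23878a", "jerry", "2000")
              + token_line("958a15cfa9431e088e0b", "tom", "2001", ("dev",)))
TOKENS = load_token_file(TOKEN_FILE)

def rule_allows(rule, verb, api_group, resource, subresource):
    # A rule naming "deployments" does not cover "deployments/scale": subresources are listed explicitly.
    full = f"{resource}/{subresource}" if subresource else resource
    return (("*" in rule.verbs or verb in rule.verbs)
            and ("*" in rule.api_groups or api_group in rule.api_groups)
            and ("*" in rule.resources or full in rule.resources
                 or (subresource != "" and f"*/{subresource}" in rule.resources)))

def bound_to(subjects, user):
    return any((k == "User" and n == user.name) or (k == "Group" and n in user.groups)
               for k, n in subjects)

def authorize(user, verb, resource, api_group="", subresource="", namespace=""):
    """RBAC is purely additive: allow if any binding for the user carries a matching rule."""
    def allowed(rules):
        return any(rule_allows(r, verb, api_group, resource, subresource) for r in rules)
    for ref, subjects in CLUSTER_ROLE_BINDINGS:  # a ClusterRoleBinding applies in every namespace
        if bound_to(subjects, user) and allowed(CLUSTER_ROLES.get(ref, ())):
            return True
    if namespace:  # a RoleBinding only grants inside its own namespace, whatever it references
        for ns, kind, ref, subjects in ROLE_BINDINGS:
            if ns == namespace and bound_to(subjects, user):
                rules = ROLES.get((ns, ref), ()) if kind == "Role" else CLUSTER_ROLES.get(ref, ())
                if allowed(rules):
                    return True
    return False  # namespace == "" means a cluster-scoped request, e.g. listing namespaces

def access(token, verb, resource, api_group="", subresource="", namespace=""):
    """Bearer-token path: unknown token -> None (HTTP 401); otherwise the RBAC verdict (False -> 403)."""
    user = TOKENS.get(token)
    return None if user is None else authorize(user, verb, resource, api_group, subresource, namespace)

if __name__ == "__main__":
    print(TOKEN_FILE, end="")
    print("jerry scales test03:", access("3127c2e2b863d4c23878a", "patch", "deployments", "apps", "scale", "zhangsan"))
    print("tom reads kube-system:", access("958a15cfa9431e088e0b", "get", "pods", namespace="kube-system"))
    print("zhangsan lists namespaces:", authorize(User("zhangsan", ""), "list", "namespaces"))
```

Run it with python3. The point worth keeping is that nothing here is ever evaluated as a deny: a request is Forbidden only because no binding for that identity carries a matching rule, and a RoleBinding's grant stays confined to the namespace the binding lives in regardless of whether it references a Role or a ClusterRole.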
Source: MaGe Linux Operations
