Reputation: 5443
I am creating a Kubernetes admin user like this:
openssl genrsa -out akash.key 2048
openssl req -new -key akash.key -out akash.csr -subj "/CN=akash/O=system:masters"
openssl x509 -req -in akash.csr -CA ../ca.crt -CAkey ../ca.key -out akash.crt -days 100
and after creating certificates for the akash user I can curl the cluster:
vagrant@master-1:~/akash$ curl https://192.168.5.30:6443/api/ --key akash.key --cert akash.crt --cacert ../ca.crt
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "192.168.5.12:6443"
}
]
}
Now I want to create the user the other way, i.e. by creating a CSR object and approving it as the admin user. When I do so, get the crt back and try to use it, I get an unauthorized user error:
vagrant@master-1:~/akash$ curl https://192.168.5.30:6443/api/ --key akash.key --cert akash.crt --cacert ../ca.crt
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
}
Is there anything I need to do when generating a certificate by creating a CSR object? Any specific permission for user akash?
When I created the CSR request for this user I had already added it to the system:masters group.
Working user certificate:
vagrant@master-1:~/akash$ cat akash1.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Non-working:
vagrant@master-1:~/akash$ cat akash.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
The strange thing is that both were created using the same CA key and cert.
Adding the CA cert also:
vagrant@master-1:~/akash$ cat ../ca.crt
-----BEGIN CERTIFICATE-----
MIICtzCCAZ8CFGTiCQl+EQWFhKo6UFU0/Y7mGCmZMA0GCSqGSIb3DQEBCwUAMBgx
FjAUBgNVBAMMDUtVQkVSTkVURVMtQ0EwHhcNMjAwNDI4MDk0MzI1WhcNMjMwMTIz
MDk0MzI1WjAYMRYwFAYDVQQDDA1LVUJFUk5FVEVTLUNBMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAlW6vDFBDWUXCs3Wmt5l3spTgp7Kwr0VfLv7Wry5x
gv1l2yEFhRbU6TKqPrNHY9n4HbcGI98ZnU2mpnWZ82fNYezHOeQbcVSu81S2YrUR
GhmhIZb8SIAKCJ8wvuKHcuJZwpUZ3UK5dG4ePXBnk256wC9CkmuDia8h7S/wzmLs
srBfzzv8xZmnno+qr/diFrDmCNvQfSrh67trreQGJ9P0E5eYsFgL0htpdSTSy2P8
YsWOg8JrE9HoOa4GLs4zDzaphlRWzGKV8isnnw8dvj9vD15KqFFy5efJEnq1FFrh
2VDhuDw4vspDCYlE00ZaZSFldzTzY1mGj8TKnZdvI9ZekQIDAQABMA0GCSqGSIb3
DQEBCwUAA4IBAQBgW3p8zwRy4qkHBHoyMz5RbCszH/YAJvN5onOmWdkTRPw/019L
dGX6Y0MjJLtTTU1v67rJkvTE/tmWeVLKra2YUwb9S3G5dxlxk0lhc1rxAEyw+qgr
wz1UO1+UETVG9Q0TEhg87txEDa8H23+NK8piY+A1bzj3wuthZSyr7fr1NJQLcpbE
fTqNKPG/3E1VVoLeohzy5pN2QNzsIMBjYeXFD+uJT/SHj/Kly6mgfV7BX8igICrN
PnMkTDE6MbY54oVjGatSp/uispTLqjarXX+FSAYucfIV8+OcHuI5oqpv1gJp1XJ+
OGjHYlL2WBM9rTQb1COmyMiqEpVnwv+jgyEC
-----END CERTIFICATE-----
vagrant@master-1:~/akash$
Upvotes: 0
Views: 437
Reputation: 44687
It seems the non-working certificate is a server certificate because it has got TLS Web Server Authentication. It should be a client certificate.
openssl x509 -in nw.pem -noout -text
...
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
...
Upvotes: 2
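The answer's point can be reproduced end to end without a cluster. The Go program below is an added example written for this page, not code from the question, the answer or Kubernetes itself. It issues three certificates for CN=akash, O=system:masters from one throwaway CA: one with no Extended Key Usage at all (what the plain "openssl x509 -req" command in the question produces), one with clientAuth, and one with serverAuth only (what the non-working CSR-issued certificate carries). It then runs each through x509.Verify with KeyUsages set to ClientAuth, which is assumed here to model the API server's client-certificate authenticator: the chain must reach the cluster CA and the leaf must be usable for TLS client authentication. All function names (IssueCA, IssueUserCert, AcceptedAsClient, Identity, Scenario) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // toy sequential serial counter; a real CA uses random serials

// issue generates a key, fills in serial and validity, signs tmpl under parent
// with signer (self-signed when signer is nil) and parses the result.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil { // self-signed root: the new key signs its own template
		signer, parent = key, tmpl
	}
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueCA creates a self-signed CA standing in for the cluster's ca.crt / ca.key.
func IssueCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "KUBERNETES-CA"},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// IssueUserCert signs a leaf for user (CN) and groups (O) with the given EKUs.
// A nil list yields a certificate with no Extended Key Usage extension at all.
func IssueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, groups []string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: user, Organization: groups},
		BasicConstraintsValid: true, // CA:FALSE, as in the openssl dump above
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           ekus,
	}, ca, caKey)
	return cert, err
}

// AcceptedAsClient models the API server's check: the leaf must chain to the
// cluster CA and be usable for TLS client authentication. A leaf whose only
// EKU is serverAuth fails with an "incompatible key usage" error; a leaf with
// no EKU extension is accepted, which is why the first certificate worked.
func AcceptedAsClient(ca, leaf *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Identity returns the user and groups Kubernetes derives from a client
// certificate: CN becomes the username, each O becomes a group.
func Identity(leaf *x509.Certificate) (string, []string) {
	return leaf.Subject.CommonName, leaf.Subject.Organization
}

// Scenario issues the three certificates from one CA and reports which pass.
func Scenario() (map[string]bool, error) {
	ca, caKey, err := IssueCA()
	if err != nil {
		return nil, err
	}
	cases := map[string][]x509.ExtKeyUsage{
		"no-eku":      nil,
		"client-auth": {x509.ExtKeyUsageClientAuth},
		"server-auth": {x509.ExtKeyUsageServerAuth},
	}
	results := map[string]bool{}
	for name, ekus := range cases {
		leaf, err := IssueUserCert(ca, caKey, "akash", []string{"system:masters"}, ekus)
		if err != nil {
			return nil, err
		}
		results[name] = AcceptedAsClient(ca, leaf) == nil
	}
	return results, nil
}

func main() {
	results, err := Scenario()
	if err != nil {
		panic(err)
	}
	for name, ok := range results {
		fmt.Printf("%-12s accepted=%v\n", name, ok)
	}
}
```

Running it shows no-eku and client-auth accepted and server-auth rejected, even though all three were signed by the same CA, which matches what the question observed. On a real certificate the same check is one command: openssl x509 -in akash.crt -noout -ext extendedKeyUsage (OpenSSL 1.1.1 or later) should print TLS Web Client Authentication, or nothing at all, but not only TLS Web Server Authentication. When the certificate is requested through the Kubernetes CSR API, the EKUs come from the CSR object's spec.usages, so that list has to contain client auth for the result to be usable against the API server.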