Add users using certificates in a Kubernetes cluster


Kubernetes is an open-source container orchestration platform that simplifies the management and scaling of containerized applications. It provides a robust framework for automating the deployment, scaling, and monitoring of applications across a cluster of machines.

A Kubernetes cluster is a collection of interconnected nodes that work together to run containerized applications. The cluster consists of a control plane and worker nodes, allowing for efficient orchestration, scaling, and management of applications within the cluster.

This Answer will specifically cover the user creation process in Kubernetes using client certificates, which offer a secure authentication method for both users and services. Client certificates are widely used in production Kubernetes clusters to strengthen security.

Note: A terminal is provided at the end of this Answer where you can try adding users in a Kubernetes cluster.

The following steps show how to add a user in a Kubernetes cluster:

Step #01: Create a cluster

To add a user to the cluster, we must have a cluster first. Execute the terminal provided at the end of this Answer, which runs the following command to create the cluster:

kind create cluster


Step #02: Generate a user key

The second step is to generate a private key, which must be kept secret, using the OpenSSL command-line tool, a widely available utility on Unix-based systems. Run the following command in the terminal to generate the user key:

openssl genrsa -out user.key 2048

In this command, genrsa indicates the generation of an RSA key, -out user.key specifies the output file name as user.key—which will contain the generated key—and 2048 defines the key size as 2048 bits.

This command creates a private key that will be used for user authentication and encryption purposes in various security scenarios, such as generating client certificates for users in a Kubernetes cluster. A larger key size gives stronger protection, but it also increases the computational overhead.

Step #03: Generate a certificate signing request (CSR)

Next, generate a CSR using the provided private key and save it as a CSR file. This file contains information such as the public key, distinguished name—including the Common Name (CN) and Organization (O)—and other details about the entity requesting the certificate. It serves as a formal request to a certificate authority (CA) to sign the CSR and issue a valid certificate. Run the following command to do so:

openssl req -new -key user.key -out user.csr -subj "/CN=<username>/O=<orgname>"

Note: Provide a new username and organization name in place of <username> and <orgname>.

In the above command, req indicates the generation of a CSR, -new specifies the creation of a new CSR, -key user.key specifies the private key file to be used, -out user.csr defines the output file where the CSR will be saved, and -subj "/CN=<username>/O=<orgname>" sets the subject information for the CSR, including the Common Name (CN) and Organization (O).

Step #04: Generate a self-signed CA key and certificate

The next step is to generate a CA key and certificate. A CA is a trusted entity that issues and manages digital certificates, which authenticate the identity of individuals, organizations, or devices in secure communication. By validating and signing these certificates, the CAs establish trust and enable secure encryption and authentication mechanisms within a public key infrastructure (PKI).

Generate the CA key

Generate the CA key using the following command:

openssl genrsa -out ca.key 2048

In this command, genrsa indicates the generation of an RSA key, -out ca.key specifies the output file name as ca.key—which will contain the generated key—and 2048 defines the key size as 2048 bits.

Generate the CA certificate

Generate the CA certificate using the following command:

openssl req -new -x509 -key ca.key -out ca.crt -days 3650 -subj "/CN=kubernetes-ca"

In the command above, -new would normally produce a CSR, but the -x509 flag instructs OpenSSL to output a self-signed certificate instead. The -key ca.key specifies the private key file to be used, -out ca.crt defines the output file where the self-signed certificate will be saved, and -days 3650 sets the validity period of the certificate to 3650 days, which is approximately 10 years. The -subj flag allows us to define the certificate’s subject information. In this case, it is set to /CN=kubernetes-ca, specifying the Common Name (CN) as kubernetes-ca.

Step #05: Sign the user’s CSR

We have generated the CA certificate and key. Now, we can sign the user’s CSR to generate a digital certificate. Run the following command to do so:

openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out user.crt

This command uses OpenSSL to sign the user’s CSR with the CA. It reads the signing request from user.csr, the CA certificate from ca.crt, and the CA’s private key from ca.key, and writes the certificate signed by the CA to user.crt. The -CAcreateserial flag creates a serial number file alongside ca.crt if one does not already exist, so that each certificate the CA issues receives a unique serial number.

Step #06: Generate a kubeconfig file

After creating the user certificate, the next step is to create a kubeconfig file. A kubeconfig file is a configuration file used by the Kubernetes command-line tool, kubectl, to specify the cluster—which we created in step #01—user, and context information required to interact with the cluster. It enables users to switch between different clusters and contexts easily and securely authenticate with the cluster.

Run the following command to create the kubeconfig file:

kubectl config set-credentials <username> --client-certificate=user.crt --client-key=user.key --embed-certs=true

This command configures the credentials for a specific user in the kubeconfig file used by kubectl. The --client-certificate and --client-key flags point at the signed certificate and the user’s private key, and --embed-certs=true copies their contents into the kubeconfig file instead of referencing the file paths, so the kubeconfig stays usable if the files are moved.

Note: Provide the same username created in step #03 in place of <username>.

Step #07: Verify the user

The last step is to verify if the user has been set up correctly. Run the following command to provide an overview of the configuration file’s contents, including the defined clusters, users, and contexts. If the created user is present in the users section, it means the user has been added to the cluster.

kubectl config view

By running this command, we can inspect and verify the contents of our kubectl configuration file.
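The whole procedure as one runnable script, added here as an example and not taken from the original Answer. It wraps Steps 2 to 7 in shell functions with hypothetical names (gen_ca, gen_user, verify_user_cert, write_kubeconfig) and adds two checks the steps above do not perform before declaring success: that user.crt verifies against ca.crt, and that user.key is the private key the certificate was issued for. The kubeconfig function writes to a separate file and passes the private key (user.key), not the CSR, to --client-key, which is what kubectl needs. The script assumes openssl is on PATH and only calls kubectl when it is installed; "alice" and "developers" are constructed sample values. One caveat on what kubectl config view proves: the API server accepts a client certificate only if it chains to the CA it trusts for client authentication (the kube-apiserver --client-ca-file), so a certificate issued by a freshly created self-signed CA will appear in the kubeconfig but will not authenticate against a kind cluster until that CA is configured there.

```shell
#!/bin/sh
# Added example (not from the original Answer): Steps 2 to 7 as functions, plus
# the checks that show the issued certificate is actually usable. Assumes openssl
# is installed; kubectl is only required by write_kubeconfig.
set -eu

# gen_ca DIR: Step 4, a self-signed CA key and certificate written into DIR.
gen_ca() {
  dir="$1"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/ca.key" -out "$dir/ca.crt" -days 3650 \
    -subj "/CN=kubernetes-ca" 2>/dev/null
}

# gen_user DIR USERNAME ORGNAME DAYS: Steps 2, 3 and 5. Kubernetes takes the
# user name from CN and the group from O, so both matter for RBAC later.
gen_user() {
  dir="$1"; username="$2"; orgname="$3"; days="${4:-365}"
  openssl genrsa -out "$dir/user.key" 2048 2>/dev/null
  openssl req -new -key "$dir/user.key" -out "$dir/user.csr" \
    -subj "/CN=$username/O=$orgname" 2>/dev/null
  # -days bounds the credential's lifetime; openssl x509 -req defaults to 30 days
  openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "$days" -out "$dir/user.crt" 2>/dev/null
}

# verify_user_cert DIR CAFILE: prints the certificate subject and returns 0 only
# if user.crt chains to CAFILE (1 otherwise) and user.key is its private key
# (2 otherwise). Both failures leave Step 7 looking fine while the API server
# still rejects the user.
verify_user_cert() {
  dir="$1"; cafile="$2"
  openssl verify -CAfile "$cafile" "$dir/user.crt" >/dev/null 2>&1 || return 1
  key_pub=$(openssl pkey -in "$dir/user.key" -pubout 2>/dev/null) || return 2
  crt_pub=$(openssl x509 -in "$dir/user.crt" -pubkey -noout 2>/dev/null) || return 2
  [ "$key_pub" = "$crt_pub" ] || return 2
  openssl x509 -in "$dir/user.crt" -noout -subject
}

# write_kubeconfig DIR USERNAME: Step 6 into a separate kubeconfig so the default
# one stays untouched. --client-key takes the private key, never the CSR.
write_kubeconfig() {
  dir="$1"; username="$2"
  kubectl --kubeconfig "$dir/user.kubeconfig" config set-credentials "$username" \
    --client-certificate="$dir/user.crt" --client-key="$dir/user.key" --embed-certs=true
  kubectl --kubeconfig "$dir/user.kubeconfig" config view   # Step 7
}

# Stand-alone run: "alice" in group "developers" is a constructed sample identity.
demo() {
  work=$(mktemp -d)
  gen_ca "$work"
  gen_user "$work" alice developers 90
  verify_user_cert "$work" "$work/ca.crt"
  if command -v kubectl >/dev/null 2>&1; then write_kubeconfig "$work" alice; fi
  echo "artifacts written to $work"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

Run it as a plain script to see the verified subject line; to reuse the functions, source the file and call gen_ca, gen_user and verify_user_cert with your own directory and identity. verify_user_cert is the piece worth keeping: a non-zero return tells you whether the chain or the key pairing is wrong before you spend time debugging an "Unauthorized" response from the API server.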

Try yourself

Now, putting everything together, copy and run the following commands in the terminal provided below one by one:

# Step #01: Create a cluster
kind create cluster
# Step #02: Generate a user key
openssl genrsa -out user.key 2048
# Step #03: Generate a certificate signing request (CSR)
openssl req -new -key user.key -out user.csr -subj "/CN=<username>/O=<orgname>"
# Step #04: Generate a self-signed certificate authority (CA) key and certificate
openssl genrsa -out ca.key 2048
openssl req -new -x509 -key ca.key -out ca.crt -days 3650 -subj "/CN=kubernetes-ca"
# Step #05: Sign the user's CSR
openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out user.crt
# Step #06: Generate a kubeconfig file
kubectl config set-credentials <username> --client-certificate=user.crt --client-key=user.key --embed-certs=true
# Step #07: Verify the user
kubectl config view
Commands to be executed



Copyright ©2025 Educative, Inc. All rights reserved