You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In addition to the MKE Dashboard, users can use kubectl to access and manipulate the MKE 4 cluster. To use kubectl, each user needs a kubeconfig file. This article describes how MKE 4 cluster admins can create kubeconfig files for themselves or other users.
Comparison with MKE 3 client bundles
In MKE 3, users could download client certificate bundles that included a kubeconfig file in addition to certificate files used to configure Docker CLI. In MKE 4, there is no need for a bundle, just the kubeconfig file is sufficient as it already has all necessary certificates embedded.
In MKE 3, client bundles could be created by admin users for any other users, or by non-admin users only for themselves. Previously created client bundles could be viewed and revoked.
Currently, in MKE 4, only admin users are able to create kubeconfig files. Previously created kubeconfig files cannot be viewed or revoked. Thus, the expiration time of the certificates used in the kubeconfig files should be set appropriately.
Below is the table that lists all major differences between MKE 3 client bundles and MKE 4 kubeconfig files:
Feature
MKE 3 client bundles
MKE 4 kubeconfig files
Create by admins for other users
✅
✅
Create by admins for themselves
✅
✅
Create by non-admins for other users
❌
❌
Create by non-admins for themselves
✅
❌
View previously created bundles
✅
❌
Revoke previously created bundles
✅
❌
Set expiration time of certificates
❌
✅
Can be generated from MKE UI
✅
❌
Non-admin certs are issued by a separate CA that is trusted by kube API server, but not trusted by other components like kubelet
✅
❌
Create
The only way to create a kubeconfig file for a specific user is to run the shell script below as an admin user. You should run the script below from the same place where you previously configured your MKE 4 cluster with mkectl apply. Alternatively, you may run the script if another admin previously issued you a kubeconfig file with admin-level permissions.
If you haven't already, create a new user ("Access Control" -> "Users") and assign them a role ("Access Control" -> "Permissions")
In a terminal session where you are already able to use kubectl as an MKE 4 cluster administrator, set the following variables:
# username of the target user
USERNAME=
# expiration time in days
EXPIRES_IN_DAYS=7
# expiration time in seconds is automatically calculated from EXPIRES_IN_DAYS
EXPIRES_IN_SECONDS=$((EXPIRES_IN_DAYS *24*60*60))# the default kubeconfig location for MKE 4 clusters created by mkectl apply. Do not change unless you know what you're doing
KUBECONFIG=~/.mke/mke.kubeconf
Make sure you set the expiration time to a reasonable value. You will not be able to revoke the certificates used by the new kubeconfig file. The default value is 7 days.
Run the following commands in the terminal session. It will create a kubeconfig file in the same directory <username>.kubeconfig
You can now send the generated <username>.kubeconfig file to the target user. They can use it to access the MKE 4 cluster with kubectl --kubeconfig.
Warning
The certificates issued with these steps may be used to access kubelet because the signer we used to sign our certs is the same as the kubelet client CA. To prevent any security risks, admins should ensure that kubelet is not accessible from outside of the cluster.
List
Currently, there is no way to list previously created kubeconfig files.
Revoke
Currently, there is no way to revoke previously created kubeconfig files.
The text was updated successfully, but these errors were encountered:
byDimasik
changed the title
Client bundle docs
[BOP-1466] Client bundle docs
Nov 7, 2024
Since I heard it mentioned about the tedium of producing the kubeconfig files in the TOI just thought I'd drop a link to the script I created which will create the kubeconfig files for migrated MKE3 admins here for ease of reference:
The process is straightforward—just run the following command on a controller, and the kubeconfig is displayed in the standard output:
$ k0s kubeconfig create toto --groups dev
However, I don’t believe managing users via x509 certificates is an ideal approach for several reasons:
1. Lack of Integration with Dex
Users created this way have no correlation with Dex-managed users. It’s possible to generate x509 certificates for users who don’t exist in Dex, which feels inconsistent and awkward.
2. No Certificate Revocation
There’s no mechanism to revoke these certificates, which presents a significant security risk. For example, in MKE3, x509 certificates were also used, but if a user was deleted from MKE, they would automatically lose access to the cluster via their client bundle.
3. Limited and Inflexible Group Membership Management
While it’s possible to assign groups to a user during certificate issuance (e.g., by adding O= to the subject name), The user’s group membership is determined when the certificate is generated. This means any changes to the group structure or the user’s roles require issuing a new certificate, which is not practical for dynamic or large-scale environments.
Group membership must be managed by DEX, using whatever authentication configured by the customer : dex local users (which I'm not sure it can manage groups), LDAP, SAML, OIDC, ...
Description
In addition to the MKE Dashboard, users can use kubectl to access and manipulate the MKE 4 cluster. To use
kubectl
, each user needs a kubeconfig file. This article describes how MKE 4 cluster admins can create kubeconfig files for themselves or other users.Comparison with MKE 3 client bundles
In MKE 3, users could download client certificate bundles that included a kubeconfig file in addition to certificate files used to configure Docker CLI. In MKE 4, there is no need for a bundle, just the kubeconfig file is sufficient as it already has all necessary certificates embedded.
In MKE 3, client bundles could be created by admin users for any other users, or by non-admin users only for themselves. Previously created client bundles could be viewed and revoked.
Currently, in MKE 4, only admin users are able to create kubeconfig files. Previously created kubeconfig files cannot be viewed or revoked. Thus, the expiration time of the certificates used in the kubeconfig files should be set appropriately.
Below is the table that lists all major differences between MKE 3 client bundles and MKE 4 kubeconfig files:
Create
The only way to create a kubeconfig file for a specific user is to run the shell script below as an admin user. You should run the script below from the same place where you previously configured your MKE 4 cluster with
mkectl apply
. Alternatively, you may run the script if another admin previously issued you a kubeconfig file with admin-level permissions.Prerequisites
Steps
<username>.kubeconfig
<username>.kubeconfig
file to the target user. They can use it to access the MKE 4 cluster withkubectl --kubeconfig
.Warning
The certificates issued with these steps may be used to access kubelet because the signer we used to sign our certs is the same as the kubelet client CA. To prevent any security risks, admins should ensure that kubelet is not accessible from outside of the cluster.
List
Currently, there is no way to list previously created kubeconfig files.
Revoke
Currently, there is no way to revoke previously created kubeconfig files.
The text was updated successfully, but these errors were encountered: