CentOS Stream 10: Add Normal Users

Add normal users with X509 client certificate authentication to a Kubernetes cluster on CentOS Stream 10.

May 24, 2026

Add normal users who can use the Kubernetes cluster.

In this example, a Kubernetes cluster is configured using four nodes as follows.

+----------------------+   +----------------------+
|  [ ctrl.srv.world ]  |   |   [ dlp.srv.world ]  |
|     Manager Node     |   |     Control Plane    |
+-----------+----------+   +-----------+----------+
        eth0|10.0.0.25             eth0|10.0.0.30
            |                          |
------------+--------------------------+-----------
            |                          |
        eth0|10.0.0.51             eth0|10.0.0.52
+-----------+----------+   +-----------+----------+
| [ node01.srv.world ] |   | [ node02.srv.world ] |
|     Worker Node#1    |   |     Worker Node#2    |
+----------------------+   +----------------------+

Create X509 Certificate

Generate a private key and a certificate signing request for the new user. Replace the CN value in the subject (serverworld in this example) with the desired username:

openssl ecparam -name prime256v1 -genkey -out kubernetes.key
openssl req -new -key kubernetes.key -out kubernetes.csr -subj "/CN=serverworld"

Create CertificateSigningRequest

Encode the CSR and create the Kubernetes CSR resource:

CSR=$(cat kubernetes.csr | base64 | tr -d '\n')

cat <<EOF > serverworld-csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: serverworld-csr
spec:
  request: $CSR
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF

kubectl apply -f serverworld-csr.yaml

Approve and Export Certificate

Approve the CSR and export the certificate:

kubectl certificate approve serverworld-csr
kubectl get csr serverworld-csr -o jsonpath='{.status.certificate}' | base64 --decode > kubernetes.crt
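
Before building the kubeconfig, it is worth confirming that the exported file really is the certificate that was requested, since the export writes an empty file when the certificate has not been issued yet. The check below is an added example, not part of the original page; the helper name check_client_cert is hypothetical, and it assumes openssl is installed on the node where the files were created.

```shell
# Added example, not from the original page. check_client_cert is a
# hypothetical helper; file and user names follow the page.
check_client_cert() {
    local crt="$1" key="$2" user="$3" subject crt_pub key_pub

    # An empty file means .status.certificate was not populated: the CSR
    # is unapproved or denied, or the signer has not issued yet.
    [ -s "$crt" ] || { echo "FAIL: $crt is empty, no certificate issued" >&2; return 1; }

    # The decoded data must parse as a PEM X.509 certificate.
    openssl x509 -in "$crt" -noout 2>/dev/null ||
        { echo "FAIL: $crt is not a PEM certificate" >&2; return 2; }

    # The API server takes the user name from the subject CN, so it must
    # equal the name that RBAC bindings are created for.
    subject=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253)
    subject=${subject#subject=}
    subject=${subject# }
    case ",$subject," in
        *",CN=$user,"*) ;;
        *) echo "FAIL: subject '$subject' lacks CN=$user" >&2; return 3 ;;
    esac

    # The certificate must carry the public half of the private key that
    # the kubeconfig will reference.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$key_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $crt" >&2; return 4
    fi

    # Reject a certificate that has already expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: $crt has expired" >&2; return 5; }

    echo "OK: CN=$user, $(openssl x509 -in "$crt" -noout -enddate)"
}

# Usage, in the directory holding the files created above:
#   check_client_cert kubernetes.crt kubernetes.key serverworld
```

A non-zero return code identifies which check failed: 1 empty file, 2 not a certificate, 3 wrong CN, 4 key mismatch, 5 expired.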

Assign Cluster Role

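Create a ClusterRoleBinding for the user. To grant cluster administrator privileges, bind the cluster-admin ClusterRole, which gives the user unrestricted access to every resource in the cluster; bind a narrower role instead if the user does not need that: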

kubectl create clusterrolebinding serverworld --clusterrole=cluster-admin --user=serverworld

Create Kubeconfig

Generate a kubeconfig file for the new user:

SERVER=$(kubectl config view -o jsonpath='{.clusters[].cluster.server}')
CLUSTER=$(kubectl config view -o jsonpath='{.contexts[].context.cluster}')
ROOTCA=$(kubectl get cm kube-root-ca.crt -o jsonpath="{['data']['ca\.crt']}" | base64 | tr -d '\n')

kubectl config set-cluster kubernetes --server=$SERVER --kubeconfig=config
kubectl config set clusters.kubernetes.certificate-authority-data $ROOTCA --kubeconfig=config
kubectl config set-context kubernetes --cluster=$CLUSTER --user=serverworld --kubeconfig=config
kubectl config set-credentials serverworld --client-certificate=kubernetes.crt --client-key=kubernetes.key --kubeconfig=config
kubectl config use-context kubernetes --kubeconfig=config

The following three files should be provided to the user:

  • config
  • kubernetes.crt
  • kubernetes.key

Use as Normal User

Create a .kube directory under the user's home directory and place the received files:

mkdir -p ~/.kube
cp config ~/.kube/config
cp kubernetes.crt ~/.kube/
cp kubernetes.key ~/.kube/

Verify access:

kubectl get nodes