Hi,

After setting up a small cluster I want to enable other users (and a Jenkins server running outside the cluster) to access the cluster and manage deployments, preferably with its own namespace for each application consisting of multiple services.
So, taking the information from https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/#use-case-1-create-user-with-limited-namespace-access and https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/, I figured out I have to create a user with this script: https://gist.github.com/henning/2dda0b704426c66e78e355703a8dc177

The problem is, when I try to run a command with this user/certificate, I keep getting errors. On the command line:

"error: You must be logged in to the server (the server has asked for the client to provide credentials)"

and even if this sounds like the client didn't even send a certificate, in the log of the API server it says:

"E0926 22:00:34.165133 5 authentication.go:58] Unable to authenticate the request due to an error: x509: certificate specifies an incompatible key usage"

so actually it seems like the client sends a certificate, but it's somehow not correct/sufficient.

I searched the web to find out what to do about it and tried multiple things (for example adding a Usage extension to the CSR, switching between creating the key and certificate request with the openssl client as well as cfssl, and with different versions of openssl on MacOS and Linux), all with the same result.

So, my questions:

* any further thing I can check for to solve this?
* is the way I try to do it generally right, or would it be better/easier to create a password file like described here? https://kubernetes.io/docs/admin/authentication/#static-password-file

Thanks in advance, and please let me know if there is any more information needed that I might have forgotten.

Henning