Kubectl Access

Short-lived certificate for accessing a Kubernetes cluster via kubectl


This page describes how to configure kubectl to access a Kubernetes cluster with short-lived certificates issued by the Akeyless PKI Cert Issuer. The advantage of this approach is that there are no client certificates to manage: clients authenticate to the Akeyless account with one of the available Auth Methods and receive a short-lived certificate that can be used to access the Kubernetes cluster via kubectl.


  1. Upload the CA key together with the CA certificate of the Kubernetes cluster into your Akeyless account (with minikube, they are located at ~/.minikube/ca.key and ~/.minikube/ca.crt):

     akeyless upload-rsa --name myK8SCA --alg RSA2048 --rsa-key-file-path ~/.minikube/ca.key --cert ~/.minikube/ca.crt

  2. Create a new PKI Cert Issuer:

     akeyless create-pki-cert-issuer --name myK8SCertIssuer --signer-key-name myK8SCA --ttl 300 --allowed-domains minikube-user --organizations system:masters

In this case, we created an Issuer that issues certificates valid for up to 5 minutes (--ttl 300) with system:masters access permissions. Kubernetes reads the certificate's organization field as the user's group, and, as the RBAC documentation shows, the system:masters group has full access as super-user.

  3. On the client side, generate a client private key (note that this key is useless without a signed certificate):

     openssl genrsa -out /home/user/kubectl-client.key 2048

  4. On the client side, set the kubeconfig file to use the Akeyless PKI Cert Issuer to fetch the client access certificate, as follows:
users:
- name: minikube
  user:
    # kubectl runs this command to obtain the short-lived client certificate
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - get-kube-exec-creds
      - --cert-issuer-name
      - myK8SCertIssuer
      - --key-file-path
      - /home/user/kubectl-client.key
      - --common-name
      - minikube-user
      command: akeyless
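
To confirm that the issuer behaves as configured in the steps above, the following added example (not part of the original Akeyless documentation) inspects an issued client certificate saved as a PEM file: it checks the CN, lists the O values Kubernetes will treat as groups, and fails if the certificate remains valid beyond the issuer TTL. The function name check_client_cert and its arguments are assumptions for illustration; it uses only the openssl CLI.

```shell
#!/usr/bin/env bash
# Added example (not from the Akeyless docs): inspect an issued client certificate.
# Usage: check_client_cert <cert.pem> <expected-CN> <max-ttl-seconds>
# Returns 0 when the CN matches and the certificate expires within the TTL.
check_client_cert() {
  local cert="$1" want_cn="$2" max_ttl="$3" subject orgs

  # RFC 2253 output looks like: subject=CN=minikube-user,O=system:masters
  subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253) || {
    echo "FAIL: $cert is not a readable X.509 certificate" >&2
    return 2
  }
  subject=${subject#subject=}
  subject=${subject# }  # some OpenSSL versions print a space after '='

  # Kubernetes takes the user name from CN.
  # (Splitting on ',' assumes no escaped commas in the subject values.)
  if ! printf '%s\n' "$subject" | tr ',' '\n' | grep -Fxq "CN=$want_cn"; then
    echo "FAIL: CN does not match '$want_cn' (subject: $subject)" >&2
    return 1
  fi

  # Each O value becomes a group; system:masters means super-user access.
  orgs=$(printf '%s\n' "$subject" | tr ',' '\n' | sed -n 's/^O=//p' | paste -sd, -)
  echo "user=$want_cn groups=${orgs:-<none>}"
  case ",$orgs," in
    *,system:masters,*) echo "NOTE: certificate grants system:masters (super-user)" ;;
  esac

  # 'openssl x509 -checkend N' exits 0 if the certificate is still valid N seconds from now.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "FAIL: certificate has already expired" >&2
    return 1
  fi
  if openssl x509 -in "$cert" -noout -checkend "$max_ttl" >/dev/null; then
    echo "FAIL: certificate is still valid ${max_ttl}s from now, longer than the TTL" >&2
    return 1
  fi
  echo "OK: certificate expires within ${max_ttl}s"
}
```

For the issuer created above, the call would be `check_client_cert <issued-cert.pem> minikube-user 300`.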
