The Akeyless Dev Hub

If you're looking for help with the only zero-trust, SaaS, unified platform for secrets management - you've come to the right place.

This is our documentation and updates center.


Kubectl Access

Short-lived certificate for accessing a Kubernetes cluster via kubectl


Below we will describe how to configure the Kubectl to work with short-lived certificates to access the Kubernetes cluster using the Akeyless PKI Cert Issuer. The advantage of this approach is that there is no need to manage clients' certificates. Clients identify to the Akeyless account with one of the available Auth Methods and receive a short-lived certificate that can be used to access the Kubernetes cluster via kubectl.


  1. Upload the CA key together with the CA certificate of the Kubernetes cluster into your Akeyless account (in case you are using minikube they are located in ~/.minikube/ca.key and ~/.minikube/ca.crt)
akeyless upload-rsa --name myK8SCA --alg RSA2048 --rsa-key-file-path ~/.minikube/ca.key --cert ~/.minikube/ca.crt
  1. Create new PKI Cert Issuer:
akeyless create-pki-cert-issuer --name myK8SCertIssuer --signer-key-name myK8SCA --ttl 300 --allowed-domains minikube-user --organizations system:masters

In this case, we created an Issuer that will issue a certificate with an expiration time of up to 5 minutes with system:masters access permissions (As you can see in the RBAC Documentation the system:masters ClusterRoleBinding has full access as super-user).

  1. On the client-side, generate a client private key (note that this key is useless without a signed certificate)
openssl genrsa -out /home/user/kubectl-client.key 2048
  1. On the client-side, set the Kubeconfig file to work with the Akeyless PKI Cert Issuer in order to fetch the client access certificate as follow:
- name: minikube
      - get-kube-exec-creds
      - --cert-issuer-name
      - myK8SCertIssuer
      - --key-file-path
      - /home/user/kubectl-client.key
      - --common-name
      - minikube-user
      command: akeyless

Updated 6 months ago

Kubectl Access

Short-lived certificate for accessing a Kubernetes cluster via kubectl

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.