Create a user for Kubernetes cluster

Generate a key and csr
Key:

openssl genrsa -out dmitri.key 2048

CSR:

openssl req -new -key dmitri.key -out dmitri.csr

leave everything defauls, only change Common Name:

Common Name (e.g. server FQDN or YOUR name) []:dmitri

Get the base64 encoding string for the next step:

cat dmitri.csr | base64 | tr -d "\n"

Create CSR manifest:

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: dmitri
spec:
  request: string-here # put here string from previous step
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 31536000  # one year
  usages:
  - client auth

Use kubectl to create a CSR and approve it:

kubectl apply -f csr.yaml
kubectl get csr
kubectl certificate approve dmitri

Get the certificate:

kubectl get csr dmitri -o yaml
kubectl get csr dmitri -o jsonpath='{.status.certificate}'| base64 -d > dmitri.crt

Add to kubeconfig.
Add user:

kubectl config set-credentials dmitri --client-key=dmitri.key --client-certificate=dmitri.crt --embed-certs=true

Add context:

kubectl config set-context dmitri --cluster=kubernetes --user=dmitri

Create role and rolebinding in default namespace:

kubectl create role limitedaccess --verb=create,get,list,update,delete --resource=pods
kubectl create rolebinding limitedaccess-binding-dmitri --role=limitedaccess --user=dmitri

change the context to myuser:

kubectl config use-context dmitri

Try out:

kubectl get po

You have limited rights. If you issue:

kubectl get po -n kube-system

you will get:

Error from server (Forbidden): pods is forbidden: User "dmitri" cannot list resource "pods" in API group "" in the namespace "kube-system"