Create a user for a Kubernetes cluster

Generate a key and CSR
Key:

openssl genrsa -out dmitri.key 2048
CSR:
openssl req -new -key dmitri.key -out dmitri.csr
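Leave everything at the defaults and only change the Common Name. Kubernetes uses the Common Name as the username (and any Organization value as a group), so it must match the user named in the role binding later: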
Common Name (e.g. server FQDN or YOUR name) []:dmitri
Get the base64 encoding string for the next step:
cat dmitri.csr | base64 | tr -d "\n"
Create the CSR manifest (saved as csr.yaml, the file applied in the next step):
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: dmitri
spec:
  request: string-here # put here string from previous step
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 31536000  # one year
  usages:
  - client auth
Use kubectl to create a CSR and approve it:
kubectl apply -f csr.yaml
kubectl get csr
kubectl certificate approve dmitri
Get the certificate:
kubectl get csr dmitri -o yaml
kubectl get csr dmitri -o jsonpath='{.status.certificate}'| base64 -d > dmitri.crt
Add to kubeconfig.
Add user:
kubectl config set-credentials dmitri --client-key=dmitri.key --client-certificate=dmitri.crt --embed-certs=true
Add context:
kubectl config set-context dmitri --cluster=kubernetes --user=dmitri
Create role and rolebinding in default namespace:
kubectl create role limitedaccess --verb=create,get,list,update,delete --resource=pods
kubectl create rolebinding limitedaccess-binding-dmitri --role=limitedaccess --user=dmitri
Change the context to dmitri:
kubectl config use-context dmitri
Try out:
kubectl get po
You have limited rights. If you issue:
kubectl get po -n kube-system
you will get:
Error from server (Forbidden): pods is forbidden: User "dmitri" cannot list resource "pods" in API group "" in the namespace "kube-system"
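The approval step above signs whatever subject the request carries, and Kubernetes takes the username from the Common Name and group names from any Organization values. As an added example (not part of the original page), the shell functions below check a pending request's subject before kubectl certificate approve; the function names, the file name pending.csr and the rule of rejecting groups that begin with system: are assumptions of this example.

```shell
#!/bin/sh
# Added example: review a CSR's subject before approving it.
# Function names and pending.csr are hypothetical, chosen for this example.

# Print the subject of a PEM CSR, one attribute per line.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt multiline
}

# check_subject EXPECTED_CN
# Reads csr_subject output on stdin. Succeeds only if the request has exactly
# one commonName equal to EXPECTED_CN and no organizationName (Kubernetes
# group) starting with "system:". Anything unexpected fails closed.
check_subject() {
    expected=$1
    subject=$(cat)
    cn=$(printf '%s\n' "$subject" | sed -n 's/^ *commonName *= //p')
    orgs=$(printf '%s\n' "$subject" | sed -n 's/^ *organizationName *= //p')

    # Several CNs, or a multi-valued RDN, produce a string that cannot
    # equal the expected name, so they are rejected here as well.
    if [ "$cn" != "$expected" ]; then
        echo "REJECT: commonName is '$cn', expected '$expected'" >&2
        return 1
    fi
    if printf '%s\n' "$orgs" | grep -q '^system:'; then
        echo "REJECT: request asks for a system: group" >&2
        return 1
    fi
    echo "OK: user=$cn groups=$(printf '%s' "$orgs" | tr '\n' ',')"
}

# Usage against the cluster (not executed here):
#   kubectl get csr dmitri -o jsonpath='{.spec.request}' | base64 -d > pending.csr
#   csr_subject pending.csr | check_subject dmitri && kubectl certificate approve dmitri
```

With a stock openssl.cnf, leaving the prompts at their defaults puts a default Organization into the request, and the OK line shows it as a group the user would belong to.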