Create user in Kubernetes for kubectl
I need to create users so that I can assign them permissions with RBAC. I create them as follows:

echo -n "lucia" | base64
bHVjaWE=
echo -n "pass" | base64
cGFzcw==

apiVersion: v1
kind: Secret
metadata:
  name: lucia-secret
type: Opaque
data:
  username: bHVjaWE=
  password: cGFzcw==

Or create with:

# one --from-literal per key; a single comma-separated value would become one key
kubectl create secret generic lucia-secret --from-literal=username='lucia' --from-literal=password='pass'

I don't know how to continue:

USER_NICK=lucia

# basic-auth credentials for the user entry in the kubeconfig
kubectl config set-credentials "$USER_NICK" \
    --username=lucia \
    --password=pass

# expects a ca.crt key in the secret (needs jq)
kubectl get secret lucia-secret -o json | jq -r '.data["ca.crt"]' | base64 -d > ca.crt

# API server endpoint of the cluster behind the current context
CLUSTER_NAME=$(kubectl config view --minify -o jsonpath='{.clusters[0].name}')
endpoint=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"$CLUSTER_NAME\")].cluster.server}")

kubectl config set-cluster cluster-for-lucia \
  --embed-certs=true \
  --server="$endpoint" \
  --certificate-authority=./ca.crt

kubectl config set-context context-lucia \
  --cluster=cluster-for-lucia \
  --user="$USER_NICK" \
  --namespace=default

ca.crt is null

Thank you for your help!

Khorma answered 6/7, 2017 at 12:9 Comment(0)

The Kubernetes docs and articles use certificates to create or authenticate users for the kubectl client. However, there is an easy way to do it using a ServiceAccount. One can use a ServiceAccount as a group to provide RBAC-controlled authentication, and it is very easy and descriptive. Here are the steps. All the steps I am executing are in the default namespace. I am going to create a pod read-only user which can get, list and watch any pod in all namespaces.

  • Create a ServiceAccount, say 'readonlyuser'.

    kubectl create serviceaccount readonlyuser

  • Create a cluster role, say 'readonlyuser'.

    kubectl create clusterrole readonlyuser --verb=get --verb=list --verb=watch --resource=pods

  • Create a cluster role binding, say 'readonlyuser'.

    kubectl create clusterrolebinding readonlyuser --serviceaccount=default:readonlyuser --clusterrole=readonlyuser

  • Now get the token from the secret of the ServiceAccount we created before. We will use this token to authenticate the user.

    # reads the token Secret listed under the ServiceAccount's "Tokens"; clusters before v1.24 create that Secret automatically
    TOKEN=$(kubectl describe secrets "$(kubectl describe serviceaccount readonlyuser | grep -i Tokens | awk '{print $2}')" | grep token: | awk '{print $2}')

  • Now set the credentials for the user in the kubeconfig file. I am using 'vikash' as the username.

    kubectl config set-credentials vikash --token=$TOKEN

  • Now create a context, say podreader. I am using my cluster name 'kubernetes' here.

    kubectl config set-context podreader --cluster=kubernetes --user=vikash

  • Finally, use the context.

    kubectl config use-context podreader

And that's it. Now one can execute kubectl get pods --all-namespaces. One can also check the access by executing the following:

~ : $ kubectl auth can-i get pods --all-namespaces
yes
~ : $ kubectl auth can-i create pods
no
~ : $ kubectl auth can-i delete pods
no
Monitory answered 5/4, 2019 at 11:32 Comment(1)
Is there any documentation available for this approach? – Heymann
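The question's script and this answer both end in the same three kubectl config set-* calls, and the question stalls on a null ca.crt because an Opaque Secret has no such key: the Secret that carries ca.crt, namespace and token is the ServiceAccount's own token Secret (type kubernetes.io/service-account-token), which clusters before v1.24 generate automatically. The script below is an editor's added example, not code from the question or from this answer. It reads that Secret's JSON (a constructed sample is embedded, with a placeholder certificate and token), checks that it really is a token Secret, and writes a standalone kubeconfig instead of appending to ~/.kube/config. The API server URL and the cluster, user and context names in the usage are assumptions. On v1.24 and later, where no token Secret is auto-created, pass build_kubeconfig a short-lived token from kubectl create token readonlyuser and the CA from kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.certificate-authority-data}'.

```python
"""Build a standalone kubeconfig for a ServiceAccount from its token Secret.

Editor's example, not code from the question or the answer. Input is the JSON
that `kubectl get secret <name> -o json` prints for a Secret of type
kubernetes.io/service-account-token, whose .data carries ca.crt, namespace and
token. SAMPLE_SECRET is constructed; its certificate and token are placeholders.
"""
import base64
import json
import os

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"

# Constructed sample shaped like the API's JSON: every value under .data is base64.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": SA_TOKEN_TYPE,
    "metadata": {
        "name": "readonlyuser-token-x7k2p",
        "namespace": "default",
        "annotations": {"kubernetes.io/service-account.name": "readonlyuser"},
    },
    "data": {
        "ca.crt": base64.b64encode(
            b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
        ).decode(),
        "namespace": base64.b64encode(b"default").decode(),
        "token": base64.b64encode(b"eyJhbGciOiJSUzI1NiJ9.placeholder.sig").decode(),
    },
}


def creds_from_sa_secret(secret):
    """Return (ca_crt_b64, token, namespace) from a ServiceAccount token Secret.

    Anything else is rejected: an Opaque Secret created by hand has no ca.crt
    key, which is why `jq '.data["ca.crt"]'` on it prints null.
    """
    if secret.get("type") != SA_TOKEN_TYPE:
        raise ValueError("expected Secret type %s, got %r" % (SA_TOKEN_TYPE, secret.get("type")))
    data = secret.get("data") or {}
    missing = [k for k in ("ca.crt", "token", "namespace") if k not in data]
    if missing:
        raise ValueError("Secret is missing keys: " + ", ".join(missing))
    # ca.crt is kept base64: certificate-authority-data in a kubeconfig is base64
    # as well, so decoding it to a file only to re-embed it is unnecessary.
    token = base64.b64decode(data["token"]).decode()
    namespace = base64.b64decode(data["namespace"]).decode()
    return data["ca.crt"], token, namespace


def build_kubeconfig(server, ca_crt_b64, token, namespace,
                     cluster="cluster", user="user", context=None):
    """Assemble the document the three `kubectl config set-*` calls would produce."""
    context = context or "%s@%s" % (user, cluster)
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster,
                      "cluster": {"server": server,
                                  "certificate-authority-data": ca_crt_b64}}],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": context,
                      "context": {"cluster": cluster, "user": user,
                                  "namespace": namespace}}],
        "current-context": context,
    }


def write_kubeconfig(config, path):
    """Write the kubeconfig as JSON (kubectl reads JSON kubeconfig files) with mode 0600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=2)
    os.chmod(path, 0o600)  # in case the file already existed with wider permissions
    return path


if __name__ == "__main__":
    # Assumed values: the API server URL and the names used in the answer above.
    ca, tok, ns = creds_from_sa_secret(SAMPLE_SECRET)
    cfg = build_kubeconfig("https://203.0.113.10:6443", ca, tok, ns,
                           cluster="kubernetes", user="vikash", context="podreader")
    print(json.dumps(cfg, indent=2))
```

Run it with KUBECONFIG pointed at the file write_kubeconfig produces and kubectl auth can-i behaves exactly as in the answer; the file contains the bearer token in clear, which is why it is written with owner-only permissions.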

In this guide you can find how to configure a user for your cluster: https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/#use-case-1-create-user-with-limited-namespace-access

Long story short:

  • Create certificates for the user
  • Create a certificate sign request
  • Sign the certificate with the cluster certificate authority
  • Create a configuration for your user
  • Add RBAC rules for this user or its group

Regarding the ca.crt, you need to find it on your master host.

Edited: In the case of GKE, check here https://cloud.google.com/container-engine/docs/iam-integration

Bifoliate answered 6/7, 2017 at 13:19 Comment(4)
Thanks for your answer. I know that entry, but the problem is that I cannot find the ca.key; I'm using GKE with container-vm. Is it the file --client-ca-file=XXXX? – Khorma
The only thing I cannot find is the ca.key in my GKE cluster. – Khorma
In the case of GKE it seems to work like this: cloud.google.com/container-engine/docs/iam-integration – Bifoliate
@JavierSalmeron I have set up Kubernetes on Rancher. Can you please help me find the ca.crt? – Fostoria

A little late update on what worked for me.
I also needed to filter by namespace, to give developers read-only access to the main app resources, but not to nodes, secrets, ingress controllers, ingresses or other namespaces.

Modify and apply the following YAML:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa-reader
  namespace: default

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: reader-cr
rules:
# Read access to the listed resources. Bound below through namespaced RoleBindings,
# so it applies only inside those namespaces; persistentvolumes is cluster-scoped
# and cannot be reached through a RoleBinding at all.
- verbs: ["get", "list", "watch"]
  resources: 
  - namespaces
  - services
  - endpoints
  - pods
  - deployments
  - configmaps
  - jobs
  - cronjobs
  - daemonsets
  - statefulsets
  - replicasets
  - persistentvolumes
  apiGroups: ["","apps","batch"]
# Additionally allows creating and deleting pods in the bound namespaces.
- verbs: ["create", "delete"]
  resources: ["pods"]
  apiGroups: [""]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-tuxerrante-pods-rb
  namespace: tuxerrante
subjects:
- kind: ServiceAccount
  name: sa-reader
  namespace: default
roleRef:
  kind: ClusterRole
  name: reader-cr
  apiGroup: rbac.authorization.k8s.io

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-tuxerrante-round-pods-rb
  namespace: tuxerrante-round
subjects:
- kind: ServiceAccount
  name: sa-reader
  namespace: default
roleRef:
  kind: ClusterRole
  name: reader-cr
  apiGroup: rbac.authorization.k8s.io

Then build the kubeconfig entries:

# THIS WILL APPEND CONFIGURATIONS TO YOUR CURRENT KUBECONFIG
# (reads the token Secret listed under the ServiceAccount's "Tokens"; clusters before v1.24 create it automatically)
$ TOKEN=$(kubectl describe -n default secrets "$(kubectl describe -n default serviceaccount sa-reader | grep -i Tokens | awk '{print $2}')" | grep token: | awk '{print $2}')
$ kubectl config set-credentials reader-user --token=$TOKEN
$ kubectl config set-context cluster-reader --cluster=cluster-svil --user=reader-user

# I PREFER TO COPY THE PREVIOUS NEW CONFIG IN A NEW FILE AND THEN USE IT
# 
$ export KUBECONFIG=~/.kube/tuxerrante-reader.kubeconfig
$ kubectl config use-context cluster-reader
$ kubectl auth can-i get pods --all-namespaces
$ kubectl auth can-i create pods
$ kubectl auth can-i delete pods
$ kubectl -n tuxerrante get pods
Mineralize answered 16/4, 2021 at 13:23 Comment(0)
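What the ClusterRole plus the two RoleBindings above actually grant is easiest to see by replaying the decision the API server's RBAC authorizer makes. The script below is an editor's added example, not code from this answer: it transcribes the answer's rules and bindings into Python dicts (so no YAML library is needed) and adds the readonlyuser ClusterRoleBinding from the earlier answer for contrast. It shows that the RoleBindings confine reader-cr to tuxerrante and tuxerrante-round, that the cluster-scoped persistentvolumes entry is unreachable through a namespaced RoleBinding, and that the second rule lets sa-reader create and delete pods in those namespaces, so kubectl auth can-i delete pods -n tuxerrante answers yes even though the intent was read-only access. The subject names and namespaces are the answer's; everything else is assumed.

```python
"""Model of the RBAC decision the API server makes for the objects in the answer above.

Editor's example, not code from the answer. The ClusterRole and the two
RoleBindings are transcribed from the answer's YAML into dicts (no YAML library
needed); the readonlyuser ClusterRoleBinding from the earlier answer is added for
contrast. Left out of the model: resourceNames, subresources, nonResourceURLs,
and User/Group subjects.
"""

CLUSTER_ROLES = {
    # earlier answer: kubectl create clusterrole readonlyuser --verb=get --verb=list --verb=watch --resource=pods
    "readonlyuser": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    ],
    # this answer's reader-cr
    "reader-cr": [
        {"apiGroups": ["", "apps", "batch"],
         "resources": ["namespaces", "services", "endpoints", "pods", "deployments",
                       "configmaps", "jobs", "cronjobs", "daemonsets", "statefulsets",
                       "replicasets", "persistentvolumes"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "delete"]},
    ],
}

# Subjects are (kind, namespace, name); RBAC requires a namespace for ServiceAccounts.
SA_READER = ("ServiceAccount", "default", "sa-reader")
READONLYUSER = ("ServiceAccount", "default", "readonlyuser")

CLUSTER_ROLE_BINDINGS = [
    {"roleRef": "readonlyuser", "subjects": [READONLYUSER]},
]
ROLE_BINDINGS = [
    {"namespace": "tuxerrante", "roleRef": "reader-cr", "subjects": [SA_READER]},
    {"namespace": "tuxerrante-round", "roleRef": "reader-cr", "subjects": [SA_READER]},
]


def _rule_allows(rule, verb, api_group, resource):
    """A rule matches when verb, API group and resource each appear in it ('*' matches all)."""
    def hit(values, want):
        return "*" in values or want in values
    return (hit(rule["verbs"], verb) and hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource))


def _role_allows(role_name, verb, api_group, resource):
    return any(_rule_allows(r, verb, api_group, resource) for r in CLUSTER_ROLES[role_name])


def can_i(subject, verb, resource, api_group="", namespace=None):
    """Answer `kubectl auth can-i VERB RESOURCE [-n NAMESPACE]` for a subject.

    namespace=None is a request with no namespace: a cluster-scoped resource such
    as persistentvolumes, or a list across all namespaces (`kubectl get pods
    --all-namespaces`). Only a ClusterRoleBinding can authorize those; a
    RoleBinding grants the referenced ClusterRole's rules solely inside the
    RoleBinding's own namespace, whatever resources the rules name.
    """
    for crb in CLUSTER_ROLE_BINDINGS:
        if subject in crb["subjects"] and _role_allows(crb["roleRef"], verb, api_group, resource):
            return True
    if namespace is None:
        return False
    for rb in ROLE_BINDINGS:
        if (rb["namespace"] == namespace and subject in rb["subjects"]
                and _role_allows(rb["roleRef"], verb, api_group, resource)):
            return True
    return False


if __name__ == "__main__":
    for subject, verb, resource, group, ns in [
        (SA_READER, "get", "pods", "", "tuxerrante"),
        (SA_READER, "get", "pods", "", "default"),
        (SA_READER, "delete", "pods", "", "tuxerrante"),
        (SA_READER, "get", "deployments", "apps", "tuxerrante"),
        (SA_READER, "list", "persistentvolumes", "", None),
        (READONLYUSER, "get", "pods", "", None),
        (READONLYUSER, "create", "pods", "", "default"),
    ]:
        scope = " -n " + ns if ns else " (cluster-wide)"
        answer = "yes" if can_i(subject, verb, resource, group, ns) else "no"
        print("%s can-i %s %s%s: %s" % (subject[2], verb, resource, scope, answer))
```

Against a live cluster the same questions go to kubectl auth can-i with --as=system:serviceaccount:default:sa-reader, which is the quickest way to confirm the model's answers before handing the kubeconfig to a developer.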

© 2022 - 2024 — McMap. All rights reserved.