bookmark_borderAuthentication in Kubernetes

Kubernetes does not manage user accounts natively it relies on an external source like a file with user details or certificates or a third party identify service like LDAP to manage these users. So you can not create users for administrators and developers.

The Kubernetes cluster consists of multiple nodes physical or virtual and various components that work together.

  • Administrators that access the cluster to perform administrative tasks.
  • Developers that access the cluster to test or deploy applications.
  • Third-party applications access the cluster for integration purposes.

However, you can create service accounts using the Kubenetes API for third-party applications.

$ kubectl create serviceaccount service1
serviceaccount/service1 created
$ kubectl get serviceaccount
NAME       SECRETS   AGE
default    1         25d
service1   1         56s

All user access is managed by the API Server whether you are accessing the cluster through kubectl tool or the API directly.

kubectl
curl https://kube-server-ip:6443

all of these requests go through the Kube-apiserver. The kube-apiserver authenticates the requests before processing it.

There are different authentication mechanisms that can be configured.

  • a list of usernames and passwords in a static password file.
  • a list of usernames and tokens in a static token file.
  • authenticate using certificates.
  • third party authentication protocols like LDAP.

Auth Mechanisms – Basic

You can create a list of users and their passwords in a csv file and use that as the source for user information. The file has three columns password, username, and userid. when then pass the file name as an option to the kube-apiserver.

Add csv file in kube-apiserver.yaml.

password,developer,u0001,group1
password,administrator,u0002,group1
--basic-auth-file=user-details.csv
$ cat /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 192.168.56.2:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.168.56.2
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --insecure-port=0
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    - --basic-auth-file=user-details.csv
***

If you setup the cluster using the kubeadm tool, then you must modify the kube-apiserver pod definition file. And Kubeadm tool will automatically restart the kube-apiserver once you update the file.

To authenticate using the basic credentials while accessing the apiserver specify the user and password in a curl command like this.

curl -v -k https://master-node-ip:6443/api/v1/pods -u "user1:password123"

static password file

password,developer,u0001,group1
password,administrator,u0002,group1

static token file

cGFzc3dvcmQ=,developer,u0001,group1
cGFzc3dvcmQ=,administrator,u0002,group1
--token-auth-file=user-token-details.csv
  • you can have a static token file instead of password you specify a token pass the token file as an option token-auth-file to the kube-api-server.
curl -v -k https://master-node-ip:6443/api/v1/pods --header "Authorization: cGFzc3dvcmQ="

A static file is not a recommended approach as it is insecure.

  • This is not a recommended authentication mechanism
  • Consider volume mount while providing the auth file in a Kubeadm setup.
  • Setup Role Based Authorization for the new users.

This is not recommended in a production environment. This is only for learning purposes.

A static file
ANOTE.DEV