Authentication
- Access to the cluster comes from these groups:
- Admins
- Developers
- Application End Users
- Bots - Service Accounts
- This section covers how to secure access to the Kubernetes cluster with authentication mechanisms.
- Kubernetes does not manage user accounts natively; human users come from an external source (a file, a client certificate or an identity provider).
- Kubernetes can create Service Accounts:
  - `kubectl create serviceaccount sa1`
  - To list the service accounts that exist: `kubectl get serviceaccount`
- All user access is managed by the `kube-apiserver`.
- This is either through the admin accessing via the `kubectl` tool or the `kube-apiserver` directly with a `curl` command like: `curl https://kube-server-ip:6443`
- The `kube-apiserver` first **Authenticates** the request (who is calling?), then authorizes it (RBAC and the other authorization modes), and only then **Processes** it.
- Authentication mechanisms are the following:
  - Static Password File
  - Static Token File
  - Certificates
  - Identity Services (external identity providers such as LDAP or OIDC)
- For the Static Password File, create a CSV file and store the information like so: `password,user,user_id`
- The filename is then passed as an option to the `kube-apiserver` using `--basic-auth-file=<file.csv>`.
- On a manually installed control plane, specify the `--basic-auth-file` option in the `kube-apiserver.service` unit file.
- Restart the `kube-apiserver` for the options to take effect.
- If the cluster was set up using the `kubeadm` tool, modify the static pod manifest at `/etc/kubernetes/manifests/kube-apiserver.yaml` instead (and mount the CSV file into the pod with a `hostPath` volume, otherwise the container cannot read it).
- The `kube-apiserver` will be updated automatically: the kubelet restarts the static pod when its manifest changes.
- To authenticate using the basic credentials whilst accessing the `kube-apiserver`, specify the user and password in a `curl` command like this: `curl -v -k https://master-node-ip:6443/api/v1/pods -u "user1:password123"`
- In the user CSV file, a fourth column, `group id`, can be added to assign users to specific groups. Group names map directly to RBAC subjects, so be careful what you put there.
- Caveat: static password files (`--basic-auth-file`) were deprecated in Kubernetes v1.16 and removed in v1.19, so on a current cluster the flag makes the `kube-apiserver` refuse to start. Both static file mechanisms keep credentials in clear text on the control plane node and cannot be rotated without an API server restart; they are fine for a lab, not for production.
- A static token file can also be used, passed with `--token-file=<file.csv>`, with one token per line. The client then sends the token in an `Authorization: Bearer <token>` header instead of a username and password.
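To make the static token file concrete, here is an added example (not code from the original notes or from the Kubernetes project) that builds a `--token-file` CSV in the format the `kube-apiserver` expects and resolves a presented bearer token to a user, uid and groups the way the static-token authenticator does. All tokens, user names and groups are constructed sample values; the `curl` invocation at the end is shown only as a comment because it needs a real cluster.

```shell
#!/bin/sh
# Added example: static token file handling for kube-apiserver --token-file.
# Format of each record:  token,user,uid,"group1,group2"   (groups column optional)
set -eu

TOKEN_FILE="${TOKEN_FILE:-$(mktemp)}"

# Opaque random token: 32 bytes from /dev/urandom as hex. This string *is* the
# credential and lands in the file in clear text, so never derive it from a password.
gen_token() {
  od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Append one record. Groups are a comma-separated list and must be quoted,
# otherwise the CSV parser treats each group as its own column.
add_user() {
  token="$1"; user="$2"; uid="$3"; groups="${4:-}"
  if [ -n "$groups" ]; then
    printf '%s,%s,%s,"%s"\n' "$token" "$user" "$uid" "$groups" >> "$TOKEN_FILE"
  else
    printf '%s,%s,%s\n' "$token" "$user" "$uid" >> "$TOKEN_FILE"
  fi
  # The file is a credential store: readable by root only.
  chmod 600 "$TOKEN_FILE"
}

# Resolve a presented bearer token. Prints "user uid[ groups]" on success and
# returns 1 for an unknown token (the apiserver would then try the next
# authenticator in its chain and finally answer 401 Unauthorized).
authenticate() {
  presented="$1"
  awk -F, -v t="$presented" '
    $1 == t {
      groups = ""
      for (i = 4; i <= NF; i++) groups = groups (i > 4 ? "," : "") $i
      gsub(/"/, "", groups)          # strip the CSV quoting around the group list
      printf "%s %s%s\n", $2, $3, (groups == "" ? "" : " " groups)
      found = 1
      exit
    }
    END { exit found ? 0 : 1 }
  ' "$TOKEN_FILE"
}

# --- constructed sample records (not real cluster credentials) ---------------
ADMIN_TOKEN="31ada4fd-adec-460c-809a-9e56ceb75269"   # fixed so the lookup below is reproducible
DEV_TOKEN="$(gen_token)"
BOT_TOKEN="$(gen_token)"
add_user "$ADMIN_TOKEN" admin-user 1 "cluster-admins"
add_user "$DEV_TOKEN"   dev-user   2 "developers,qa"
add_user "$BOT_TOKEN"   bot-user   3

# Stand-alone demo: show the file and resolve the developer token.
echo "token file: $TOKEN_FILE"
cat "$TOKEN_FILE"
authenticate "$DEV_TOKEN"
# Against a real control plane (not run here), the same token is presented as:
#   curl -k https://master-node-ip:6443/api/v1/pods -H "Authorization: Bearer $DEV_TOKEN"
```

Two things to check before relying on this in a lab: the CSV file must live on the control plane node and be reachable by the `kube-apiserver` process (a `hostPath` mount for the kubeadm static pod), and every change to it, including revoking a token, only takes effect after the API server restarts. Whatever you write in the groups column becomes an RBAC subject immediately, so a token placed in `system:masters` bypasses RBAC entirely.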