Authentication

Different users in Kubernetes

In a Kubernetes cluster, we have different users, for example,

  • administrators - who manage the cluster
  • developers - who deploy or test applications
  • end-users - who access the application running in the cluster
  • third-party applications or bots - that interact with the cluster for integration purposes

Authentication in Kubernetes

All user access is managed by the kube-apiserver. As mentioned before, the kube-apiserver is the front-end of the Kubernetes control plane. For every request it first authenticates the user (who is making the request?) and then authorizes the user to perform the requested operation (is this identity allowed to do that?).

We have different ways to authenticate users in Kubernetes.

  • Client certificates
  • Static password file (Deprecated) - Contains a list of usernames and passwords
  • Static token file - Contains a list of usernames and tokens
  • Connect to an identity provider (third-party) - Like LDAP or Kerberos
  • Service account tokens

Static password file (Deprecated)

In this method, we create a CSV file with a password, username, and user ID on each line. This file is passed to the kube-apiserver using the --basic-auth-file flag. Note that this flag was removed in Kubernetes 1.19, so it only works on older clusters. On a kubeadm cluster the kube-apiserver runs as a static pod, and you can find its configuration file in /etc/kubernetes/manifests/kube-apiserver.yaml.

passwords.csv
# password, username, user ID, group (optional)
password1,joe_user,joe_userID
password1,joe_user,joe_userID,group1
  • You can also specify the fourth column as the group to which the user belongs, but it is optional.

To authenticate users, you can use the following command. The -k flag skips TLS certificate verification of the API server; outside a lab, pass the cluster CA with --cacert instead.

curl -v -k https://master-node-ip:6443/api/v1/pods -u "username:password"

Static token file

The concept is similar to the static password file. In this method, we create a CSV file with a token, username, and user ID on each line. This file is passed to the kube-apiserver using the --token-auth-file flag. The tokens are stored in plain text, never expire, and the list cannot be changed without restarting the kube-apiserver, so this method is only suitable for small or test clusters.

tokens.csv
# token, username, user ID, group (optional)
mjpuauwabcnIXBicj12cnXoaS,joe_user,joe_userID
ajpuauwabcnIXBicj12cnXoaS,joe_user,joe_userID,group1

To authenticate users, you can use the following command.

curl -v -k https://master-node-ip:6443/api/v1/pods --header "Authorization: Bearer <replace-your-token>"
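The checks below are an added example written for these notes; they are not part of the original page or of Kubernetes itself. They cover the static token file described above (the removed password file used the same CSV layout) and the kube-apiserver manifest that references it: validate_token_file rejects rows with missing fields, duplicate tokens (which make the file ambiguous) and tokens shorter than an assumed 20-character policy minimum; new_token generates a random token; bearer_header builds the header value the curl command above sends; and audit_apiserver_manifest fails if the removed --basic-auth-file flag is still present and otherwise prints the path given to --token-auth-file. The script assumes bash, and all file paths and sample rows are constructed for the demo and written to a temporary directory.

```shell
#!/usr/bin/env bash
# Added example for the static token file section (not code from the notes
# or from Kubernetes). Assumes bash; sample files below are constructed.

# validate_token_file FILE
# Checks the layout the notes describe: token,username,userID[,group...]
# Prints one diagnostic per problem and returns 1 if any were found.
validate_token_file() {
  local file="$1" line lineno=0 problems=0 token user uid rest
  local seen_tokens=""
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    # skip blank lines and comment lines
    case "$line" in ''|'#'*) continue ;; esac
    IFS=',' read -r token user uid rest <<< "$line"
    if [ -z "$token" ] || [ -z "$user" ] || [ -z "$uid" ]; then
      echo "$file:$lineno: token, username and user ID are all required"
      problems=$((problems + 1))
      continue
    fi
    # assumed policy: tokens shorter than 20 characters are too easy to guess
    if [ "${#token}" -lt 20 ]; then
      echo "$file:$lineno: token shorter than 20 characters"
      problems=$((problems + 1))
    fi
    # a token listed twice maps to more than one identity
    case ",$seen_tokens," in
      *",$token,"*)
        echo "$file:$lineno: duplicate token"
        problems=$((problems + 1)) ;;
    esac
    seen_tokens="$seen_tokens,$token"
  done < "$file"
  [ "$problems" -eq 0 ]
}

# new_token: 32 random bytes as URL-safe base64 (43 characters)
new_token() {
  head -c 32 /dev/urandom | base64 | tr -d '\n=' | tr '+/' '-_'
}

# bearer_header TOKEN: the value passed to curl --header
bearer_header() {
  printf 'Authorization: Bearer %s' "$1"
}

# audit_apiserver_manifest FILE
# Returns 1 if the removed --basic-auth-file flag is still configured;
# otherwise prints the path passed to --token-auth-file (empty if none).
audit_apiserver_manifest() {
  local manifest="$1"
  if grep -q -- '--basic-auth-file' "$manifest"; then
    echo "$manifest: --basic-auth-file was removed in Kubernetes 1.19" >&2
    return 1
  fi
  grep -o -- '--token-auth-file=[^[:space:]"]*' "$manifest" | sed 's/^--token-auth-file=//'
}

# --- constructed sample inputs for the demo ---
DEMO_DIR="$(mktemp -d)"
GOOD_TOKENS="$DEMO_DIR/tokens.csv"
BAD_TOKENS="$DEMO_DIR/bad-tokens.csv"
MANIFEST="$DEMO_DIR/kube-apiserver.yaml"

cat > "$GOOD_TOKENS" <<EOF
# token, username, user ID, group (optional)
$(new_token),joe_user,joe_userID
$(new_token),jane_user,jane_userID,"group1,group2"
EOF

cat > "$BAD_TOKENS" <<EOF
short,joe_user,joe_userID
mjpuauwabcnIXBicj12cnXoaS,joe_user,joe_userID
mjpuauwabcnIXBicj12cnXoaS,bob_user,bob_userID
,nobody,nobodyID
EOF

# minimal stand-in for /etc/kubernetes/manifests/kube-apiserver.yaml
cat > "$MANIFEST" <<EOF
spec:
  containers:
  - command:
    - kube-apiserver
    - --token-auth-file=/etc/kubernetes/tokens.csv
EOF

validate_token_file "$GOOD_TOKENS" && echo "$GOOD_TOKENS: ok"
validate_token_file "$BAD_TOKENS" || echo "$BAD_TOKENS: rejected"
echo "token file configured: $(audit_apiserver_manifest "$MANIFEST")"

# The request from the notes, printed rather than executed here; --cacert
# (kubeadm default CA path) replaces -k so the server certificate is checked.
demo_token="$(new_token)"
echo "curl --cacert /etc/kubernetes/pki/ca.crt https://master-node-ip:6443/api/v1/pods --header \"$(bearer_header "$demo_token")\""
```

Run the script as-is to see the good file accepted, the bad file rejected with one line per problem, and the token file path recovered from the manifest; point the functions at your own files to check a real cluster.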