CozyFex
Posts Tags Categories English
CozyFex

Contents

Kubernetes Authentication

CozyFex included in kubernetes k8s orchestration
   284 words   2 minutes 

Accounts

Accounts
All accounts is managed by kube-apiserver.
ServiceTypeForIntended To
ApplicationEnd UsersHumansApplication
KubernetesAdminsHumansGlobal(Names must be unique across all namespaces of a cluster)
KubernetesDevelopersHumansGlobal(Names must be unique across all namespaces of a cluster)
KubernetesService AccountsProcesses Run in PODsNamespace(Names must be unique in a namespace)

Admins and Developers

Create a user

1

kubectl create user user1

User list

1

kubectl list users

Service Accounts

Create a service account

1

kubectl create serviceAccount sa1

Service accounts list

1

kubectl list serviceAccount

Process

Auth Mechanisms

Mechanisms

TypeDescription
Static Password FileFile in Kubernetes
Static Token FileFile in Kubernetes
CertificatesExternal Certifications
Identity ServicesExternal Services

Managed by kube-apiserver

Auth Mechanisms Basic

Note
This is not a recommended authentication mechanism.
Consider volume mount while providing the auth file in a kubeadm setup.
Setup Role Based Authorization for the new users.

Static Password File

user-details.csv
1
2
3
4
5

password123,user1,u0001,group1
password123,user2,u0002,group1
password123,user3,u0003,group2
password123,user4,u0004,group2
password123,user5,u0005,group2
kube-apiserver.service

basic-auth-file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

ExecStart=/usr/local/bin/kube-apiserver \\
    --advertise-address=${INTERNAL_IP} \\
    --allow-privileged=true \\
    --apiserver-count=3 \\
    --authorization-mode=Node,RBAC \\
    --bind-address=0.0.0.0 \\
    --enable-swagger-ui=true \\
    --etcd-servers=https://127.0.0.1:2379 \\
    --event-ttl=1h \\
    --runtime-config=api/all \\
    --service-cluster-ip-range=10.32.0.0/24 \\
    --service-node-port-range=30000-32767 \\
    --v=2
    --basic-auth-file=user-details.csv
Password Authenticate User
1

curl -v -k https://master-node-ip:6443/api/v1/pods -u "user1:password123"

Static Token File

user-token-details.csv
1
2
3
4

KpjCVbI7rCFAHYPkByTIzRb7gu1cUc4B,user10,u0010,group1
rJjncHmvtXHc6MlWQddhtvNyyhgTdxSC,user11,u0011,group1
mjpOFIEiFOkL9toikaRNtt59ePtczZSq,user12,u0012,group2
PG41IXhs7QjqwWkmBkvgGT9glOyUqZij,user13,u0013,group2
kube-apiserver.service

--token-auth-file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

ExecStart=/usr/local/bin/kube-apiserver \\
    --advertise-address=${INTERNAL_IP} \\
    --allow-privileged=true \\
    --apiserver-count=3 \\
    --authorization-mode=Node,RBAC \\
    --bind-address=0.0.0.0 \\
    --enable-swagger-ui=true \\
    --etcd-servers=https://127.0.0.1:2379 \\
    --event-ttl=1h \\
    --runtime-config=api/all \\
    --service-cluster-ip-range=10.32.0.0/24 \\
    --service-node-port-range=30000-32767 \\
    --v=2
    --token-auth-file=user-token-details.csv
Token Authenticate User
1

curl -v -k https://master-node-ip:6443/api/v1/pods --header "Authorization: Bearer KpjCVbI7rCFAHYPkByTIzRb7gu1cUc4B"
Updated on 2021-05-19
Read Markdown
 kubernetessecurityauthentication
Back | Home