Authentication defines who can access the K8s cluster.
A K8s cluster is used by four types of users: admins, developers, end users, and bots (third-party applications).
Security for end users is handled by the application running in the Pods, so it does not need to be managed at the cluster level. Admins and developers access the cluster through user accounts, whereas bots access it through service accounts.
User access is managed by the kube-apiserver. It authenticates every request before processing it.
K8s does not manage user accounts natively like it manages service accounts. It relies on external solutions such as:
When implementing basic authentication using a file containing usernames and passwords (or tokens), we need to pass the `--basic-auth-file` or `--token-auth-file` flag to the kube-apiserver and restart it. Both files are CSV: the password file has the columns `password,user,uid` followed by an optional quoted, comma-separated group list; the token file is the same with a token in place of the password.
If the kube-apiserver is running as a service, update the service configuration and restart it. If it is deployed as a static pod by kubeadm, update the pod manifest (`/etc/kubernetes/manifests/kube-apiserver.yaml`); the kubelet notices the change and recreates the pod automatically.
The user can then authenticate to the kube-apiserver by passing the credentials in the curl command. With a static password file, curl sends them as HTTP Basic credentials (`-u user:password`); with a static token file, the token is sent as a bearer token in the `Authorization` header.
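The following is an added example, not code from the original notes: it writes both static credential files in the exact column order the kube-apiserver flags expect, shows what the two curl invocations put on the wire, and prints them. Every username, password, token, UID and the API server address are made-up values.

```shell
#!/bin/sh
# Added example, not part of the original notes. All usernames, passwords,
# tokens, UIDs and the API server address are constructed values.

# --basic-auth-file row: password,username,uid,"group1,group2"
basic_auth_line() {
  printf '%s,%s,%s,"%s"\n' "$1" "$2" "$3" "$4"
}

# --token-auth-file row: token,username,uid,"group1,group2"
token_line() {
  printf '%s,%s,%s,"%s"\n' "$1" "$2" "$3" "$4"
}

# What `curl -u user:password` puts on the wire: base64("user:password").
# base64 is reversible encoding, not encryption, so this scheme is only as
# secret as the TLS connection carrying it.
basic_auth_header() {
  printf 'Authorization: Basic %s' \
    "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# What `curl --header` must carry for a user from the static token file.
bearer_header() {
  printf 'Authorization: Bearer %s' "$1"
}

# Writes both files into $1 (for the kubeadm manifest below that is the
# hostPath directory /tmp/users) and locks them down to the owner only,
# since anyone who can read them holds every listed credential.
write_credential_files() {
  dir="$1"
  mkdir -p "$dir"
  basic_auth_line 'password123' 'user1' 'u0001' 'dev-team' \
    > "$dir/user-details.csv"
  token_line '31ada4fd-adec-460c-809a-9e56ceb75269' 'user2' 'u0002' 'dev-team' \
    > "$dir/user-token-details.csv"
  chmod 600 "$dir/user-details.csv" "$dir/user-token-details.csv"
}

# Prints the two curl invocations against a constructed control-plane
# address. -k is only acceptable for a lab cluster with a self-signed cert;
# otherwise pass --cacert /etc/kubernetes/pki/ca.crt instead.
show_curl_commands() {
  apiserver="${APISERVER:-https://192.168.56.10:6443}"
  echo "curl -k -u user1:password123 $apiserver/api/v1/pods"
  echo "curl -k --header \"$(bearer_header 31ada4fd-adec-460c-809a-9e56ceb75269)\" $apiserver/api/v1/pods"
}

if [ "${1:-}" = "--write" ]; then
  write_credential_files "${2:-/tmp/users}"
fi
show_curl_commands
```

Authenticating is not authorizing: with `--authorization-mode=Node,RBAC` the `user1` request above is identified correctly but still answered with 403 until a Role and RoleBinding grant the `dev-team` group (or the user) access to pods.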
The password file must be stored at a location on the host and mounted into the kube-apiserver pod with a volume (in the case of a kubeadm setup), so that the path given to `--basic-auth-file` exists inside the container:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    <content-hidden>
    - --basic-auth-file=/tmp/users/user-details.csv
    image: k8s.gcr.io/kube-apiserver-amd64:v1.11.3
    name: kube-apiserver
    volumeMounts:
    - mountPath: /tmp/users
      name: usr-details
      readOnly: true
  volumes:
  - hostPath:
      path: /tmp/users
      type: DirectoryOrCreate
    name: usr-details
```
<aside> ⛔ Managing user identities using a plaintext file is not the recommended way. The credentials sit unencrypted on the control-plane host, the list cannot be changed without restarting the kube-apiserver, and the entries never expire or rotate. `--basic-auth-file` was deprecated in v1.16 and removed in v1.19, so the manifest above only works on the old v1.11 image it pins; on current clusters use client certificates or an external identity provider (OIDC), and keep static token files for lab work at most.
</aside>