Archive of posts: June 24, 2020


Authentication on Kubernetes, the easy way

Service account, x509 certificate and kubeconfig: a deep dive into the common techniques to authenticate someone or something on Kubernetes

Kubernetes makes a distinction between authentication and authorisation. This post focuses on the authentication mechanism; authorisation, which is done via Role, RoleBinding, ClusterRole and ClusterRoleBinding, is a topic for another day.

Kubectl is a convenience layer that speaks to the API server. You can see the queries being made by passing a verbose flag to kubectl. For instance:

    # kubectl get namespaces -v=6 -n default
    I0624 17:26:18.599399 39157 loader.go:375] Config loaded from file: /home/mickael/.kube/config
    I0624 17:26:19.575659 39157 round_trippers.go:443] GET https://116.203.202.210:6443/api/v1/namespaces?limit=500 200 OK in 966 milliseconds
    NAME           STATUS   AGE
    cert-manager   Active   18d
    default        Active   18d
    ...

As you can see, kubectl uses our kubeconfig file to securely authenticate us to the API server. Without authentication, the API server refuses to do anything:

    # curl -I --insecure https://116.203.202.210:6443/api/v1/namespaces?limit=500
    HTTP/2 403
    cache-control: no-cache, private
    content-type: application/json
    x-content-type-options: nosniff
    content-length: 320
    date: Wed, 24 Jun 2020 07:29:48 GMT

Our query comes back with a 403 HTTP...
