Authentication
Identity
Concept | Description |
User Accounts |
- For the API server to authenticate a request, the request issuer needs to possess an identity
- Kubernetes does not have objects which represent normal user accounts:
  - it assumes that users are managed outside Kubernetes via LDAP, SSO, SAML, etc.
  - user accounts are considered cluster-wide
  - make sure that the usernames are unique across namespaces
|
Service Accounts |
Description:
- Resource that you can use if your application needs to communicate with the API server
- Managed by the Kubernetes API
- Bound to specific namespaces
Default:
- If you don't explicitly specify a service account in the pod spec, the default service account for the namespace is used
- General form:
system:serviceaccount:$NAMESPACE:$NAME
Stored as Secret:
- By default, Kubernetes makes the credentials of the service account available via a Secret that is mounted into the pod
- They allow in-cluster processes to talk to the Kubernetes API:
$ kubectl run -it --rm jumpod --restart=Never --image=alpine -- sh
$ ls /var/run/secrets/kubernetes.io/serviceaccount/
ca.crt
namespace
service-ca.crt
token
- The token file is a JSON Web Token that can be inspected using the debugger provided by jwt.io
Using tokens:
- The token should be included when sending an API request
- With this token, an attacker can impersonate the service account and use the APIs
$ curl -k -v -H "Authorization: Bearer <JWT_TOKEN>" -H "Content-Type: application/json" https://<MASTER-IP>:6443/api/v1/namespaces/default/secrets
|
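To see which identity a mounted token carries without pasting it into a web debugger, the payload can be decoded locally. The following is an added example, not code from the original page: it decodes (does not verify) the token and recovers the system:serviceaccount:$NAMESPACE:$NAME username from the `sub` claim. The sample tokens are constructed and unsigned, and treating a token with no `exp` claim as long-lived is an assumption of this example.

```python
import base64
import json
import time

PREFIX = "system:serviceaccount:"

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def describe_sa_token(token, now=None):
    """Decode (NOT verify) a service account JWT and summarise its identity."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    sub = claims.get("sub", "")
    # Expect exactly system:serviceaccount:<namespace>:<name>
    if not sub.startswith(PREFIX) or sub.count(":") != 3:
        raise ValueError(f"subject is not a service account: {sub!r}")
    namespace, name = sub[len(PREFIX):].split(":")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    return {
        "username": sub,
        "namespace": namespace,
        "name": name,
        "expires": exp,
        "long_lived": exp is None,  # assumption: no exp means it never expires
        "expired": exp is not None and exp <= now,
    }

def make_sample_token(claims):
    # Builds a constructed, unsigned token for the demo; the signature is a dummy.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

# Constructed samples: one without an expiry, one with an expiry and audience.
LEGACY = make_sample_token({"sub": "system:serviceaccount:default:default"})
BOUND = make_sample_token({"sub": "system:serviceaccount:payments:api",
                           "exp": 1700003600, "aud": ["https://kubernetes.default.svc"]})

if __name__ == "__main__":
    for tok in (LEGACY, BOUND):
        print(describe_sa_token(tok, now=1700000000))
```

Inside a pod, the input would be the contents of /var/run/secrets/kubernetes.io/serviceaccount/token; a result with `long_lived` set is a credential that stays usable until it is revoked.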
Authentication
Concept | Description |
Requests |
- Most interactions with Kubernetes are done by talking to the kube-apiserver of the control plane
- Requests pass through 3 steps in the kube-apiserver before the request is served or rejected:
  - Authentication
  - Authorization
  - Admission Control
- Once requests pass these 3 steps, kube-apiserver communicates with Kubelets over the network
- Kubelets also have to check authentications and authorizations
|
Process |
Every process inside or outside the cluster must authenticate when making requests to the API server, or be treated as an anonymous user:
- The client presents its credentials to the API server
- The API server uses one of the configured authentication plugins to establish the identity with an identity provider
- The identity provider verifies the request information, including username and group membership
- If the credentials are in order, the API server moves on to check permissions. Otherwise, it returns an HTTP 401 Unauthorized client error
 |
Strategies
Authentication strategies are represented by authentication plugins:
Concept | Description |
Static Tokens |
- The API server requires the client to provide an Authorization HTTP header with value of Bearer $TOKEN
- Avoid them due to credentials being transmitted over the network in cleartext
|
Bootstrap Tokens |
- Experimental feature that targets the cluster setup phase and can be used with installers such as kubeadm
- Avoid them due to their non-ephemeral nature
|
Basic Authentication |
- Uses the Basic HTTP authentication scheme
- The API server requires the client to provide an Authorization HTTP header with value of Basic base64(USER:PASSWORD)
- Avoid them due to credentials being transmitted over the network in cleartext
|
X509 client certs |
- Every user has their own X.509 client certificate
  - the API server then validates the client certificate via a configured certificate authority (CA)
  - if the client certificate is verified successfully, the common name of the subject is used as the username for the request, and any organizations defined for the subject are used as groups
  - admins need to manage access to the CA as well as issue the client certificates, and reissue them
- Decent authentication strategy, but you'd have to address renewing and redistributing client certs on a regular basis
|
Service Account Tokens |
- Should not be used for end-users trying to interact with Kubernetes clusters
- They are the preferred authentication strategy for applications & workloads running on Kubernetes
|
OpenID Connect (OIDC) Tokens |
- Identity layer on top of OAuth 2.0
- Use OIDC to provide the API server with an id-token in the form of a JSON Web Token after using your provider's login page
- Best authentication strategy for end users as OIDC integrates with your identity provider (e.g. AD, AWS IAM, etc.)
|