There are 3 steps that Kubernetes uses to enforce security access and permissions are: , and In this article we are going to consider Authentication first. Authentication Authorization Admission. The Authentication, Authorization and Admission Control Process The first thing in Authentication is . Identity Identity Kubernetes assumes that 'users' are managed outside of Kubernetes: a. In production environments it can be (Lightweight Directory Access Protocol), (Single-Sign On), or (Security Assertion Markup Language) for identity management. LDAP SSO Kerberos SAML b. In development or test environments, other Authentication Strategies may be employed. Kubernetes does not have a notion of a human user. Authentication Strategies Kubernetes uses authenticating proxy, bearer tokens, client certificates, or HTTP basic authorization to authenticate API requests through authentication plugins. As HTTP request are made to the API Server, plugins attempt to associate the following attributes with the request: : A string which identifies the end-user Username : A string which identifies the end-user and attempts to be more consistent and unique than a username UID : A set of string which associate users with a set of commonly grouped users Groups : A map of strings which holds additional information Authorizers might find useful Extra fields All of these values are opaque to the authentication system and only hold significance when interpreted by an . Kubernetes administrators typically enable multiple authentication methods. The two minimal methods required are - Service account tokens for service accounts and at least one other method of user authentication. authorizer X509 Client Certificates As of Kubernetes 1.4, client certificates can also indicate a user's group memberships using the certificate's organization fields. To include multiple group memberships for a user, include multiple organization fields in the certificate. Client certificate authentication is enabled by passing the option to the API server. --client-ca-file=<FILE> The referenced file must contain one or more certificate authorities to use to validate client certificates presented to the API server. If a client certificate is presented and verified, the common name of the subject is used as the user name for the request. For instance, using the command line tool to generate a certificate signing request: openssl openssl req -new -key <pem_file>.pem -out <out-csr-file>.pem -subj "/CN=admin/O=prod/O=dev/O=uat" This would create a CSR (Certificate Signing Request) for the username admin, belonging to three groups: , and . prod dev uat Static Token File The API server reads bearer tokens from a file when given the option on the command line. Today, tokens last indefinitely, and the token list cannot be changed without restarting the API server. The token file is a file with a minimum of 3 columns: , followed by optional group names. --token-auth-file=<FILENAME> CSV token, user name, user uid token, user, uid, "prod,dev,uat" If you have more than one group, the column must be double quoted. Note: Putting a Bearer Token in a Request When using bearer token authentication from an HTTP client, the API server expects an header with a value of . The bearer token must be a character sequence that can be put in an HTTP header value using no more than the encoding and quoting facilities of HTTP. For instance, if the bearer token is , then it would appear in an HTTP header as shown below: Authorization Bearer <Token> ad644f3f-bfch-295b-75bk-h9g8ngf36hb6 Authorization: Bearer ad644f3f-bfch-295b-75bk-h9g8ngf36hb6 Static Password File Basic authentication is enabled by passing the option to the API server. Now, the basic auth credentials last indefinitely, and the password cannot be changed without restarting the API server. --basic-auth-file=<FILENAME> The basic auth file is a file with a minimum of 3 columns: . In Kubernetes version 1.6 and later, you can specify an optional 4th column containing comma-separated group names. If you have more than one group, you must enclose the 4th column value in double quotes : csv password, user name, user id (") password,user,uid, "group1,group2,group3" When using basic authentication from an HTTP client, the API server expects an header with a value of: Authorization Basic BASE64ENCODED(USER:PASSWORD) Service Account Tokens A service account is an automatically enabled authenticator that uses signed bearer tokens to verify requests. The plugin takes 2 optional flags: --service-account-key-file A file containing a PEM-encoded key for signing bearer tokens. If unspecified, the API server's TLS private key will be used --service-account-lookup If enabled, tokens which are deleted from the API server will be revoked Service accounts are usually created automatically by the API server and associated with pods running in the cluster through the Admission Controller. ServiceAccount Bearer tokens are mounted into pods at well-known locations and allow in-cluster processes to talk to the API server. Accounts may be explicitly associated with pods using the field of a . serviceAccountName PodSpec Note, is usually omitted because this is done automatically. serviceAccountName Exercise Working with ServiceAccount Tokens The following command may be used to create a : ServiceAccount kubectl create serviceaccount testuser The created secret holds the public CA of the API server and a signed . To display the revealing the associated secret: JSON Web Token (JWT) yaml kubectl get serviceaccount testuser -o yaml The command to display available tokens is: kubectl get secrets To obtain the encoded token data, you may enter: kubectl get secret testuser-token-mgtnp -o yaml You can take the encoded token data and copy-and-paste it at to see the payload. To run a pod, use the editor of your choice to input the following file ( ). https://jwt.io/ yaml test-pod.yaml apiVersion: v1 kind: pod metadata: name: -pod spec: serviceAccountName: testuser container: - name: alpine:3.7 : - - - test command "sh" "-c" "sleep 100" Then launch the pod with the following command: kubectl apply -f -pod.yaml test Use the verb to look at it more closely: describe kubectl describe -pod test Now, that we have a running pod named , let's get into the interactive mode and run a shell: test-pod kubectl -it -pod -- sh exec test This is similar to a docker command if you want to run a shell within a docker container. At that point, we are going to have a prompt and we are inside our Alpine Linux system that is running in a container that is within our pod. In order to open the Token that was copied into the container you have to run the following command: cat /var/run/sercrets/kubernetes.io/serviceaccount/token Copy the output and paste that token in the Encoded side on . On another side you will get the type of token, namespace, ServiceAccount name, Secret name, etc. https://jwt.io/ This pretty much illustrates to you in a very visual way how Kubernetes is carrying the identification and authentication payload in the token. About the author - Sudip is a Solution Architect with more than 15 years of working experience, and is the founder of Javelynn . He likes sharing his knowledge by regularly writing for Hackernoon , DZone , Appfleet and many more. And while he is not doing that, he must be fishing or playing chess. Previously posted at https://appfleet.com/ .
