Mobile
Streaming Platform Products
Virtual & Dedicated Servers Products
Containers Products
Serverless Computing Products
AI & Machine Learning Products
Private and Hybrid Solutions Products
Monitoring Products
Custom Services Products
Media & Entertainment
Financial Services
IT / Technology
Retail
Education
Website Acceleration
Video Streaming
Security & Protection
Cloud
Partnership Solutions
Corporate Solutions
There are 3 steps that Kubernetes uses to enforce security access and permissions – Authentication, Authorization and Admission. In this article we are going to consider Authentication first.
The first thing in Authentication is Identity.
a. In production environments it can be LDAP (Lightweight Directory Access Protocol), SSO (Single-Sign On), Kerberos or SAML (Security Assertion Markup Language) for identity management.
b. In development or test environments, other Authentication Strategies may be employed.
Kubernetes uses authenticating proxy, bearer tokens, client certificates, or HTTP basic authorization to authenticate API requests through authentication plugins. As HTTP request are made to the API Server, plugins attempt to associate the following attributes with the request:
All of these values are opaque to the authentication system and only hold significance when interpreted by an authorizer
. Kubernetes administrators typically enable multiple authentication methods. The two minimal methods required are – Service account tokens for service accounts and at least one other method of user authentication.
--client-ca-file=<FILE>
option to the API server.For instance, using the openssl
command line tool to generate a certificate signing request:
openssl req -new -key <pem_file>.pem -out <out-csr-file>.pem -subj "/CN=admin/O=prod/O=dev/O=uat"
This would create a CSR (Certificate Signing Request) for the username admin
, belonging to three groups: prod
, dev
and uat
The API server reads bearer tokens from a file when given the --token-auth-file=<FILENAME>
option on the command line. Today, tokens last indefinitely, and the token list cannot be changed without restarting the API server. The token file is a CSV
file with a minimum of 3 columns: token, user name, user uid
, followed by optional group names.
token, user, uid,"prod,dev,uat"
Note: If you have more than one group, the column must be double quoted.
When using bearer token authentication from an HTTP client, the API server expects an Authorization
header with a value of Bearer <Token>
. The bearer token must be a character sequence that can be put in an HTTP header value using no more than the encoding and quoting facilities of HTTP. For instance, if the bearer token is ad644f3f-bfch-295b-75bk-h9g8ngf36hb6
, then it would appear in an HTTP header as shown below:
Authorization: Bearer ad644f3f-bfch-295b-75bk-h9g8ngf36hb6
Basic authentication is enabled by passing the --basic-auth-file=<FILENAME>
option to the API server. Now, the basic auth credentials last indefinitely, and the password cannot be changed without restarting the API server.
The basic auth file is a csv
file with a minimum of 3 columns: password, user name, user id
. In Kubernetes version 1.6 and later, you can specify an optional 4th column containing comma-separated group names. If you have more than one group, you must enclose the 4th column value in double quotes (")
:
password,user,uid,"group1,group2,group3"
When using basic authentication from an HTTP client, the API server expects an Authorization
header with a value of:
Basic BASE64ENCODED(USER:PASSWORD)
A service account is an automatically enabled authenticator that uses signed bearer tokens to verify requests. The plugin takes 2 optional flags:
--service-account-key-file
--service-account-lookip
Service accounts are usually created automatically by the API server and associated with pods running in the cluster through the ServiceAccount
Admission Controller.
Bearer tokens are mounted into pods at well-known locations and allow in-cluster processes to talk to the API server. Accounts may be explicitly associated with pods using the serviceAccountName
field of a PodSpec
Note, serviceAccountName
is usually omitted because this is done automatically.
The following command may be used to create a ServiceAccount
:
kubectl create serviceaccount testuser
The created secret holds the public CA
of the API server and a signed JSON Web Token (JWT)
. To display the yaml
revealing the associated secret:
kubectl get serviceaccount testuser -o yaml
The command to display available tokens is:
kubectl get secrets
To obtain the encoded token data, you may enter:
kubectl get secret testuser-token-mgtnp -o yaml
You can take the encoded token data and copy-and-paste it at https://jwt.io/ to see the payload. To run a pod, use the editor of your choice to input the following yaml
file (test-pod.yaml
)
apiVersion: v1 kind: pod metadata: name: test-pod spec: serviceAccountName: testuser container: - name: alpine:3.7 command: - "sh" - "-c" - "sleep 100"
Then launch the pod with the following command:
kubectl apply -f test-pod.yaml
Use the describe
verb to look at it more closely:
kubectl describe test-pod
Now, that we have a running pod named test-pod
, let’s get in to the interactive mode and run a shell:
kubectl exec -it test-pod -- sh
This is similar to a docker command if you want to run a shell within a docker container. At that point, we are going to have a prompt and we are inside our Alpine Linux system that is running in a container that is within our pod. In order to open the Token that was copied into the container you have to run the following command:
cat /var/run/sercrets/kubernetes.io/serviceaccount/token
Copy the output and paste that token in the Encoded side on https://jwt.io/. On another side you will get the type of token, namespace, ServiceAccount name, Secret name, etc.
This pretty much illustrates to you in a very visual way how Kubernetes is carrying the identification and authentication payload in the token.