Authentication forms
Overview of authentication methods against the Kubernetes API server, including basic auth, token auth, and certificate-based authentication.
Authentication against the Kubernetes API server
There are several ways to authenticate against the Kubernetes API server. The first two methods are deprecated and not recommended for production use.
- Basic auth: set --basic-auth-file=/path/to/some.csv in the kube-apiserver configuration (not recommended)
- Token auth: set --token-auth-file=/path/to/some.csv in the kube-apiserver configuration (not recommended)
- Certificate-based authentication (recommended)
The following YAML defines a CertificateSigningRequest resource, which is the preferred way to request client certificates for user authentication in Kubernetes.
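```
cat csr.yaml
# v1beta1 was removed in Kubernetes 1.22; current clusters use certificates.k8s.io/v1
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: akshay
spec:
  groups:
  - system:authenticated
  # base64-encoded PEM certificate request (PKCS#10)
  request: |
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFQYnlDNEZ4QS9zbWFQQ2crSUlOZXJYdGY2TDQ9Ci0t
    LS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
  # signer for client certificates that users present to the API server;
  # kubernetes.io/kube-apiserver-client-kubelet is reserved for kubelet (node) identities
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - client auth
```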
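The request and review steps around such a manifest, as an added example that is not part of the original post: it creates a key and CSR with openssl, wraps the CSR in a certificates.k8s.io/v1 manifest, and decodes it again so an approver can see which identity is being requested. The user akshay, the group dev-team, the file layout and the rule refusing system: groups are assumptions for illustration.

```shell
#!/bin/sh
# Added example; names, paths and the review policy are assumptions.
set -eu

# Create a private key and a PKCS#10 CSR. With certificate authentication the
# API server takes the username from CN and the group memberships from O.
make_csr() {  # usage: make_csr <dir> <user> <group>
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  chmod 600 "$1/$2.key"   # the key never leaves the requester's machine
  openssl req -new -key "$1/$2.key" -subj "/CN=$2/O=$3" -out "$1/$2.csr"
}

# Print a CertificateSigningRequest manifest; spec.request is the PEM CSR,
# base64-encoded on a single line.
make_manifest() {  # usage: make_manifest <dir> <user>
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $2
spec:
  request: $(openssl base64 -A -in "$1/$2.csr")
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF
}

# Approver side: decode spec.request and print the subject being requested.
# Handles the single-line "request: <base64>" form produced above.
csr_subject() {  # usage: csr_subject <manifest-file>
  awk '$1 == "request:" {print $2}' "$1" \
    | openssl base64 -d -A \
    | openssl req -noout -subject -nameopt RFC2253
}

# Local policy (assumption): refuse user CSRs asking for a built-in system:
# group, and refuse anything that does not decode to a CSR.
csr_check() {  # usage: csr_check <manifest-file>
  subj=$(csr_subject "$1") || return 1
  case "$subj" in
    *O=system:*) echo "refuse: $subj" >&2; return 1 ;;
  esac
}

# Cluster steps (need kubectl access, so shown as comments):
#   kubectl apply -f csr.yaml && csr_check csr.yaml && kubectl certificate approve akshay
#   kubectl get csr akshay -o jsonpath='{.status.certificate}' | openssl base64 -d -A > akshay.crt
```

Approving a CSR grants whatever CN and O it names, so `csr_check` is run on the manifest before `kubectl certificate approve`, not after.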
This post is licensed under CC BY 4.0 by the author.