Kubernetes authentication strategies uses following…
- Client certificates
- Bearer tokens
- An authenticating proxy
- HTTP basic auth to authenticate API requests through authentication plugins.
- LDAP
- SAML
- Kerberos, alternate x509 schemes
You can enable multiple authentication methods at once. You should usually use at least two methods:
- service account tokens for service accounts
- at least one other method for user authentication.
What is X509 Client Certs?
X509 Client Certs is one of the authentication method based on “Client certificates”. Client certificate authentication is enabled by passing the –client-ca-file=SOMEFILE option to API server.
The referenced file must contain one or more “certificate authorities” to use to validate client certificates presented to the API server. If a client certificate is presented and verified, the common name of the subject is used as the user name for the request.
Kubernetes provides a certificates.k8s.io API, which lets you provision TLS certificates signed by a Certificate Authority (CA) that you control. These CA and certificates can be used by your workloads to establish trust.
To create a TLS certificate for a Kubernetes service accessed through DNS or for other users, following steps must be performed.
Step 1 – Generate a private key using openssl or CFSSL
Step 2 – Create a Certificate Signing Request(csr) using openssl or CFSSL
Step 3 – Create a Certificate Signing Request object to send to the Kubernetes API using “kind: CertificateSigningRequest”
Step 4 – Approving filename.csr and generating auth key filename.crt
Step 5 – Set kubeconfig file using private key and filename.crt.
You can use “kubectl certificate” commands in Step 4.
kubectl certificate
Using this command, you can Modify certificate resources. such as
- Approve a certificate signing request
- Deny a certificate signing request
Approve a certificate signing request
kubectl certificate approve allows a cluster admin to approve a certificate signing request (CSR). This action tells a certificate signing controller to issue a certificate to the requestor with the attributes requested in the CSR.
$ kubectl certificate approve -f user.csr
Deny a certificate signing request
kubectl certificate deny allows a cluster admin to deny a certificate signing request (CSR). This action tells a certificate signing controller to not to issue a certificate to the requestor
$ kubectl certificate deny -f user.csr
I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.
Do you want to learn Quantum Computing?
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND
Find Trusted Cardiac Hospitals
Compare heart hospitals by city and services — all in one place.
Explore Hospitals