Kubernetes authentication strategies uses following…
- Client certificates
- Bearer tokens
- An authenticating proxy
- HTTP basic auth to authenticate API requests through authentication plugins.
- LDAP
- SAML
- Kerberos, alternate x509 schemes
You can enable multiple authentication methods at once. You should usually use at least two methods:
- service account tokens for service accounts
- at least one other method for user authentication.
What is X509 Client Certs?
X509 Client Certs is one of the authentication method based on “Client certificates”. Client certificate authentication is enabled by passing the –client-ca-file=SOMEFILE option to API server.
The referenced file must contain one or more “certificate authorities” to use to validate client certificates presented to the API server. If a client certificate is presented and verified, the common name of the subject is used as the user name for the request.
Kubernetes provides a certificates.k8s.io API, which lets you provision TLS certificates signed by a Certificate Authority (CA) that you control. These CA and certificates can be used by your workloads to establish trust.
To create a TLS certificate for a Kubernetes service accessed through DNS or for other users, following steps must be performed.
Step 1 – Generate a private key using openssl or CFSSL
Step 2 – Create a Certificate Signing Request(csr) using openssl or CFSSL
Step 3 – Create a Certificate Signing Request object to send to the Kubernetes API using “kind: CertificateSigningRequest”
Step 4 – Approving filename.csr and generating auth key filename.crt
Step 5 – Set kubeconfig file using private key and filename.crt.
You can use “kubectl certificate” commands in Step 4.
kubectl certificate
Using this command, you can Modify certificate resources. such as
- Approve a certificate signing request
- Deny a certificate signing request
Approve a certificate signing request
kubectl certificate approve allows a cluster admin to approve a certificate signing request (CSR). This action tells a certificate signing controller to issue a certificate to the requestor with the attributes requested in the CSR.
$ kubectl certificate approve -f user.csr
Deny a certificate signing request
kubectl certificate deny allows a cluster admin to deny a certificate signing request (CSR). This action tells a certificate signing controller to not to issue a certificate to the requestor
$ kubectl certificate deny -f user.csr
- DevOps Certified Professionals (DCP)
- Site Reliability Engineering Certified Professionals (SRECP)
- Master in DevOps Engineering (MDE)
- DevSecOps Certified Professionals (DSOCP)
URL - https://www.devopsschool.com/certification/
My Linkedin - https://www.linkedin.com/in/rajeshkumarin
- What is Mobile Virtual Network Operator? - April 18, 2024
- What is Solr? - April 17, 2024
- Difference between UBUNTU and UBUNTU PRO - April 17, 2024
