Authentication in Kubernetes
What is Authentication?
Authentication in Kubernetes is the process of verifying the identity of a user, service account, or component attempting to interact with the Kubernetes API server. It answers the question: "Who are you?" before allowing any actions within the cluster.
Types of Authentication Methods in Kubernetes
Kubernetes supports several authentication methods, each suitable for different use cases:
1. X.509 Client Certificates
Required knowledge for the CKS certification.
- Used for user authentication and Kubelet authentication.
- Certificates are generated by a Certificate Authority (CA) and signed by the Kubernetes API server.
# Generate a private key
openssl genrsa -out user.key 2048
# Generate a CSR (Certificate Signing Request)
openssl req -new -key user.key -out user.csr -subj "/CN=example-user"
# Sign the certificate with Kubernetes CA
openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out user.crt -days 365
2. Static Token File Authentication
- Uses a pre-generated token stored in a CSV file on the API server.
- Suitable for development environments but not recommended for production.
# Example tokens.csv format
token1234,example-user,uid1234,"system:masters"
- Configure the API server to use the token file:
kube-apiserver --token-auth-file=tokens.csv
3. Bootstrap Tokens
Required knowledge for the CKS certification.
- Used primarily by kubeadm during cluster bootstrapping.
- Tokens are stored as Secrets in the kube-system namespace.
# Create a new bootstrap token
kubeadm token create --print-join-command
4. Service Account Tokens
Required knowledge for the CKS certification.
- Service Accounts are used by Pods to authenticate with the API server.
- A JWT token is automatically created and mounted inside the Pod.
# Example: Using a Service Account in a Pod
apiVersion: v1
kind: ServiceAccount
metadata:
name: example-sa
---
apiVersion: v1
kind: Pod
metadata:
name: example-pod
spec:
serviceAccountName: example-sa
containers:
- name: example-container
image: nginx
5. OpenID Connect (OIDC) Authentication
- Integrates with external identity providers (e.g., Google, Okta, Azure AD).
- Ideal for enterprise environments using SSO (Single Sign-On).
# API server configuration for OIDC
kube-apiserver \
--oidc-issuer-url=https://accounts.google.com \
--oidc-client-id=k8s-app \
--oidc-username-claim=email \
--oidc-groups-claim=groups
6. Webhook Token Authentication
Required knowledge for the CKS certification.
- Delegates authentication decisions to an external API.
- Useful for custom authentication scenarios.
# Example webhook configuration
apiVersion: v1
kind: Config
clusters:
- name: webhook
cluster:
server: https://auth.example.com/authenticate
users:
- name: webhook
contexts:
- name: webhook
context:
cluster: webhook
user: webhook
current-context: webhook
Best Practices for Authentication
-
Use Strong Authentication Methods:
Prefer OIDC or Client Certificates over static tokens. -
Service Account Management:
- Avoid using the default service account.
- Create namespace-specific service accounts with least privilege.
- Avoid using the default service account.
-
Rotate and Revoke Credentials:
- Regularly rotate certificates and tokens.
- Revoke access tokens when users leave or roles change.
- Regularly rotate certificates and tokens.
-
Secure API Server Authentication Mechanisms:
- Disable anonymous authentication (
--anonymous-auth=false). - Enable webhook authentication for external identity validation.
- Disable anonymous authentication (
# Example: Securing the API server
kube-apiserver --anonymous-auth=false --client-ca-file=/etc/kubernetes/pki/ca.crt
Conclusion: Authentication as the First Line of Defense
Authentication is the first step in securing Kubernetes clusters. Properly managing authentication methods helps to ensure that only authorized users and services interact with cluster resources, providing a strong foundation for further authorization and security policies.