
Wednesday, May 24, 2023

Kubernetes RBAC Authentication strategies

K8s requires that every call a user makes to the API server is authenticated. For successful authentication, K8s offers the following authentication methods:

1. X.509 client certificate = Uses an X.509 client certificate (typically generated with OpenSSL) to authenticate
2. Basic authentication = Uses a username and password to authenticate
3. Bearer tokens = Uses OpenID Connect (a layer built on OAuth2) or webhooks as a way to authenticate

Steps for deploying X.509 client certificate based authentication:

  1. Log into the Kubernetes control plane node and create a temporary directory that will hold the generated keys. Navigate into the directory:

    $ mkdir cert && cd cert
  2. Create a private key using the openssl executable. Provide an expressive file name, such as <username>.key:

    $ openssl genrsa -out johndoe.key 2048
    Generating RSA private key, 2048 bit long modulus
    ..............................+
    ..+
    e is 65537 (0x10001)
    $ ls
    johndoe.key
  3. Create a certificate signing request (CSR) in a file with the extension .csr. You need to provide the private key from the previous step. The -subj option provides the username (CN) and the group (O). The following command uses the username johndoe and the group named user-group. To avoid assigning the user to a group, leave off the /O component of the subject:

    $ openssl req -new -key johndoe.key -out johndoe.csr -subj \
      "/CN=johndoe/O=user-group"
    $ ls
    johndoe.csr johndoe.key
  4. Lastly, sign the CSR with the Kubernetes cluster certificate authority (CA). The CA can usually be found in the directory /etc/kubernetes/pki, which must contain the files ca.crt and ca.key. We are going to use minikube here, which stores those files in the directory ~/.minikube. The following command signs the CSR and makes it valid for 364 days:

    $ openssl x509 -req -in johndoe.csr -CA ~/.minikube/ca.crt -CAkey \
      ~/.minikube/ca.key -CAcreateserial -out johndoe.crt -days 364
    Signature ok
    subject=/CN=johndoe/O=user-group
    Getting CA Private Key

  5. Create the user in Kubernetes by setting a user entry in kubeconfig for johndoe. Point to the CRT and key file. Set a context entry in kubeconfig for johndoe:

    $ kubectl config set-credentials johndoe \
      --client-certificate=johndoe.crt --client-key=johndoe.key
    User "johndoe" set.
    $ kubectl config set-context johndoe-context --cluster=minikube \
      --user=johndoe
    Context "johndoe-context" modified.
  6. To switch to the user, use the context named johndoe-context. You can check the current context using the command kubectl config current-context:

    $ kubectl config use-context johndoe-context
    Switched to context "johndoe-context".
    $ kubectl config current-context
    johndoe-context
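As an added example that is not part of the original post, the following POSIX shell script runs steps 2 through 4 end to end and then verifies, before any kubeconfig entry is written, that the certificate chains to the CA, is not expired, and carries exactly the CN (user) and O (group) the API server will map to RBAC subjects. It assumes no minikube CA is at hand, so it constructs a throwaway CA in a scratch directory in place of ~/.minikube/ca.crt and ca.key; on a real cluster, point CA_DIR at the cluster CA and drop make_scratch_ca.

```shell
#!/bin/sh
# Added example, not the original post's code. Reproduces key -> CSR -> CA-signed
# certificate in a scratch directory, then checks what Kubernetes will see.
set -eu

WORK_DIR="$(mktemp -d)"
CA_DIR="$WORK_DIR"   # assumption: stand-in for ~/.minikube (or /etc/kubernetes/pki)

# Constructed stand-in for the cluster CA; never regenerate a real cluster's CA.
make_scratch_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$CA_DIR/ca.key" \
        -out "$CA_DIR/ca.crt" -days 1 -subj "/CN=scratch-ca" 2>/dev/null
}

# Steps 2-4 of the post: private key, CSR with CN=user and O=group, CA-signed cert.
issue_user_cert() {
    user="$1"; group="$2"; days="$3"
    openssl genrsa -out "$WORK_DIR/$user.key" 2048 2>/dev/null
    openssl req -new -key "$WORK_DIR/$user.key" -out "$WORK_DIR/$user.csr" \
        -subj "/CN=$user/O=$group" 2>/dev/null
    openssl x509 -req -in "$WORK_DIR/$user.csr" -CA "$CA_DIR/ca.crt" \
        -CAkey "$CA_DIR/ca.key" -CAcreateserial -out "$WORK_DIR/$user.crt" \
        -days "$days" 2>/dev/null
}

# Print one subject attribute (CN or O); sep_multiline gives one "NAME=value"
# line per component, which parses the same across OpenSSL versions.
subject_attr() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n "s/^ *$2=//p"
}

# The API server rejects a cert that does not chain to its CA or has expired,
# so verify both here rather than discovering it as "Unauthorized" later.
cert_is_valid() {
    openssl verify -CAfile "$CA_DIR/ca.crt" "$1" >/dev/null 2>&1 \
        && openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

make_scratch_ca
issue_user_cert johndoe user-group 364
echo "user (CN): $(subject_attr "$WORK_DIR/johndoe.crt" CN)"
echo "group (O): $(subject_attr "$WORK_DIR/johndoe.crt" O)"
cert_is_valid "$WORK_DIR/johndoe.crt" && echo "certificate chains to the CA and is current"
```

Because the subject is the only identity the API server learns from the certificate, a typo in -subj silently produces a different RBAC subject; checking CN and O from the signed file catches that before the kubeconfig is handed out.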
