
Wednesday, May 24, 2023

Kubernetes RBAC Authentication strategies

K8s requires that every call a user makes to the API server be authenticated. For this, K8s offers the following authentication methods:

1. X.509 client certificate = Uses an X.509 client certificate (generated with OpenSSL, for example) to authenticate
2. Basic authentication = Uses a username and password to authenticate
3. Bearer tokens = Uses OpenID Connect (built on OAuth 2.0) or webhooks as a way to authenticate


Steps for deploying X.509 client certificate based authentication:

  1. Log into the Kubernetes control plane node and create a temporary directory that will hold the generated keys. Navigate into the directory:

    $ mkdir cert && cd cert
  2. Create a private key using the openssl executable. Provide a descriptive file name, such as <username>.key:

    $ openssl genrsa -out johndoe.key 2048
    Generating RSA private key, 2048 bit long modulus
    ..............................+
    ..+
    e is 65537 (0x10001)
    $ ls
    johndoe.key
  3. Create a certificate signing request (CSR) in a file with the extension .csr. You need to provide the private key from the previous step. The -subj option provides the username (CN) and the group (O). The following command uses the username johndoe and the group named user-group. To avoid assigning the user to a group, leave off the /O component of the subject:

    $ openssl req -new -key johndoe.key -out johndoe.csr -subj \
      "/CN=johndoe/O=user-group"
    $ ls
    johndoe.csr johndoe.key
  4. Lastly, sign the CSR with the Kubernetes cluster certificate authority (CA). The CA can usually be found in the directory /etc/kubernetes/pki and needs to contain the files ca.crt and ca.key. We are going to use minikube here, which stores those files in the directory ~/.minikube. The following command signs the CSR and makes it valid for 364 days:

    $ openssl x509 -req -in johndoe.csr -CA ~/.minikube/ca.crt -CAkey \
      ~/.minikube/ca.key -CAcreateserial -out johndoe.crt -days 364
    Signature ok
    subject=/CN=johndoe/O=user-group
    Getting CA Private Key
    
  5. Create the user in Kubernetes by setting a user entry in kubeconfig for johndoe. Point to the CRT and key file. Set a context entry in kubeconfig for johndoe:

    $ kubectl config set-credentials johndoe \
      --client-certificate=johndoe.crt --client-key=johndoe.key
    User "johndoe" set.
    $ kubectl config set-context johndoe-context --cluster=minikube \
      --user=johndoe
    Context "johndoe-context" modified.
  6. To switch to the user, use the context named johndoe-context. You can check the current context using the command kubectl config current-context:

    $ kubectl config use-context johndoe-context
    Switched to context "johndoe-context".
    $ kubectl config current-context
    johndoe-context
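The procedure above, as an added example that is not part of the original post: Go code (standard library only) that mirrors steps 2 to 4 and then checks the issued certificate the way kube-apiserver does when it authenticates a client, verifying the chain to the cluster CA and mapping CN to the username and O to the groups. The CA is a constructed stand-in for minikube's ca.crt/ca.key; the names johndoe, user-group and the 364-day validity come from the post.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCA builds a throwaway CA that stands in for the cluster's ca.crt/ca.key (constructed for this example).
func newCA(name string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueClientCert mirrors steps 2-4: a new user key, a CSR with CN=user and O=groups, signed by the CA for `days` days.
func issueClientCert(ca *x509.Certificate, caKey *rsa.PrivateKey, user string, groups []string, days int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	// Step 3: the CSR carries only the public key plus CN (username) and O (group); the private key stays with the user.
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: user, Organization: groups}}, key)
	if err != nil { return nil, err }
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	// Step 4: the CA signs the CSR; second precision keeps NotAfter-NotBefore at exactly days*24h after encoding.
	now := time.Now().UTC().Truncate(time.Second)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: csr.Subject, NotBefore: now, NotAfter: now.AddDate(0, 0, days),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// authenticate mirrors kube-apiserver's x509 authenticator: the chain must end at the cluster CA and the
// certificate must be a client certificate; then CN becomes the username and each O becomes a group.
func authenticate(ca, cert *x509.Certificate) (user string, groups []string, err error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err = cert.Verify(opts); err != nil { return "", nil, err }
	return cert.Subject.CommonName, cert.Subject.Organization, nil
}
```

A certificate signed by any CA other than the cluster's is rejected in authenticate before the subject is ever read, which is why protecting ca.key matters more than protecting any single user key.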