Kubernetes 101: Basic authentication methods - Password file, Bearer token file



Kubernetes supports some basic authentication methods for authenticating to the cluster through the API-server.

We have users such as administrators and developers, and service accounts (services or applications that need to access the Kubernetes cluster).
For user accounts, Kubernetes usually relies on external services to authenticate them: certificates, LDAP, ...

User access is handled by the API-server, which authenticates the requests.

We could use a regular password file whose entries consist of the following elements: password, user, id, group.

The file is passed as a parameter to the API-server:

--basic-auth-file=user-password-file

In case we are using the API-server as a service, we will use the below parameters in the service file:


If our API-server is deployed as a pod, we use the same parameter in the pod's YAML file, located at "/etc/kubernetes/manifests/kube-apiserver.yaml".


If we are using tokens instead of passwords, we do the same, but the token file has the following format: token, user, user_id, group.

We pass the below parameter to the API-server service or pod:

--token-auth-file=auth-file

These authentication files for tokens and passwords are passed on to the pod as mounted volumes.
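Because a static token file stores credentials in clear text, it is worth auditing before it is mounted into the API-server pod. The Python sketch below is an added example, not code from the original post: it parses the token, user, user_id, group format described above and flags malformed rows, short or reused tokens, and members of `system:masters`. The function name, the 32-character threshold and the sample rows are assumptions made for the example, and it covers only the token file because `--basic-auth-file` was removed in Kubernetes 1.19.

```python
import csv
import io

MIN_TOKEN_LEN = 32                       # assumed threshold for this example
PRIVILEGED_GROUPS = {"system:masters"}   # built-in group bound to cluster-admin

# Constructed sample in the page's format: token, user, user_id, group
SAMPLE = '''\
9f2c4e7a1b3d5f60718293a4b5c6d7e8,alice,1001,"dev,qa"
changeme,bob,1002,dev
9f2c4e7a1b3d5f60718293a4b5c6d7e8,carol,1003,"system:masters"
onlytwo,columns
'''


def audit_token_file(text):
    """Return (line_number, finding) tuples for a static token file."""
    findings = []
    seen = {}  # token -> first line it appeared on
    reader = csv.reader(io.StringIO(text))
    for row in reader:
        line = reader.line_num
        if not any(col.strip() for col in row):
            continue  # skip blank lines
        if len(row) < 3:
            findings.append((line, "needs at least token,user,user_id"))
            continue
        token, user = row[0].strip(), row[1].strip()
        # The optional 4th column holds one or more comma-separated groups.
        groups = {g.strip() for g in row[3].split(",")} if len(row) > 3 else set()
        if len(token) < MIN_TOKEN_LEN:
            findings.append((line, f"short token for user {user}"))
        if token in seen:
            findings.append((line, f"token already used on line {seen[token]}"))
        else:
            seen[token] = line
        for group in sorted(groups & PRIVILEGED_GROUPS):
            findings.append((line, f"user {user} is in {group}"))
    return findings


if __name__ == "__main__":
    for line, finding in audit_token_file(SAMPLE):
        print(f"line {line}: {finding}")
```

The API-server reads the token file only at startup, so fixing a flagged entry takes effect after the API-server is restarted.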
