Kubernetes 101 : Authenticating users
Authentication checks the identity of the cluster users. Different types of authentication modules are available in the form of plugins.

The default way to authenticate is token authentication.

For each service account a token is created and stored in a Secret object.
The Secret is made accessible to the application running inside the pod by mounting it as a volume on the pod.

The application running inside the pod uses that service account and its authentication token to communicate with the Kubernetes cluster.
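To make the token mount above concrete, here is an added example (not code from the original post) that reads the token a pod receives at the standard mount path and inspects the identity it carries. Service account tokens are JWTs; the `sub` claim has the form `system:serviceaccount:<namespace>:<name>`. The helper only decodes the claims, it does not verify the signature (that is the API server's job), and when run outside a pod it falls back to a constructed, unsigned sample token so the code executes offline. The claim values in `SAMPLE_CLAIMS` are constructed for the example.

```python
import base64
import json
import os

# Mount point the kubelet uses for the service account secret inside a pod.
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"

# Constructed sample claims (not taken from a real cluster) for the default
# service account of the "default" namespace.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/service-account.name": "default",
    "sub": "system:serviceaccount:default:default",
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, re-adding the '=' padding JWTs strip off."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the claims (payload) of a compact JWT without checking its signature.

    This is inspection only: the API server is the party that verifies the
    signature before trusting the identity in the token.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def service_account_identity(claims: dict) -> tuple:
    """Split 'system:serviceaccount:<namespace>:<name>' into (namespace, name)."""
    sub = claims.get("sub", "")
    prefix = "system:serviceaccount:"
    if not sub.startswith(prefix):
        raise ValueError(f"subject {sub!r} is not a service account")
    namespace, name = sub[len(prefix):].split(":", 1)
    return namespace, name


def load_mounted_token(sa_dir: str = SA_DIR) -> str:
    """Read the token file the kubelet mounted into the pod."""
    with open(os.path.join(sa_dir, "token"), encoding="utf-8") as fh:
        return fh.read()


def make_unsigned_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT so the example runs outside a pod."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    if os.path.isdir(SA_DIR):
        token = load_mounted_token()
    else:
        token = make_unsigned_sample_token(SAMPLE_CLAIMS)
    ns, name = service_account_identity(decode_jwt_claims(token))
    print(f"this pod authenticates as service account {name!r} in namespace {ns!r}")
```

Inside a real pod the script reports the namespace and service account name the kubelet mounted; if that is not the identity the workload is supposed to have, the pod spec's `serviceAccountName` is the first thing to check.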

Remark:

Service accounts are used by programs, and user accounts are used by "humans" who connect to the Kubernetes cluster and interact with the API server, using the "kubectl" command for example.

Namespaces in Kubernetes are tied to a Kubernetes configuration object called a context.

A context is made up of a username and a cluster name, written as user@cluster, for example:
  • tester@testing_cluster
  • admin@production_cluster
We could use the below command to "tie" a user to a namespace:


We could set the context "context-1" as the default context for the cluster using the below command:


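The two steps above (defining a context that ties a user and cluster to a namespace, then making it the current context) operate on the kubeconfig file that kubectl reads. As an added example, not code from the original post, the following Python mirrors what `kubectl config set-context` and `kubectl config use-context` change in that file, and resolves which user, cluster and namespace a request would be sent with. The kubeconfig content (`SAMPLE_KUBECONFIG`), the context name `context-1` and the namespace `qa` are constructed for the example; the server URL and token value are placeholders.

```python
import copy
import json

# Constructed kubeconfig with one cluster and one user, written as JSON
# (kubectl accepts JSON as well as YAML). Placeholders, not real values.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [
        {"name": "testing_cluster",
         "cluster": {"server": "https://testing-cluster.example.invalid:6443"}}
    ],
    "users": [
        {"name": "tester", "user": {"token": "<placeholder-bearer-token>"}}
    ],
    "contexts": [],
    "current-context": "",
}


def set_context(cfg: dict, name: str, *, cluster: str, user: str,
                namespace: str = None) -> dict:
    """Mirror of `kubectl config set-context NAME --cluster=... --user=... --namespace=...`.

    Creates the context entry or updates the fields given; the user and
    cluster must already be defined in the file.
    """
    known_clusters = {c["name"] for c in cfg.get("clusters", [])}
    known_users = {u["name"] for u in cfg.get("users", [])}
    if cluster not in known_clusters:
        raise KeyError(f"cluster {cluster!r} is not defined in the kubeconfig")
    if user not in known_users:
        raise KeyError(f"user {user!r} is not defined in the kubeconfig")

    entry = {"cluster": cluster, "user": user}
    if namespace:
        entry["namespace"] = namespace
    for ctx in cfg.setdefault("contexts", []):
        if ctx["name"] == name:
            ctx["context"].update(entry)
            break
    else:
        cfg["contexts"].append({"name": name, "context": entry})
    return cfg


def use_context(cfg: dict, name: str) -> dict:
    """Mirror of `kubectl config use-context NAME`: set the default context."""
    if not any(c["name"] == name for c in cfg.get("contexts", [])):
        raise KeyError(f"context {name!r} is not defined")
    cfg["current-context"] = name
    return cfg


def resolve_current(cfg: dict) -> tuple:
    """Return (user, cluster, namespace) kubectl would use for the current context.

    A context without an explicit namespace falls back to "default".
    """
    name = cfg.get("current-context")
    for ctx in cfg.get("contexts", []):
        if ctx["name"] == name:
            c = ctx["context"]
            return c["user"], c["cluster"], c.get("namespace", "default")
    raise KeyError(f"current context {name!r} is not defined")


def build_example() -> dict:
    """Apply both steps to a copy of the sample config and return the result."""
    cfg = copy.deepcopy(SAMPLE_KUBECONFIG)
    set_context(cfg, "context-1", cluster="testing_cluster", user="tester", namespace="qa")
    use_context(cfg, "context-1")
    return cfg


if __name__ == "__main__":
    cfg = build_example()
    print(json.dumps(cfg, indent=2))
    print("requests go out as", resolve_current(cfg))
```

The point worth remembering from the resolver is the last line of `resolve_current`: a context that names no namespace silently targets `default`, which is a common cause of resources landing in the wrong namespace.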
When a program sends a request through the default service account, the service account's token is checked by the API server.

Some examples of user account authentication plugins include client certificates, bearer tokens, and so on.

Remark:

We could "stack" several authentication plugins and use them all as authentication methods.
