Basic file authentication

Basic file authentication can use a password file or a token file. The password file lists users and their passwords along with other information such as groups and user IDs. The token file holds tokens instead of passwords.

This method is deprecated in the latest versions of Kubernetes and no longer implemented. This note only describes it theoretically.

A simple password file is a CSV file, as shown below.

password1,user1,user-id-1
password2,user2,user-id-2

A token file looks like this:

token1,user1,user-id-1
token2,user2,user-id-2

We can enable this authentication method in the kube-apiserver.yaml manifest for kube-apiserver. In this case, I was using minikube, so I could find this file on the control node at /etc/kubernetes/manifests/kube-apiserver.yaml.

The password file is passed using the --basic-auth-file flag, as shown below.

spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
      <content-hidden>
    - --basic-auth-file=users.csv

This users.csv must be available inside the kube-apiserver pod. We can achieve this with a volume, as shown below.

spec:
  containers:
    <content-hidden>
    volumeMounts:
      - name: users
        mountPath: users.csv
  volumes:
    - name: users
      hostPath:
        path: /etc/kubernetes/users.csv
        type: File # hostPath takes "type" (not "kind"); File requires the path to already exist on the host

It is assumed that /etc/kubernetes/users.csv exists on the host.

We also need to set up appropriate roles for authorization. We can achieve this using RBAC.
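An audit sketch for the setup above, added here as an example and not part of the original note or of Kubernetes itself: it reports static-credential flags in a kube-apiserver manifest and risky rows in the CSV file. The --token-auth-file flag name, the optional fourth groups column, the 16-character minimum and all function names are assumptions not taken from this page.

```python
import csv
import re

# Flags that make kube-apiserver load static credentials from a CSV file.
# --basic-auth-file is from this page; --token-auth-file is an assumption here.
STATIC_AUTH_FLAGS = ("--basic-auth-file", "--token-auth-file")

def find_static_auth_flags(manifest_text):
    """Return {flag: path} for static-credential flags found in a manifest."""
    found = {}
    for line in manifest_text.splitlines():
        m = re.match(r"\s*-\s*['\"]?(--[a-z-]+)=([^'\"\s]+)", line)
        if m and m.group(1) in STATIC_AUTH_FLAGS:
            found[m.group(1)] = m.group(2)
    return found

def audit_credential_file(csv_text, min_secret_len=16):
    """Return (line_no, user, finding) tuples for risky rows in the CSV."""
    findings, seen = [], set()
    for n, row in enumerate(csv.reader(csv_text.splitlines()), start=1):
        if not row:
            continue  # blank line
        if len(row) < 3:
            findings.append((n, None, "malformed row (need secret,user,uid)"))
            continue
        secret, user = row[0], row[1]
        groups = [g.strip() for g in row[3].split(",")] if len(row) > 3 else []
        if len(secret) < min_secret_len:
            findings.append((n, user, "short secret"))
        if user in seen:
            findings.append((n, user, "duplicate user"))
        seen.add(user)
        if "system:masters" in groups:  # this group bypasses RBAC entirely
            findings.append((n, user, "member of system:masters"))
    return findings

# Constructed sample input, modelled on the snippets in this note.
SAMPLE_MANIFEST = """\
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --basic-auth-file=users.csv
"""
SAMPLE_USERS = 'password1,user1,user-id-1\npassword2,user2,user-id-2,"dev,system:masters"\n'

if __name__ == "__main__":
    print(find_static_auth_flags(SAMPLE_MANIFEST))
    print(audit_credential_file(SAMPLE_USERS))
```

Any hit from find_static_auth_flags means the API server is configured to accept long-lived secrets stored in plaintext on the control-plane host.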

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
 
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: user1 # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role #this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io

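Finally, we can access the Kubernetes cluster using the basic authentication we have set up. The pod-reader Role above only grants access to pods in the default namespace, so the request targets that namespace. Here $KUBE_SERVER holds the API server URL (a shell variable name cannot contain a hyphen).

curl "$KUBE_SERVER/api/v1/namespaces/default/pods" -u "user1:password1"

If we are using a token file, we need to provide the token as a Bearer token in the Authorization header, as follows.

curl "$KUBE_SERVER/api/v1/namespaces/default/pods" -H "Authorization: Bearer token1"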

Note

Please note that this is deprecated and cannot be implemented now. I tried to use the --basic-auth-file flag, but this flag no longer exists.