Improve explanation of client cert authn #53408
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
✅ Pull request preview available for checking. Built without sensitive environment variables.
To edit notification comments on pull requests, go to your Netlify project configuration.
/assign @stlaz
2ad6db0 to 19e3d64
@aman4433 my feedback on your feedback is based on our reviewing checklist. I do appreciate it, but I also plan to skip a couple of the points you made.
All good, @lmktfy! I get your point. Appreciate the feedback, and no problem skipping those bits.
19e3d64 to 052fb8a
| with uid set to "aaking1815", Kubernetes considers that the client's username is "Ada Lovelace"; | ||
| Kubernetes ignores the `uid` attribute. | ||
| ##### Group mapping {#x509-client-certificates-k8s-group} |
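Review bot: the row stating that Kubernetes ignores the `uid` attribute sits awkwardly next to the UID mapping this thread points at (the apiserver x509 authenticator code linked below, the feature left undocumented in #50818); make the statement precise about which `uid` is ignored (the Subject attribute in the "aaking1815" example) and give the supported UID mapping its own subsection next to the username and group mapping ones, so all three of username, group and UID are covered in one place.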
Didn't you originally also include guide to map user UID? I think we would want all of username/group/uid mapping mentioned.
See line 171?
I don't think I see it still. Do we both mean the same UID, as in the functionality from https://github.com/kubernetes/kubernetes/blob/aceb89debc2632c5c9956c8b7ef591426a485447/staging/src/k8s.io/apiserver/pkg/authentication/request/x509/x509.go#L306-L332 ?
Looks like the feature was not properly documented in #50818 and this piece is now still missing 😐
| Kubernetes can use the same approach for node identity; nodes are clients of the Kubernetes API server | ||
| (also, although less relevant here, the API server is usually also a client of each node). | ||
| For example: a Node "server-1a-antartica42", with the domain name "server-1a-antartica42.cluster.example", could use a certificate issued to "CN=system:node:server-1a-antartica42,O=system:nodes". The node's username is then "system:node:server-1a-antartica42", and the node is a member of "system:authenticated" and "system:nodes". |
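Review bot: "antartica42" in both the node name and the domain name on this line looks like a misspelling of "antarctica42"; fix it in all three places (the node name, the DNS name and the CN) so the example stays consistent. While editing, consider saying explicitly which certificate field each part of the identity comes from, i.e. that the username "system:node:server-1a-antartica42" is taken from the CN and the "system:nodes" group from O, with "system:authenticated" added for every authenticated client, so a reader can trace the result back to the username and group mapping subsections above.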
This is now much better 👍
I wonder if we should mention anywhere that these node identities are typically used by kubelets to be extra explicit.
You want a bigger PR? I have lots more to cover; see #50364 …
The perfect is, often, the enemy of the good-enough-to-merge.
What I meant is really just a single sentence but it's not that important, really.
The commit makes a minimal number of less related changes, to ensure that the page still makes sense. Co-authored-by: Standa Láznička <[email protected]>
e2dfd69 to f70ac87
I'll try to combine this with the best of #51487 …but not yet. Marking this as draft until v1.35 has shipped.
Add more text to explain how clients can authenticate to the Kubernetes API by presenting a peer certificate.
Also uses Ada Lovelace as the example user, rather than @jbeda. Countess Lovelace is no longer a data subject and so privacy legislation definitely won't apply.
See the preview vs original
Split out of PR #50364
/sig auth
/language en