Improve explanation of client cert authn #53408
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -138,38 +138,80 @@ are available; for example using an [authenticating proxy](#authenticating-proxy | |
|
|
||
| ### X.509 client certificates {#x509-client-certificates} | ||
|
|
||
| Any Kubernetes client that presents a valid client certificate signed by the cluster's | ||
| _client trust_ certificate authority (CA) is considered authenticated. In this configuration, Kubernetes determines | ||
| the username from the `commonName` field in the _subject_ of the certificate | ||
| (for example, `commonName=bob` represents a user with username "bob"). | ||
| From there, Kubernetes [authorization](/docs/reference/access-authn-authz/authorization) | ||
| mechanisms determine whether the user is allowed to perform a specific operation on a resource. | ||
|
|
||
| Client certificate authentication is enabled by passing the `--client-ca-file=<SOMEFILE>` | ||
| option to the API server. | ||
| This option configures the cluster's _client trust_ certificate authority. | ||
| The referenced file must contain one or more certificate authorities that | ||
| the API server can use, when it needs to validate client certificates. | ||
| If a client certificate is presented and verified, the common name of the subject is used as | ||
| the user name for the request. Client certificates can also indicate a user's group memberships | ||
| using the certificate's organization fields. To include multiple group memberships for a user, | ||
| include multiple organization fields in the certificate. | ||
|
|
||
| See [Managing Certificates](/docs/tasks/administer-cluster/certificates/) for how to generate a client cert, or read the brief [example](#x509-client-certificates-example) later in this page. | ||
|
|
||
| #### Kubernetes-compatible client certificates {#x509-client-certificates-k8s} | ||
|
|
||
| You can present a valid certificate, issued by a CA in a trust chain that the API server accepts | ||
| for client certificates, and use that to authenticate to Kubernetes. | ||
| The certificate must be valid; the API server checks that based on the X.509 `notBefore` and `notAfter` attributes. | ||
|
|
||
| {{< note >}} | ||
| Kubernetes {{< skew currentVersion >}} does not support certificate _revocation_. | ||
| Any certificate that is issued remains valid until it expires. | ||
| {{< /note >}} | ||
|
|
||
| ##### Username mapping {#x509-client-certificates-k8s-username} | ||
|
|
||
| Kubernetes expects a client certificates with a subject that contains a `commonName` attribute, | ||
| and does not use any other certificate attributes to identity the subject. | ||
| The API server maps the `commonName` (OID `2.5.4.3`) field to the client's username. | ||
|
|
||
| Here is an example to explain what that means. If you have a certificate with the common name | ||
| set to "Ada Lovelace" and the certificate also had a `uid` attribute, (OID `0.9.2342.19200300.100.1.1`) | ||
| with uid set to "aaking1815", Kubernetes considers that the client's username is "Ada Lovelace"; | ||
| Kubernetes ignores the `uid` attribute. | ||
|
|
||
| ##### Group mapping {#x509-client-certificates-k8s-group} | ||
|
|
||
| You can map a user into groups by statically including group information into | ||
| the certificate. For each group that the user is a member of, add the group | ||
| name as an organization (OID `2.5.6.4`) in your certificate's subject. | ||
| To include multiple group memberships for a user, include multiple organizations in the certificate subject | ||
| (the order does not matter). | ||
| For the example user, the distinguished name for a certificate might be | ||
| CN=Ada Lovelace,O=Users,O=Staff,O=Programmers, which would place her into the groups | ||
| "Programmers", "Staff", "system:authenticated", and "Users". | ||
|
|
||
| ##### Node client certificates {#x509-client-certificates-nodes} | ||
|
|
||
| Kubernetes can use the same approach for node identity; nodes are clients of the Kubernetes API server | ||
| (also, although less relevant here, the API server is usually also a client of each node). | ||
| For example: a Node "server-1a-antartica42", with the domain name "server-1a-antartica42.cluster.example", could use a certificate issued to "CN=system:node:server-1a-antartica42,O=system:nodes". The node's username is then "system:node:server-1a-antartica42", and the node is a member of "system:authenticated" and "system:nodes". | ||
|
Comment on lines
+195
to
+197
Member
There was a problem hiding this comment. This is now much better 👍 I wonder if we should mention anywhere that these node identities are typically used by kubelets to be extra explicit.
Member
Author
There was a problem hiding this comment. You want a bigger PR? I have lots more to cover; see #50364 … The perfect is, often, the enemy of the good-enough-to-merge.
Member
There was a problem hiding this comment. What I meant is really just a single sentence but it's not that important, really. |
||
|
|
||
| {{< note >}} | ||
| Machine identities for nodes are not the same as | ||
| {{< glossary_tooltip text="ServiceAccounts" term_id="service-account" >}}. | ||
lmktfy marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| {{< /note >}} | ||
|
|
||
| #### Example {#x509-client-certificates-example} | ||
|
|
||
| You could use the `openssl` command line tool to generate a certificate signing request: | ||
|
|
||
| ```bash | ||
| # This example assumes that you already have a private key alovelace.pem | ||
| openssl req -new -key alovelace.pem -out alovelace-csr.pem -subj "/CN=alovelace/O=app1/O=app2" | ||
| ``` | ||
|
|
||
| This would create a signing request for the username "alovelace", belonging to two groups, "app1" and "app2". You could then have that signing request be signed by your cluster's client trust certificate authority to obtain a certificate you can use for client authentication to your cluster. | ||
|
|
||
| ### Bootstrap tokens | ||
|
|
||
| {{< feature-state for_k8s_version="v1.18" state="stable" >}} | ||
|
|
@@ -206,6 +248,21 @@ Please see [Bootstrap Tokens](/docs/reference/access-authn-authz/bootstrap-token | |
| documentation on the Bootstrap Token authenticator and controllers along with | ||
| how to manage these tokens with `kubeadm`. | ||
|
|
||
| #### Putting a bearer token in a request | ||
|
|
||
| When using bearer token authentication from an http client, the API | ||
| server expects an `Authorization` header with a value of `Bearer | ||
| <token>`. The bearer token must be a character sequence that can be | ||
| put in an HTTP header value using no more than the encoding and | ||
| quoting facilities of HTTP. For example: if the bearer token is | ||
| `31ada4fd-adec-460c-809a-9e56ceb75269` then it would appear in an HTTP | ||
| header as shown below. | ||
|
|
||
| ```http | ||
| Authorization: Bearer 31ada4fd-adec-460c-809a-9e56ceb75269 | ||
| ``` | ||
|
|
||
|
|
||
| ### Service account tokens | ||
|
|
||
| A service account is an automatically enabled authenticator that uses signed | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Didn't you originally also include guide to map user UID? I think we would want all of username/group/uid mapping mentioned.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See line 171?
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think I see it still. Do we both mean the same UID, as in the functionality from https://github.com/kubernetes/kubernetes/blob/aceb89debc2632c5c9956c8b7ef591426a485447/staging/src/k8s.io/apiserver/pkg/authentication/request/x509/x509.go#L306-L332 ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like the feature was not properly documented in #50818 and this piece is now still missing 😐