Kubernetes simple authentication
I am using Kubernetes on a CoreOS cluster hosted on DigitalOcean, and I used this repo to set it up. I started the apiserver with the following line:

    /opt/bin/kube-apiserver --runtime-config=api/v1 --allow-privileged=true \
     --insecure-bind-address=0.0.0.0 --insecure-port=8080 \
     --secure-port=6443 --etcd-servers=http://127.0.0.1:2379 \
     --logtostderr=true --advertise-address=${COREOS_PRIVATE_IPV4} \
     --service-cluster-ip-range=10.100.0.0/16 --bind-address=0.0.0.0

The problem is that it accepts requests from anyone! I want to be able to provide a simple user/password authentication. I have been reading this and this and it seems that I have to do something like the below, but I cannot afford to take the cluster down for a long period of time, so I need you guys to help with this one. Btw, my pods do not create other pods, so I only need a few users, like 1/2 for devs and 1 for CI.

I am thinking of doing something like including the authorization-mode and authorization-policy-file flags, as they seem required, and making the insecure-bind-address localhost to make it only available locally. Am I missing something?

    /opt/bin/kube-apiserver --runtime-config=api/v1 --allow-privileged=true \
     --authorization-mode=ABAC --authorization-policy-file=/access.json \
     --insecure-bind-address=127.0.0.1 --insecure-port=8080 \
     --secure-port=6443 --etcd-servers=http://127.0.0.1:2379 \
     --logtostderr=true --advertise-address=${COREOS_PRIVATE_IPV4} \
     --service-cluster-ip-range=10.100.0.0/16 --bind-address=0.0.0.0

/access.json:

    {"user":"admin"}
    {"user":"wercker"}
    {"user":"dev1"}
    {"user":"dev2"}

But where are the passwords? How do I actually make the request with kubectl and curl or httpie?

Hedelman answered 11/3, 2016 at 14:0 Comment(0)

If you want your users to authenticate using HTTP Basic Auth (user:password), you can add:

    --basic-auth-file=/basic_auth.csv

to your kube-apiserver command line, where each line of the file should be password, user-name, user-id. E.g.:

    @dm1nP@ss,admin,admin
    w3rck3rP@ss,wercker,wercker
    etc...

If you'd rather use access tokens (HTTP Authentication: Bearer), you can specify:

    --token-auth-file=/known-tokens.csv

where each line should be token,user-name,user-id[,optional groups]. E.g.:

    @dm1nT0k3n,admin,admin,adminGroup,devGroup
    w3rck3rT0k3n,wercker,wercker,devGroup
    etc...

For more info, check out the Authentication docs. Also check out example_policy_file.jsonl for an example ABAC file.

Crisper answered 11/3, 2016 at 18:15 Comment(6)
I got it working man! Thanks. Last question; I got it working with something like kubectl -s="https://SERVER:6443" --username="admin" --password="PASSWORD" get pods -o wide but I was expecting to have access to the API with curl --header "Authorization: (admin:PASSWORD)" --insecure http://SERVER:6443/api with the (admin:PASSWORD) string encoded in base64 UTF-8 – Hedelman
Glad it works! You'll probably also need "Basic" in the Authorization header: --header "Authorization: Basic base64(admin:PASSWORD)". – Crisper
curl does it better: curl -u admin:PASSWORD -i -H 'Accept:application/json' --insecure https://SERVER:6443/api Can you take a look at this? https://mcmap.net/q/1635166/-can-kubectl-remember-me – Hedelman
CJ Cullen, you may consider adding this piece of the doc to your answer: "tokens are just long alphanumeric strings, e.g. 32 chars. See TOKEN=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)" – Hedelman
Even a more basic question. Add "--basic-auth-file=/basic_auth.csv" to what command? Newbie question. – Geldens
Basic auth is deprecated in > 1.19 according to the release notes. – Engram
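To make the two file formats from the answer and the "Basic" prefix issue from the comments concrete, here is an added example (not code from the original thread or from Kubernetes) that loads a basic-auth CSV and a token CSV in the layouts the answer gives and resolves an Authorization header to a user, user-id and groups the way those static-file authenticators do. The file contents are constructed sample data; a header without the "Basic " or "Bearer " scheme is rejected, which is exactly what the first comment ran into.

```python
import base64
import csv
import hmac
import io
from typing import List, Optional, Tuple

# Constructed sample files in the layout the answer describes (not the
# question's real files): password,user-name,user-id and
# token,user-name,user-id[,groups...].
BASIC_AUTH_CSV = "@dm1nP@ss,admin,admin\nw3rck3rP@ss,wercker,wercker\n"
TOKEN_AUTH_CSV = ("@dm1nT0k3n,admin,admin,adminGroup,devGroup\n"
                  "w3rck3rT0k3n,wercker,wercker,devGroup\n")

Identity = Tuple[str, str, List[str]]  # (user-name, user-id, groups)


def load_basic_auth(text: str) -> dict:
    """Map user-name -> (password, user-id); skip blank or short rows."""
    return {row[1]: (row[0], row[2])
            for row in csv.reader(io.StringIO(text)) if len(row) >= 3}


def load_token_auth(text: str) -> dict:
    """Map token -> (user-name, user-id, groups); groups are optional."""
    return {row[0]: (row[1], row[2], row[3:])
            for row in csv.reader(io.StringIO(text)) if len(row) >= 3}


def basic_header(user: str, password: str) -> str:
    """Build the header value curl -u sends: 'Basic' + base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(header: Optional[str], users: dict, tokens: dict) -> Optional[Identity]:
    """Resolve an Authorization header value to an identity, or None if rejected."""
    scheme, _, value = (header or "").partition(" ")
    if scheme == "Basic":
        try:
            user, _, password = base64.b64decode(value, validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None  # not valid base64, or not UTF-8 after decoding
        entry = users.get(user)
        if entry and hmac.compare_digest(entry[0].encode(), password.encode()):
            return (user, entry[1], [])  # basic-auth rows carry no groups here
        return None
    if scheme == "Bearer":
        return tokens.get(value)  # None for an unknown token
    return None  # bare "(admin:PASSWORD)" or any other scheme is rejected


USERS = load_basic_auth(BASIC_AUTH_CSV)
TOKENS = load_token_auth(TOKEN_AUTH_CSV)
```

Both files hold plaintext secrets, so on a real apiserver host they need the same file permissions you would give a private key.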
