k3s/docs/admin/authentication.md

<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->

<!-- BEGIN STRIP_FOR_RELEASE -->

<img src="http://kubernetes.io/img/warning.png" alt="WARNING"
     width="25" height="25">
<img src="http://kubernetes.io/img/warning.png" alt="WARNING"
     width="25" height="25">
<img src="http://kubernetes.io/img/warning.png" alt="WARNING"
     width="25" height="25">
<img src="http://kubernetes.io/img/warning.png" alt="WARNING"
     width="25" height="25">
<img src="http://kubernetes.io/img/warning.png" alt="WARNING"
     width="25" height="25">

<h2>PLEASE NOTE: This document applies to the HEAD of the source tree</h2>

If you are using a released version of Kubernetes, you should
refer to the docs that go with that version.

<strong>
The latest 1.0.x release of this document can be found
[here](http://releases.k8s.io/release-1.0/docs/admin/authentication.md).

Documentation for other releases can be found at
[releases.k8s.io](http://releases.k8s.io).
</strong>
--

<!-- END STRIP_FOR_RELEASE -->

<!-- END MUNGE: UNVERSIONED_WARNING -->

# Authentication Plugins

Kubernetes uses client certificates, tokens, or http basic auth to authenticate users for API calls.

**Client certificate authentication** is enabled by passing the `--client_ca_file=SOMEFILE`
option to apiserver. The referenced file must contain one or more certificates authorities
to use to validate client certificates presented to the apiserver. If a client certificate
is presented and verified, the common name of the subject is used as the user name for the
request.

**Token authentication** is enabled by passing the `--token_auth_file=SOMEFILE` option
to apiserver.  Currently, tokens last indefinitely, and the token list cannot
be changed without restarting apiserver.  We plan in the future for tokens to
be short-lived, and to be generated as needed rather than stored in a file.

The token file format is implemented in `plugin/pkg/auth/authenticator/token/tokenfile/...`
and is a csv file with 3 columns: token, user name, user uid.

When using token authentication from an http client the apiserver expects an `Authorization`
header with a value of `Bearer SOMETOKEN`.

**Basic authentication** is enabled by passing the `--basic_auth_file=SOMEFILE`
option to apiserver. Currently, the basic auth credentials last indefinitely,
and the password cannot be changed without restarting apiserver. Note that basic
authentication is currently supported for convenience while we finish making the
more secure modes described above easier to use.

The basic auth file format is implemented in `plugin/pkg/auth/authenticator/password/passwordfile/...`
and is a csv file with 3 columns: password, user name, user id.

When using basic authentication from an http client, the apiserver expects an `Authorization` header
with a value of `Basic BASE64ENCODEDUSER:PASSWORD`.

## Plugin Development

We plan for the Kubernetes API server to issue tokens
after the user has been (re)authenticated by a *bedrock* authentication
provider external to Kubernetes.  We plan to make it easy to develop modules
that interface between Kubernetes and a bedrock authentication provider (e.g.
github.com, google.com, enterprise directory, kerberos, etc.)


<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/authentication.md?pixel)]()
<!-- END MUNGE: GENERATED_ANALYTICS -->
Run gendocs and munges 2015-07-12 04:04:52 +00:00			`<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->`

			`<!-- BEGIN STRIP_FOR_RELEASE -->`

Better scary message 2015-07-16 17:02:26 +00:00			`<img src="http://kubernetes.io/img/warning.png" alt="WARNING"`
			`width="25" height="25">`
			`<img src="http://kubernetes.io/img/warning.png" alt="WARNING"`
			`width="25" height="25">`
			`<img src="http://kubernetes.io/img/warning.png" alt="WARNING"`
			`width="25" height="25">`
			`<img src="http://kubernetes.io/img/warning.png" alt="WARNING"`
			`width="25" height="25">`
			`<img src="http://kubernetes.io/img/warning.png" alt="WARNING"`
			`width="25" height="25">`

			`<h2>PLEASE NOTE: This document applies to the HEAD of the source tree</h2>`

			`If you are using a released version of Kubernetes, you should`
			`refer to the docs that go with that version.`

			`<strong>`
			`The latest 1.0.x release of this document can be found`
			`[here](http://releases.k8s.io/release-1.0/docs/admin/authentication.md).`

			`Documentation for other releases can be found at`
			`[releases.k8s.io](http://releases.k8s.io).`
			`</strong>`
			`--`
Run gendocs 2015-07-13 22:15:35 +00:00
Run gendocs and munges 2015-07-12 04:04:52 +00:00			`<!-- END STRIP_FOR_RELEASE -->`

			`<!-- END MUNGE: UNVERSIONED_WARNING -->`
Run gendocs 2015-07-17 22:35:41 +00:00
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it. 2014-10-06 23:11:04 +00:00			`# Authentication Plugins`

Add support for HTTP basic auth to the kube-apiserver. 2015-04-06 23:34:42 +00:00			`Kubernetes uses client certificates, tokens, or http basic auth to authenticate users for API calls.`
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it. 2014-10-06 23:11:04 +00:00
Various minor edits/clarifications to docs/admin/ docs. Deleted docs/admin/namespaces.md as it was content-free and the topic is already covered well in docs/user-guide/namespaces.md 2015-07-17 17:12:08 +00:00			Client certificate authentication is enabled by passing the `--client_ca_file=SOMEFILE`
Add client cert authentication 2015-03-30 21:24:22 +00:00			`option to apiserver. The referenced file must contain one or more certificates authorities`
			`to use to validate client certificates presented to the apiserver. If a client certificate`
			`is presented and verified, the common name of the subject is used as the user name for the`
			`request.`

Various minor edits/clarifications to docs/admin/ docs. Deleted docs/admin/namespaces.md as it was content-free and the topic is already covered well in docs/user-guide/namespaces.md 2015-07-17 17:12:08 +00:00			Token authentication is enabled by passing the `--token_auth_file=SOMEFILE` option
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it. 2014-10-06 23:11:04 +00:00			`to apiserver. Currently, tokens last indefinitely, and the token list cannot`
			`be changed without restarting apiserver. We plan in the future for tokens to`
			`be short-lived, and to be generated as needed rather than stored in a file.`

Doc fixes 2015-01-10 22:24:20 +00:00			The token file format is implemented in `plugin/pkg/auth/authenticator/token/tokenfile/...`
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it. 2014-10-06 23:11:04 +00:00			`and is a csv file with 3 columns: token, user name, user uid.`

Added client header info for authentication doc. 2015-05-06 13:07:06 +00:00			When using token authentication from an http client the apiserver expects an `Authorization`
			header with a value of `Bearer SOMETOKEN`.

Various minor edits/clarifications to docs/admin/ docs. Deleted docs/admin/namespaces.md as it was content-free and the topic is already covered well in docs/user-guide/namespaces.md 2015-07-17 17:12:08 +00:00			Basic authentication is enabled by passing the `--basic_auth_file=SOMEFILE`
Add support for HTTP basic auth to the kube-apiserver. 2015-04-06 23:34:42 +00:00			`option to apiserver. Currently, the basic auth credentials last indefinitely,`
			`and the password cannot be changed without restarting apiserver. Note that basic`
			`authentication is currently supported for convenience while we finish making the`
			`more secure modes described above easier to use.`

			The basic auth file format is implemented in `plugin/pkg/auth/authenticator/password/passwordfile/...`
			`and is a csv file with 3 columns: password, user name, user id.`

Various minor edits/clarifications to docs/admin/ docs. Deleted docs/admin/namespaces.md as it was content-free and the topic is already covered well in docs/user-guide/namespaces.md 2015-07-17 17:12:08 +00:00			When using basic authentication from an http client, the apiserver expects an `Authorization` header
Added client header info for authentication doc. 2015-05-06 13:07:06 +00:00			with a value of `Basic BASE64ENCODEDUSER:PASSWORD`.
Add support for HTTP basic auth to the kube-apiserver. 2015-04-06 23:34:42 +00:00
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it. 2014-10-06 23:11:04 +00:00			`## Plugin Development`

			`We plan for the Kubernetes API server to issue tokens`
			`after the user has been (re)authenticated by a bedrock authentication`
			`provider external to Kubernetes. We plan to make it easy to develop modules`
Fix capitalization of Kubernetes in the documentation. 2015-07-20 20:45:36 +00:00			`that interface between Kubernetes and a bedrock authentication provider (e.g.`
Doc fixes 2015-01-10 22:24:20 +00:00			`github.com, google.com, enterprise directory, kerberos, etc.)`
Add ga-beacon analytics to gendocs scripts hack/run-gendocs.sh puts ga-beacon analytics link into all md files, hack/verify-gendocs.sh verifies presence of link. 2015-05-14 22:12:45 +00:00

Apply mungedocs changes 2015-07-14 00:13:09 +00:00			`<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->`
standardize on - instead of _ in file names 2015-07-10 19:39:25 +00:00			`[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/authentication.md?pixel)]()`
Apply mungedocs changes 2015-07-14 00:13:09 +00:00			`<!-- END MUNGE: GENERATED_ANALYTICS -->`