github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
k3s/docs/authentication.md

1.3 KiB
Raw Blame History

Authentication Plugins

Kubernetes uses tokens or client certificates to authenticate users for API calls.

Client certificate authentication is enabled by passing the --client_ca_file=SOMEFILE option to apiserver. The referenced file must contain one or more certificates authorities to use to validate client certificates presented to the apiserver. If a client certificate is presented and verified, the common name of the subject is used as the user name for the request.

Token authentication is enabled by passing the --token_auth_file=SOMEFILE option to apiserver. Currently, tokens last indefinitely, and the token list cannot be changed without restarting apiserver. We plan in the future for tokens to be short-lived, and to be generated as needed rather than stored in a file.

The token file format is implemented in plugin/pkg/auth/authenticator/token/tokenfile/... and is a csv file with 3 columns: token, user name, user uid.

Plugin Development

We plan for the Kubernetes API server to issue tokens after the user has been (re)authenticated by a bedrock authentication provider external to Kubernetes. We plan to make it easy to develop modules that interface between kubernetes and a bedrock authentication provider (e.g. github.com, google.com, enterprise directory, kerberos, etc.)