Docs
Theory, Analysis
Kubernetes Authentication Client Certificate

Kubernetes Authentication Client Certificate

Analyzes Kubernetes authentication methods based on client certificates.

1. Kubernetes Authentication Client Certificate

[Figure 1] Kubernetes Authentication Client Certificate

[Figure 1] Kubernetes Authentication Client Certificate

Kubernetes provides authentication methods based on client certificates. [Figure 1] shows Kubernetes authentication methods based on client certificates. Client certificates and keys are created by signing with a Client CA certificate. The Kubernetes API Server obtains the Client CA certificate through the --client-ca-file option. When a client accesses the Kubernetes API Server with the client’s certificate and key, the Kubernetes API Server verifies whether the client’s certificate is valid through the Client CA certificate and client key.

A client certificate contains one CN (Common Name) and multiple O (Organization) fields. In Kubernetes, the value of the CN field is recognized as the user’s name, and the value of the O field is recognized as the group’s name. Therefore, to grant roles to clients authenticated through client certificates and keys, roles should be granted to users or groups in the client certificate. The client certificate in [Figure 1] has ssup2 set as the user’s name, and system:masters and kube set as group names.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

kind: RoleBinding
metadata:
  name: ssup2-user-role-binding
  namespace: default
subjects:
- kind: User
  name: ssup2
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: role-name
  apiGroup: rbac.authorization.k8s.io
[Text 1] Role Binding with User
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

kind: RoleBinding
metadata:
  name: kube-group-role-binding
  namespace: default
subjects:
- kind: Group
  name: kube
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: role-name
  apiGroup: rbac.authorization.k8s.io
[Text 2] Role Binding with Group

[Text 1] shows a Role Binding to grant a role to the ssup2 user, and [Text 2] shows a Role Binding to grant a role to the kube group. Groups starting with system: are reserved group names in Kubernetes. Therefore, the system:masters group also refers to a reserved group in Kubernetes. In Kubernetes, the system:masters group is a group with super privileges.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19

apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: <K8s-API-SERVER-ROOT-CA-CRT>
    server: <K8s-API-SERVER-URL>
  name: my-cluster 
contexts:
- context:
  name: default-context
  context:
    cluster: my-cluster
    user: my-user
current-context: default-context
users:
- name: my-user
  user:
    client-certificate-data: <CLIENT-CERTIFICATE>
    client-key-data: <CLIENT-KEY>
[Text 3] kubeconfig with Client Certificate

Client certificates can also be used in kubectl through kubeconfig settings. [Text 3] shows a kubeconfig using a client certificate. Set the client certificate content in the client-certificate-data field and set the client key in the client-key-data field.

2. References

Kubernetes ArchitectureKubernetes Authentication OIDC