Authentication modules include Client Certificates, Passwords, Plain Tokens, Bootstrap Tokens, and JWT Tokens (used for service accounts).
Multiple authentication modules can be specified, in which case each one is tried in sequence, until one of them succeeds.
The API server does not guarantee the order authenticators run in.
The system:authenticated group is included in the list of groups for all authenticated users.
Authentication plugins attempt to associate identifying attributes with the request, such as the user name, group memberships, and extra fields (the same attributes the authorizer later reviews under Request Attributes).
X509 Client Certs
Client certificate authentication is enabled by passing the --client-ca-file=SOMEFILE option to the API server.
The common name (CN) of the certificate subject is used as the user name for the request.
For example, using the openssl command line tool to generate a certificate signing request:
openssl req -new -key jbeda.pem -out jbeda-csr.pem -subj "/CN=jbeda/O=app1/O=app2"
This would create a CSR for the username "jbeda", belonging to two groups, "app1" and "app2".
You can use openssl to manually generate certificates for your cluster.
The request is authorized if an existing policy declares that the user has permissions to complete the requested action.
Review Your Request Attributes
user - The user string provided during authentication
group - The list of group names to which the authenticated user belongs
extra - A map of arbitrary string keys to string values, provided by the authentication layer
API - Indicates whether the request is for an API resource
Request path - Path to miscellaneous non-resource endpoints like /api or /healthz (see kubectl).
API request verb - API verbs get, list, create, update, patch, watch, proxy, redirect, delete, and deletecollection are used for resource requests. To determine the request verb for a resource API endpoint, see Determine the request verb below.
HTTP request verb - HTTP verbs get, post, put, and delete are used for non-resource requests
Resource - The ID or name of the resource that is being accessed (for resource requests only). For resource requests using the get, update, patch, and delete verbs, you must provide the resource name.
Subresource - The subresource that is being accessed (for resource requests only)
Namespace - The namespace of the object that is being accessed (for namespaced resource requests only)
API group - The API group being accessed (for resource requests only). An empty string designates the core API group.
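The attribute list above applied to concrete requests, as an added example that is not the page's or Kubernetes' own code: a small Python resolver that derives the verb, API group, namespace, resource, subresource and name from an HTTP method and request path, following the documented Kubernetes convention (POST is create, GET without a name is list or watch, DELETE without a name is deletecollection, and non-resource paths keep the HTTP verb). The names `resolve` and `RequestAttributes` are my own; the legacy /proxy and /watch path prefixes are not handled.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Illustrative reimplementation of the documented Kubernetes verb/attribute mapping.
RESOURCE_VERBS = {"POST": "create", "PUT": "update", "PATCH": "patch"}

@dataclass
class RequestAttributes:
    is_resource: bool
    verb: str
    api_group: str = ""
    namespace: str = ""
    resource: str = ""
    subresource: str = ""
    name: str = ""
    path: str = ""

def resolve(method: str, url: str) -> RequestAttributes:
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    method, group, rest = method.upper(), "", []
    # Resource requests live under /api/<version> (core group = "") or
    # /apis/<group>/<version>; anything else is a non-resource endpoint.
    if len(segs) >= 2 and segs[0] == "api":
        rest = segs[2:]
    elif len(segs) >= 3 and segs[0] == "apis":
        group, rest = segs[1], segs[3:]
    if not rest:  # /healthz, /api, discovery paths: verb is the HTTP verb itself
        return RequestAttributes(False, method.lower(), path=parts.path)
    namespace = ""
    if rest[0] == "namespaces" and len(rest) > 1:
        namespace = rest[1]
        # /namespaces/<ns>/<resource>... is namespaced; /namespaces/<ns> alone is the namespace object
        if len(rest) > 2:
            rest = rest[2:]
    resource = rest[0]
    name = rest[1] if len(rest) > 1 else ""
    subresource = rest[2] if len(rest) > 2 else ""
    if method in RESOURCE_VERBS:
        verb = RESOURCE_VERBS[method]
    elif method in ("GET", "HEAD"):
        # No name means a collection: list, or watch when ?watch=true is present.
        watching = "true" in parse_qs(parts.query).get("watch", [])
        verb = "get" if name else ("watch" if watching else "list")
    elif method == "DELETE":
        verb = "delete" if name else "deletecollection"
    else:
        verb = method.lower()
    return RequestAttributes(True, verb, group, namespace, resource,
                             subresource, name, parts.path)
```

Running the resolver over audit or access-log entries shows which verb, namespace and resource an RBAC rule must cover for each recorded request.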