Setting up Basic Authentication for Kubernetes Cluster on Minikube — 1
In this post let’s explore how we can setup a username-password based basic authentication to access the kube-apiserver
Setup basic authentication on Kubernetes (Deprecated in 1.19)
Note: This is not recommended in a production environment.
This is only for learning purposes. Also note that this approach is deprecated in Kubernetes version 1.19 and is no longer available in later releases.
kube-apiserver authentication mechanisms
kube-apiserver authenticates the user before processing the requests.
There are different authentication mechanisms that can be configured to be used with kube-apiserver. Few of them are,
- Basic Authentication with Static Password file
Plain text username and password fetched from a static password file and used for validation against the credentials passed in the request. - Bearer Token Authentication with Static Token file
Plain text username and token are fetched from a static token file and used for validation against the bearer token passed in the request. - Certificate based Authentication
X509 client certificate is used for authentication.
If a client certificate is presented and verified, the common name of the subject is used as the user name for the request - Third party Identity Services Authentication
In this approach kube-apiserver is integrated with third-party identity services like LDAP, Kerberos, External Identity Providers, etc.
In this blog, our goal is to achieve basic authentication with a static password file.
In order to enable basic authentication support in kube-apiserver we need to pass the user details in a csv file with “--basic-auth-file” option.
--basic-auth-file=user-details.csv
Prerequisites
Create a single node Kubernetes cluster on Minikube
First, let’s create a single node k8s cluster named
“test-node” with default “test” namespace (without any extra configurations) provisioned with k8s version 1.18.0 (any version lower than v1.19.0) using the following command,
Set the Active Cluster on Minikube
Since we can have multiple k8s clusters running with minikube, we need to set the active cluster to execute the kubectl commands on that cluster
Fetch the Kubernetes Control Plane URL
Fetch the k8s control plane url by executing the following kubectl command,
The output will look like the following,
We will be using this url to query the “kube-apiserver”
Create the Static Password file in the Minikube node
In order for the basic authentication to work we need to pass a static password file. This file need to be accessible by the k8s cluster, thus needs to be placed in the Minikube cluster node.
SSH into the Minikube k8s cluster node “test-node” using the following command,
Create a file named “user-details.csv” with the user details in the “/tmp/users” directory of the cluster node
“user-details.csv” file has three columns, password, username and userid respectively
Create the Namespace, Roles and RoleBindings for the Users
In order for the users to perform operations on the k8s cluster we need to create roles (in the specific namespace) with the relevant permissions and bind them to the users using rolebindings.
Let’s create a “test” namespace in the “test-node” cluster (“test-node” is already set as the active Minikube cluster)
Create the role and rolebinding for the “wso2user” to fetch the pods, by executing the “roles-rolebindings-apiserver-basic-auth.yaml” file,
Create the Role and RoleBinding by executing the following kubectl command,
Executing the above k8s definition file will,
- Create a role named “pod-reader” in the “test” namespace with permissions to “get” and “list” pods.
- Create a rolebinding named “read-pods” in the “test” namespace which associates the “pod-reader” role to the “wso2user”
Configure basic authentication for kube-apiserver
Now let’s apply the configuration changes for the “kube-apiserver” static pod in the “kube-system” namespace configured by the Minikube to support basic authentication by mounting the “user-details.csv” file to the pod.
We will apply the following changes to the “kube-apiserver” pod in the “kube-system” namespace,
- Include the “--basic-auth-file” startup option pointing to the
“user-details.csv” file in the volumeMount “/tmp/auth” - Configure the volumes pointing to the “/tmp/users” hostpath where the “user-details.csv” file resides in the node
- Configure the volumeMounts to mount the
“/tmp/users/user-details.csv” file from the node to the
“kube-apiserver” pod via the mount path “/tmp/auth/user-details.csv”
The “kube-apiserver” pod is automatically created by the Minikube cluster in the “kube-system” namespace using the kube-apiserver.yaml k8s definition file found in the /etc/kubernetes/manifests directory of the cluster node.
Modifications to the /etc/kubernetes/manifests/kube-apiserver.yaml will apply changes to kube-apiserver pod
Execute the following commands,
Modify the kube-apiserver.yaml with the above discussed additional configurations as shown below,
Once the modifications are completed, save the changes to the
“kube-apiserver.yaml”, Minikube will automatically apply the changes and recreate the “kube-apiserver-test-node” pod in the “kube-system” namespace
Test API Invocations with Basic Authentication
We have completed all the configurations, and the k8s cluster should now support basic authentication with the user details we passed.
Let’s try to fetch the pod details in the “test” namespace using the
“kube-apiserver” url, by passing the “wso2user” credentials in the basic header
curl -kv https://192.168.64.18:8443/api/v1/namespaces/test/pods \
-u "wso2user:abcd"The curl response will look like the following,
200 OK response is returned with some metadata as shown above.
The “items” array is empty as there are no pods running in the “test” namespace.
Let’s quickly run a pod in the “test” namespace,
kubectl -n test run nginx --image=nginxNow let’s try to fetch the pods again for the “wso2user” with the correct credentials,
curl -kv https://192.168.64.18:8443/api/v1/namespaces/test/pods \
-u "wso2user:abcd"200 OK response is returned with a populated items array as following,
Now let’s try to fetch the pods for the “wso2user” with the wrong credentials,
curl -kv https://192.168.64.18:8443/api/v1/namespaces/test/pods \
-u "wso2user:wrongpassword"401 Unauthorized response is returned with “status: Failure” as shown below,
Finally, let’s try to fetch the pods with a non-existing user “wso2user1”
curl -kv https://192.168.64.18:8443/api/v1/namespaces/test/pods \
-u "wso2user1:abcd"401 Unauthorized response is returned with “status: Failure” same as with the wrong credentials.
References:
[1] https://minikube.sigs.k8s.io/docs/start/
[2] https://kubernetes.io/docs/tasks/tools/#kubectl
[3] https://kubernetes.io/docs/reference/access-authn-authz/authentication/
Hope you enjoyed the blog and got something to take away.
Thank you for Reading!
Cheers!!!
