
Authentication

Who are you?

Kubernetes depends on external identity providers; only service accounts are managed by Kubernetes itself. All user access goes through the kube-apiserver and is authenticated by one of four methods:

- HTTP Basic auth: --basic-auth-file (password, username, user ID, group ID (optional))
- HTTP Bearer token file: --token-auth-file (token, username, user ID, group ID (optional))
- Certificates
- ID Provider

User account vs Service Account (Human vs Robot)

“k create serviceaccount botname” will create a token that must be used to authenticate. When an SA is created, Kubernetes creates the SA, then the token, then creates a secret and stores the token in that secret.

From the secret, you can pass the token in as a header: --header “Authorization: Bearer …”

A default service account already exists in every namespace; each namespace has its own. Whenever a pod is created, the default service account’s token is mounted into the pod as a volume at /var/run/secrets/kubernetes.io/serviceaccount, which contains ca.crt, namespace and token.

Modify pod spec to include “serviceAccountName: saname”

You can set “automountServiceAccountToken: false” in the pod spec if you don’t want the token mounted.
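As an added example (not part of the original notes), the manifests below tie these pieces together: a service account named botname (the name from the notes), a pod that runs as it and uses the mounted token as a Bearer header against the in-cluster API, and a pod that opts out of token mounting. The pod names api-client and worker and the container images are constructed for illustration.

```yaml
# Added example, not from the original notes. Pod names, container names
# and images are constructed for illustration.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: botname
  namespace: default
---
# Pod that runs as the "botname" service account. Its token is mounted at
# /var/run/secrets/kubernetes.io/serviceaccount (ca.crt, namespace, token)
# and is sent as "Authorization: Bearer <token>" to the API server.
apiVersion: v1
kind: Pod
metadata:
  name: api-client
  namespace: default
spec:
  serviceAccountName: botname
  containers:
    - name: client
      image: curlimages/curl   # assumption: any image that ships curl works
      command: ["sh", "-c"]
      args:
        - |
          SA=/var/run/secrets/kubernetes.io/serviceaccount
          TOKEN=$(cat "$SA/token")
          # kubernetes.default.svc is the in-cluster API server address;
          # ca.crt from the mount validates its certificate.
          curl --cacert "$SA/ca.crt" \
               --header "Authorization: Bearer $TOKEN" \
               https://kubernetes.default.svc/api
---
# Pod that does not need the Kubernetes API at all: with automount disabled
# no token is placed in the container, so a compromised process in it holds
# no API credential.
apiVersion: v1
kind: Pod
metadata:
  name: worker
  namespace: default
spec:
  automountServiceAccountToken: false
  containers:
    - name: worker
      image: busybox
      command: ["sleep", "3600"]
```

Apply with kubectl apply -f and compare the two pods: the first has the serviceaccount volume mounted, the second does not. automountServiceAccountToken can also be set to false on the ServiceAccount object itself, which is the safer default for accounts whose pods never talk to the API. Note that since Kubernetes 1.24 creating a service account no longer creates a long-lived token Secret automatically; the token mounted into a pod is a short-lived projected token, and kubectl create token botname issues one on demand.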