Authenticating your requests to the Kubernetes API server via client certificates

Overview:

This post shows how to use an X.509 client certificate to authenticate external requests to the Kubernetes API server. Minikube is used as the cluster.

Note:
This method talks to the API server directly and presents the credential with every request. The alternative is kubectl proxy (not kube-proxy, which is the node-level service proxy): it runs a proxy in the foreground on localhost, authenticates to the API server with the credentials in your kubeconfig, and lets local clients call the API without presenting any credentials themselves.

What is a client certificate?

In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party, trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard. A client certificate is a certificate issued to a client (a user or a program) rather than to a server: the client presents it during the TLS handshake and proves possession of the matching private key, so the server learns who is calling without any password.

X.509 client certificates are one of the built-in ways to authenticate requests to the Kubernetes API server. The API server accepts a client certificate only if it chains to a CA configured with its --client-ca-file flag; the certificate's subject is what identifies the user in Kubernetes.

When an X.509 certificate authenticates a Kubernetes user, the Common Name (CN) of the subject becomes the username, and each Organization (O) field becomes a group the user belongs to. Two caveats follow from this: the API server does not check CRLs or OCSP, so a leaked client certificate stays valid until it expires, and a certificate whose subject carries O=system:masters is treated as cluster-admin regardless of RBAC policy. Guard client key files accordingly.

Tools:

  • Minikube v1.25.2
  • Kubernetes version v1.23.2
  • Ubuntu 22.10 Kinetic Kudu

Authenticate requests to the Kubernetes API server via certificates:

  1. Start the Minikube cluster:
    minikube start
    
  2. The general form of a request to the API server with a client certificate looks like this:
    curl --cert [ClientCertificate] --key [PrivateKey] --cacert [CertificateAuthority] https://<APIServerAddress>:<port>/api
    
  3. To view the current configuration for the cluster use:
    kubectl config view
    
  4. The kubeconfig output shows where Minikube stores the client certificate, the client key and the cluster CA, and which address the API server listens on (minikube ip prints the same address). The final command to request the API server looks like this:
    curl --cert ~/.minikube/profiles/minikube/client.crt --key ~/.minikube/profiles/minikube/client.key --cacert ~/.minikube/ca.crt https://[api_server_ip]:8443/api
    
    You should get a response similar to this:
    {
      "kind": "APIVersions",
      "versions": [
        "v1"
      ],
      "serverAddressByClientCIDRs": [
        {
          "clientCIDR": "0.0.0.0/0",
          "serverAddress": "192.168.49.2:8443"
        }
      ]
    }
    
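The procedure above, and the CN/O-to-identity mapping described earlier, as one added example (it is not part of the original post and not Minikube's own tooling). It assumes minikube, kubectl, openssl and curl are on PATH and that the kubeconfig context "minikube" uses the default file paths under ~/.minikube; the helper names, the "run" argument and the sample subject strings are this example's own. It pulls the server URL from the kubeconfig, prints the Kubernetes identity the client certificate's subject yields, performs the authenticated GET /api, and repeats the request without the certificate to show that the call then arrives as system:anonymous and is rejected.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the default minikube
# layout under ~/.minikube and minikube/kubectl/openssl/curl on PATH.
set -eu

CLIENT_CERT="$HOME/.minikube/profiles/minikube/client.crt"
CLIENT_KEY="$HOME/.minikube/profiles/minikube/client.key"
CA_CERT="$HOME/.minikube/ca.crt"

# Map an RFC 2253 subject line, as printed by
#   openssl x509 -noout -subject -nameopt RFC2253
# (e.g. "subject=O=system:masters,CN=minikube-user"), to the identity
# Kubernetes derives from it: CN is the username, every O is a group.
# Assumes no escaped commas inside an RDN value.
subject_to_identity() {
    _subj="${1#subject=}"
    _user=""
    _groups=""
    _ifs=$IFS
    IFS=','
    set -f                      # no globbing while splitting on commas
    for _rdn in $_subj; do
        case "$_rdn" in
            CN=*) _user="${_rdn#CN=}" ;;
            O=*)  _groups="${_groups:+$_groups,}${_rdn#O=}" ;;
        esac
    done
    set +f
    IFS=$_ifs
    printf 'user=%s groups=%s\n' "$_user" "$_groups"
}

# Identity carried by a client certificate file.
cert_identity() {
    subject_to_identity "$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)"
}

# GET a path on the API server with the client certificate; prints the body.
# --fail turns a 4xx/5xx into a non-zero exit so a rejection is not missed.
api_get() {
    curl --silent --show-error --fail \
        --cert "$CLIENT_CERT" --key "$CLIENT_KEY" --cacert "$CA_CERT" \
        "$1$2"
}

# Same request without the client certificate. The TLS handshake still
# succeeds (the server asks for a client cert but does not require one);
# the request is then attributed to system:anonymous and RBAC denies it.
# Prints only the HTTP status code.
anonymous_status() {
    curl --silent --output /dev/null --write-out '%{http_code}' \
        --cacert "$CA_CERT" "$1$2"
}

main() {
    # API server URL for the minikube cluster, straight from the kubeconfig.
    server=$(kubectl config view -o jsonpath='{.clusters[?(@.name=="minikube")].cluster.server}')
    echo "API server: $server"
    echo "Identity in $CLIENT_CERT: $(cert_identity "$CLIENT_CERT")"
    echo "--- authenticated GET /api ---"
    api_get "$server" /api
    echo "--- same request without the client cert: HTTP $(anonymous_status "$server" /api) (403 expected with default RBAC)"
}

# The cluster-facing part runs only when asked, so the helpers can be
# sourced or tested without a running cluster:   sh k8s-client-cert.sh run
case "${1:-}" in
    run) main ;;
esac
```

The identity line for the Minikube certificate should read user=minikube-user with system:masters among the groups; that group is what makes this key a cluster-admin credential. If the anonymous request returns 200 instead of 403, the cluster's RBAC policy grants discovery to unauthenticated callers and is worth a look.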

The API server answers the request, so the client certificate authenticated us. Keep in mind that Minikube issues this certificate with O=system:masters, which Kubernetes treats as cluster-admin, so client.key is effectively a root credential for the cluster and should be protected like one.

Reference:

  1. When and How to Use Kubectl Proxy to Access the Kubernetes API
  2. Certificate authority