Kubernetes Authentication flow

The Kubernetes authentication flow refers to the sequence of stages a request passes through when interacting with the cluster API, ensuring that only verified and authorized operations are persisted^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].

Request Lifecycle

When a user attempts to interact with a Kubernetes cluster, the request must first pass through kube-apiserver, which acts as the cluster gateway^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md]. From initiation to persistence in the etcd database, a request passes through three distinct stages^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md]:

  1. Authentication: Verifies the identity of the user.
  2. Authorization: Determines if the identified user has permission to perform the action.
  3. Admission Control: Validates and/or mutates the request object before it is stored.

This pipeline ensures that all incoming requests are rigorously checked before any state changes occur within the cluster^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].
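As an added illustration of the three-stage ordering (not code from the cited source, and not how kube-apiserver is actually implemented), the following toy model runs a request through authentication, authorization and admission in sequence and only writes to a stand-in for etcd when all three pass. The token table, the RBAC-like rules, the "no privileged containers" admission check and the `admitted-by` label are all constructed for the example.

```python
"""Toy model of the kube-apiserver request pipeline (constructed example).

Every identity, rule and admission policy below is made up for illustration;
the point is the order of the stages and which stage rejects a bad request.
"""
from dataclasses import dataclass, field
import copy

# Constructed identity store: bearer token -> (username, groups)
TOKENS = {
    "tok-alice": ("alice", ["developers"]),
    "tok-ci": ("ci-bot", ["ci"]),
}

# Constructed RBAC-like rules: (subject, verb, resource, namespace); "*" = any namespace
RULES = [
    ("developers", "create", "pods", "dev"),
    ("developers", "get", "pods", "dev"),
    ("ci", "get", "pods", "*"),
]

ETCD = {}  # stand-in for persisted cluster state, keyed by (namespace, resource, name)


@dataclass
class Request:
    token: str
    verb: str
    resource: str
    namespace: str
    body: dict = field(default_factory=dict)


@dataclass
class Decision:
    stage: str      # the stage that produced the decision
    allowed: bool
    reason: str


def authenticate(req):
    """Stage 1 (authentication): map the bearer token to (user, groups); None means 401."""
    return TOKENS.get(req.token)


def authorize(username, groups, req):
    """Stage 2 (authorization): allow only if some rule matches the caller's user or group."""
    subjects = {username, *groups}
    for subject, verb, resource, ns in RULES:
        if (subject in subjects and verb == req.verb
                and resource == req.resource and ns in ("*", req.namespace)):
            return True
    return False


def admit(req):
    """Stage 3 (admission): validate the object, then mutate a copy of it.

    Returns (ok, reason, object_to_store). Only creates carry an object here.
    """
    if req.verb != "create":
        return True, "", None
    obj = copy.deepcopy(req.body)  # never mutate the caller's request body in place
    for container in obj.get("spec", {}).get("containers", []):
        if container.get("securityContext", {}).get("privileged"):
            return False, "privileged containers are not allowed", None
    # Mutating step: stamp the object so the stored copy records that it was admitted
    obj.setdefault("metadata", {}).setdefault("labels", {})["admitted-by"] = "toy-webhook"
    return True, "", obj


def handle(req):
    """Run the three stages in order; only a request passing all three reaches ETCD."""
    identity = authenticate(req)
    if identity is None:
        return Decision("authentication", False, "401 Unauthorized: unknown token")
    username, groups = identity
    if not authorize(username, groups, req):
        return Decision("authorization", False,
                        f"403 Forbidden: {username} may not {req.verb} "
                        f"{req.resource} in {req.namespace}")
    ok, reason, obj = admit(req)
    if not ok:
        return Decision("admission", False, f"admission denied: {reason}")
    if obj is not None:
        name = obj.get("metadata", {}).get("name", "unnamed")
        ETCD[(req.namespace, req.resource, name)] = obj
    return Decision("persisted", True, "stored")


if __name__ == "__main__":
    pod = {"metadata": {"name": "web"},
           "spec": {"containers": [{"name": "c", "image": "nginx"}]}}
    for r in (Request("tok-alice", "create", "pods", "dev", pod),
              Request("bogus", "create", "pods", "dev", pod),
              Request("tok-alice", "create", "pods", "prod", pod)):
        print(handle(r))
```

Because each stage returns as soon as it rejects, a request with a bad token never reaches the authorization rules, and an unauthorized request never reaches admission; the `stage` field of the decision tells you which gate stopped it, which is the same information you would look for in the API server's audit log when debugging a denied request.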

Authentication and Context

Authentication is the process of validating the "Who" in a request^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md]. In practice, users interact with the cluster using a Context, which acts as a convenient alias or client-side configuration grouping^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].

A Context contains three essential elements that define the connection parameters^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md]:

  • Cluster: The address of the kube-apiserver and its certificate authority data.
  • User: The specific credentials used to authenticate (e.g., client certificates, tokens, or auth providers).
  • Namespace: The default scope for the operation (if applicable).

When a user executes a command like kubectl, the client tool references the current context to extract these parameters^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md]. It is important to note that kube-apiserver does not understand the concept of a Context; rather, the context is resolved on the client side, and the resulting specific credentials and target server are sent to the API server^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].
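To make the client-side nature of a context concrete, here is an added example (not code from the cited source, and not kubectl's own implementation) that resolves a context from a kubeconfig into the concrete parameters a client would put on the wire. The kubeconfig is a constructed one embedded as a Python dict, using the real kubeconfig field names (`clusters`, `users`, `contexts`, `current-context`, `certificate-authority-data`, `client-certificate`, `token`); the server names, file paths and token values are placeholders.

```python
"""Resolve a kubeconfig context client-side (constructed example).

The kubeconfig below is a made-up one, written as a dict rather than YAML so the
example needs no third-party parser. Field names follow the kubeconfig schema;
the hostnames, paths and token values are placeholders.
"""
import base64

KUBECONFIG = {
    "current-context": "dev-alice",
    "clusters": [
        {"name": "dev", "cluster": {
            "server": "https://dev.example.invalid:6443",
            "certificate-authority-data": base64.b64encode(b"-----FAKE CA-----").decode()}},
        {"name": "prod", "cluster": {
            "server": "https://prod.example.invalid:6443",
            "certificate-authority": "/etc/kube/prod-ca.crt"}},
    ],
    "users": [
        {"name": "alice", "user": {"token": "tok-alice"}},
        {"name": "ci-bot", "user": {"client-certificate": "/etc/kube/ci.crt",
                                    "client-key": "/etc/kube/ci.key"}},
    ],
    "contexts": [
        {"name": "dev-alice", "context": {"cluster": "dev", "user": "alice", "namespace": "dev"}},
        {"name": "prod-ci", "context": {"cluster": "prod", "user": "ci-bot"}},
        # Deliberately broken: refers to a user entry that does not exist
        {"name": "broken", "context": {"cluster": "dev", "user": "nobody"}},
    ],
}


def _named(section, key, name):
    """Find the entry called `name` in a kubeconfig list section and return its `key` body."""
    for entry in section:
        if entry["name"] == name:
            return entry[key]
    raise KeyError(f"kubeconfig has no {key} named {name!r}")


def resolve_context(cfg, context_name=None):
    """Turn a context name into the three things it groups: cluster, user and namespace."""
    name = context_name or cfg["current-context"]
    ctx = _named(cfg["contexts"], "context", name)
    cluster = _named(cfg["clusters"], "cluster", ctx["cluster"])
    user = _named(cfg["users"], "user", ctx["user"])
    return {
        "server": cluster["server"],
        # Either an inline base64 CA bundle or a path to one; the client uses it to verify the server
        "ca": cluster.get("certificate-authority") or cluster.get("certificate-authority-data"),
        "user": user,
        "namespace": ctx.get("namespace", "default"),
    }


def build_request(cfg, method, resource, context_name=None):
    """Build what actually leaves the client: URL, headers and TLS settings.

    Note that the context name itself never appears in the result; the API server
    only ever sees the resolved server address, credentials and namespace path.
    """
    r = resolve_context(cfg, context_name)
    url = f"{r['server']}/api/v1/namespaces/{r['namespace']}/{resource}"
    headers, tls = {}, {"ca": r["ca"]}
    user = r["user"]
    if "token" in user:
        headers["Authorization"] = f"Bearer {user['token']}"
    elif "client-certificate" in user:
        # mTLS: the client certificate is the credential, so no Authorization header is set
        tls["client_cert"] = (user["client-certificate"], user["client-key"])
    else:
        raise ValueError("user entry has no usable credentials")
    return {"method": method, "url": url, "headers": headers, "tls": tls}


if __name__ == "__main__":
    print(build_request(KUBECONFIG, "GET", "pods"))             # uses current-context
    print(build_request(KUBECONFIG, "GET", "pods", "prod-ci"))  # explicit context, mTLS user
```

Switching context changes the server, the credential and the default namespace together, which is why a kubeconfig that mixes production and development contexts deserves the same protection as the credentials inside it: whoever can read the file gets every credential, and the `broken` context shows that a dangling user reference fails on the client before any request is made.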

Sources

^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md]