
Kubernetes user authentication methods

Kubernetes user authentication is the process by which the kube-apiserver verifies the identity of a user or service sending a request to the cluster^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md]. This verification is the first step in the security chain, occurring before Authorization (permissions) and Admission Control^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].

To manage these identities and their access to different environments, Kubernetes uses a kubeconfig file which stores cluster details, users, and Contexts^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].

Kubernetes Context

In Kubernetes, a Context is a client-side configuration grouping that functions as an alias or shortcut for connection parameters^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md]. A context maps three distinct elements:

  • Cluster: The address of the kube-apiserver (URL) and its certificate authority data^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].
  • User: The specific credentials used to authenticate to the cluster^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].
  • Namespace: The default namespace to target for operations (if not specified)^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].

When a user executes a kubectl command, the tool refers to the current-context in the configuration file to determine which cluster to connect to, which user credentials to present, and which namespace to operate within^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md]. It is important to note that the kube-apiserver itself is unaware of these "contexts"; it merely receives the resolved parameters (User and Cluster info) with the request^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].

Authentication Strategies

Kubernetes supports multiple strategies for authenticating the User entity defined in the kubeconfig^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].

Client Certificates

Authentication can be performed using X.509 client certificates^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md]. In this method, the user entry in the kubeconfig contains paths or data for:

  • client-certificate: The user's public certificate^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].
  • client-key: The user's private key^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].

The API server validates the presented client certificate against the cluster's configured client Certificate Authority; the certificate's subject identifies the user, and possession of the matching private key proves the request came from that user.

Bearer Tokens

Users can be authenticated using bearer tokens^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md]. In this scenario, the user configuration in kubeconfig includes a token string that is sent to the API server to prove identity.

Authenticating Proxy

Requests can be authenticated via an authenticating proxy^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md]. This involves an intermediate proxy that handles the authentication logic before forwarding the request to the Kubernetes API server.

OpenID Connect / Auth Providers

For cloud-managed clusters (like Google GKE) or external identity providers, authentication often relies on plugins or external providers^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md]. For example, a kubeconfig entry may use an auth-provider (such as gcp) to execute a command (like gcloud config config-helper) that retrieves an access token (access-token) dynamically^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].

Multi-Cluster Configuration

A single kubeconfig file can manage access to multiple clusters and users, which is essential for separating environments (e.g., development vs. production)^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].

Administrators can define contexts that map specific users to specific clusters and namespaces. For example, a dev-backend context might map a backend-developer user to the development cluster and the backend namespace^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md]. This ensures that developers operate within the correct scope and permissions defined by the organization's security policies^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].
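The resolution step described above, as an added example that is not part of the original page: a small Python script resolves a context into the kube-apiserver address, the credential type and the namespace the way kubectl does, and refuses a context whose cluster or user entry no longer exists. The kubeconfig is constructed inline in JSON form (valid YAML, so kubectl accepts it) following the dev-backend example; all server names, file paths and the token are placeholders.

```python
import json
# Constructed kubeconfig (JSON is valid YAML); servers, paths and the token are placeholders.
SAMPLE_KUBECONFIG = json.dumps({
    "current-context": "dev-backend",
    "clusters": [
        {"name": "development", "cluster": {"server": "https://dev.example.internal:6443",
                                            "certificate-authority": "/etc/k8s/dev-ca.crt"}},
        {"name": "production", "cluster": {"server": "https://prod.example.internal:6443"}},
    ],
    "users": [
        {"name": "backend-developer", "user": {"client-certificate": "/home/dev/backend.crt",
                                               "client-key": "/home/dev/backend.key"}},
        {"name": "sre", "user": {"token": "PLACEHOLDER-TOKEN"}},
    ],
    "contexts": [
        {"name": "dev-backend", "context": {"cluster": "development",
                                            "user": "backend-developer", "namespace": "backend"}},
        {"name": "prod-admin", "context": {"cluster": "production", "user": "sre"}},
        # Dangling reference: the "staging" cluster entry is gone but its context survived.
        {"name": "stale", "context": {"cluster": "staging", "user": "backend-developer"}},
    ],
})

def _by_name(items, name):
    return next((i for i in items if i.get("name") == name), None)

def auth_method(user):
    # Classify the user entry by the kubeconfig keys this page describes.
    if "client-certificate" in user or "client-certificate-data" in user:
        return "client-certificate"
    if "token" in user:
        return "bearer-token"
    if "auth-provider" in user:
        return "auth-provider:" + user["auth-provider"].get("name", "unknown")
    return "none"

def resolve(kubeconfig_text, context_name=None):
    # Resolve a context the way kubectl does, refusing dangling cluster/user references.
    cfg = json.loads(kubeconfig_text)
    name = context_name or cfg.get("current-context")
    entry = _by_name(cfg.get("contexts", []), name)
    if entry is None:
        raise ValueError(f"context {name!r} is not defined")
    ctx = entry["context"]
    cluster = _by_name(cfg.get("clusters", []), ctx.get("cluster"))
    user = _by_name(cfg.get("users", []), ctx.get("user"))
    if cluster is None or user is None:
        raise ValueError(f"context {name!r} references a missing cluster or user")
    return {"server": cluster["cluster"]["server"], "auth": auth_method(user["user"]),
            "namespace": ctx.get("namespace", "default")}  # kubectl falls back to "default"
```

Running `resolve(SAMPLE_KUBECONFIG)` picks the dev-backend context and yields the development server, client-certificate authentication and the backend namespace, while the stale context is rejected rather than silently sent to the wrong cluster.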

  • [[Authorization]]
  • [[RBAC]]
  • [[Admission Control]]
  • [[kubeconfig]]

Sources

  • 400-devops-06-kubernetes-k8s-ithelp-day28-readme.md