Skip to content

Commit 19e3d64

Browse files
lmktfylmktfy
committed
Improve explanation of client cert authn
1 parent a2ed1db commit 19e3d64

File tree

1 file changed

+44
-12
lines changed

1 file changed

+44
-12
lines changed

content/en/docs/reference/access-authn-authz/authentication.md

Lines changed: 44 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -138,23 +138,55 @@ are available; for example using an [authenticating proxy](#authenticating-proxy
138138

139139
### X.509 client certificates {#x509-client-certificates}
140140

141-
Client certificate authentication is enabled by passing the `--client-ca-file=SOMEFILE`
142-
option to API server. The referenced file must contain one or more certificate authorities
143-
to use to validate client certificates presented to the API server. If a client certificate
144-
is presented and verified, the common name of the subject is used as the user name for the
145-
request. As of Kubernetes 1.4, client certificates can also indicate a user's group memberships
146-
using the certificate's organization fields. To include multiple group memberships for a user,
147-
include multiple organization fields in the certificate.
141+
Any Kubernetes client that presents a valid client certificate signed by the cluster's
142+
_client trust_ certificate authority (CA) is considered authenticated. In this configuration, Kubernetes determines
143+
the username from the `commonName` field in the _subject_ of the certificate
144+
(for example, `commonName=bob` represents a user with username "bob").
145+
From there, Kubernetes [authorization](/docs/reference/access-authn-authz/authorization)
146+
mechanisms determine whether the user is allowed to perform a specific operation on a resource.
148147

149-
For example, using the `openssl` command line tool to generate a certificate signing request:
148+
Client certificate authentication is enabled by passing the `--client-ca-file=<SOMEFILE>`
149+
option to the API server. The referenced file must contain one or more certificate authorities
150+
to use to validate client certificates presented to the API server.
151+
If a client certificate is presented and verified, the common name of the subject is used as the user name for the request. Client certificates can also indicate a user's group memberships using the certificate's organization fields. To include multiple group memberships for a user, include multiple organization fields in the certificate.
152+
153+
See [Managing Certificates](/docs/tasks/administer-cluster/certificates/) for how to generate a client cert, or read the brief [example](#x509-client-certificates-example) later in this page.
154+
155+
#### Kubernetes-compatible client certificates {#x509-client-certificates-k8s}
156+
157+
Kubernetes expects to find a client certificate with a common name field.
158+
The API server maps the _common name_ (OID `2.5.4.3`) field to the client's username.
159+
For example, if you have a certificate with the common name set to "Ada Lovelace"
160+
and the certificate also has a _uid_ attribute, (OID `0.9.2342.19200300.100.1.1`)
161+
with uid set to "aaking1815", Kubernetes considers that the client's username is "Ada Lovelace".
162+
163+
You can map a user into groups by statically including group information into
164+
the certificate. For each group that the user is a member of, add the group
165+
name as an organization (OID `2.5.6.4`).
166+
To include multiple group memberships for a user, include multiple organization fields in the certificate (the order does not matter).
167+
For the example user, the distinguished name might be CN=Ada Lovelace,O=Users,O=Staff,O=Programmers, which would place her into the groups "Programmers", "Staff", "system:authenticated", and "Users".
168+
169+
Kubernetes can use the same approach for server identities. For example: a node with the domain name "server-1a-antartica42.cluster.example" and using node name "server-1a-antartica42" could use a certificate issued to "CN=system:node:server-1a-antartica42,O=system:nodes". The node's username is then "system:node:server-1a-antartica42", and the node is a member of "system:authenticated" and "system:nodes".
170+
171+
{{< note >}}
172+
Machine identities for nodes are not the same as
173+
{{< glossary_tooltip text="ServiceAccounts" term_id="service-account" >}}.
174+
{{< /note >}}
175+
176+
The API server also checks that a client is valid based on the normal X.509 notBefore and notAfter attributes.
177+
178+
179+
#### Example {#x509-client-certificates-example}
180+
181+
You could use the `openssl` command line tool to generate a certificate signing request:
150182

151183
```bash
152-
openssl req -new -key jbeda.pem -out jbeda-csr.pem -subj "/CN=jbeda/O=app1/O=app2"
184+
# This example assumes that you already have a private key alovelace.pem
185+
openssl req -new -key alovelace.pem -out alovelace-csr.pem -subj "/CN=alovelace/O=app1/O=app2"
153186
```
154187

155-
This would create a CSR for the username "jbeda", belonging to two groups, "app1" and "app2".
156-
157-
See [Managing Certificates](/docs/tasks/administer-cluster/certificates/) for how to generate a client cert.
188+
This would create a signing request for the username "alovelace", belonging to two groups, "app1" and "app2". You could then use that signing request to obtain
189+
a certificate.
158190

159191
#### Putting a bearer token in a request
160192

0 commit comments

Comments
 (0)