Improve explanation of client cert authn #53408
Conversation
k8s-ci-robot
added
sig/auth
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
cncf-cla: yes
✅ Pull request preview available for checkingBuilt without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
|
||
| {{< note >}} | ||
| Machine identities for nodes are not the same as | ||
| {{< glossary_tooltip text="ServiceAccounts" term_id="service-account" >}}. |
There was a problem hiding this comment.
| {{< glossary_tooltip text="ServiceAccounts" term_id="service-account" >}}. | |
| {{< glossary_tooltip text="service accounts" term_id="service-account" >}}. |
There was a problem hiding this comment.
Our style guide recommends "ServiceAccounts" (and I do want to emphasize that ServiceAccounts exist in the API). I'll leave it as-is.
| This would create a CSR for the username "jbeda", belonging to two groups, "app1" and "app2". | ||
|
|
||
| See [Managing Certificates](/docs/tasks/administer-cluster/certificates/) for how to generate a client cert. | ||
| This would create a signing request for the username "alovelace", belonging to two groups, "app1" and "app2". You could then use that signing request to obtain |
There was a problem hiding this comment.
We can use active voice.
Something like : This command creates a certificate signing request…
There was a problem hiding this comment.
We can, but I don't need to fix that in this PR. I'm retaining some of the wording from the original text here.
|
/assign @stlaz |
lmktfy
force-pushed
the
20251123_improve_client_cert_authn_advice
branch
from
2ad6db0 to
19e3d64
Compare
|
@aman4433 my feedback on your feedback is based on our reviewing checklist. I do appreciate it, but I also plan to skip a couple of the points you made. |
All good, @lmktfy! I get your point. Appreciate the feedback, and no problem skipping those bits. |
| Client certificate authentication is enabled by passing the `--client-ca-file=<SOMEFILE>` | ||
| option to the API server. The referenced file must contain one or more certificate authorities |
There was a problem hiding this comment.
To tie this to the previous paragraph, I would mention the client trust certificate authority here again:
| Client certificate authentication is enabled by passing the `--client-ca-file=<SOMEFILE>` | |
| option to the API server. The referenced file must contain one or more certificate authorities | |
| Client certificate authentication is enabled by passing the `--client-ca-file=<SOMEFILE>` | |
| option to the API server. This option configures the cluster's _client trust_ certificate authority. The referenced file must contain one or more certificate authorities |
|
|
||
| #### Kubernetes-compatible client certificates {#x509-client-certificates-k8s} | ||
|
|
||
| Kubernetes expects to find a client certificate with a common name field. |
There was a problem hiding this comment.
| Kubernetes expects to find a client certificate with a common name field. | |
| Kubernetes expects a client certificates with a subject that contains a commonName attribute, |
| Kubernetes expects to find a client certificate with a common name field. | ||
| The API server maps the _common name_ (OID `2.5.4.3`) field to the client's username. | ||
| For example, if you have a certificate with the common name set to "Ada Lovelace" | ||
| and the certificate also has a _uid_ attribute, (OID `0.9.2342.19200300.100.1.1`) |
There was a problem hiding this comment.
Is there a reason to include the uid here? Is it to show that Kubernetes will ignore it?
There was a problem hiding this comment.
Yes, that's right. You might have a client cert issuing process that you need to change, because Kubernetes only pays attention to commonName.
|
|
||
| You can map a user into groups by statically including group information into | ||
| the certificate. For each group that the user is a member of, add the group | ||
| name as an organization (OID `2.5.6.4`). |
There was a problem hiding this comment.
| name as an organization (OID `2.5.6.4`). | |
| name as an organization (OID `2.5.6.4`) in your certificate's subject. |
| You can map a user into groups by statically including group information into | ||
| the certificate. For each group that the user is a member of, add the group | ||
| name as an organization (OID `2.5.6.4`). | ||
| To include multiple group memberships for a user, include multiple organization fields in the certificate (the order does not matter). |
There was a problem hiding this comment.
| To include multiple group memberships for a user, include multiple organization fields in the certificate (the order does not matter). | |
| To include multiple group memberships for a user, include multiple organization attributes (RDNs?) in the certificate (the order does not matter). |
| To include multiple group memberships for a user, include multiple organization fields in the certificate (the order does not matter). | ||
| For the example user, the distinguished name might be CN=Ada Lovelace,O=Users,O=Staff,O=Programmers, which would place her into the groups "Programmers", "Staff", "system:authenticated", and "Users". | ||
|
|
||
| Kubernetes can use the same approach for server identities. For example: a node with the domain name "server-1a-antartica42.cluster.example" and using node name "server-1a-antartica42" could use a certificate issued to "CN=system:node:server-1a-antartica42,O=system:nodes". The node's username is then "system:node:server-1a-antartica42", and the node is a member of "system:authenticated" and "system:nodes". |
There was a problem hiding this comment.
This paragraph is a bit confusing. Is this still discussing client certs? Why mention servers?
There was a problem hiding this comment.
I wanted people to know that you typically set the commonName based on the Node name, not its FQDN; that's not otherwise obvious.
Anyway, I reworded it.
The commit makes a minimal number of less related changes, to ensure that the page still makes sense.
lmktfy
force-pushed
the
20251123_improve_client_cert_authn_advice
branch
from
19e3d64 to
052fb8a
Compare
k8s-ci-robot
added
size/L
| #### Kubernetes-compatible client certificates {#x509-client-certificates-k8s} | ||
|
|
||
| This would create a CSR for the username "jbeda", belonging to two groups, "app1" and "app2". | ||
| You can present a valid certificate, issued with a trust chain that the API server accepts |
There was a problem hiding this comment.
| You can present a valid certificate, issued with a trust chain that the API server accepts | |
| You can present a valid certificate, issued by a CA in a trust chain that the API server accepts |
| with uid set to "aaking1815", Kubernetes considers that the client's username is "Ada Lovelace"; | ||
| Kubernetes ignores the `uid` attribute. | ||
|
|
||
| ##### Group mapping {#x509-client-certificates-k8s-group} |
There was a problem hiding this comment.
Didn't you originally also include guide to map user UID? I think we would want all of username/group/uid mapping mentioned.
| Kubernetes can use the same approach for node identity; nodes are clients of the Kubernetes API server | ||
| (also, although less relevant here, the API server is usually also a client of each node). | ||
| For example: a Node "server-1a-antartica42", with the domain name "server-1a-antartica42.cluster.example", could use a certificate issued to "CN=system:node:server-1a-antartica42,O=system:nodes". The node's username is then "system:node:server-1a-antartica42", and the node is a member of "system:authenticated" and "system:nodes". |
There was a problem hiding this comment.
This is now much better 👍
I wonder if we should mention anywhere that these node identities are typically used by kubelets to be extra explicit.
| This would create a signing request for the username "alovelace", belonging to two groups, "app1" and "app2". You could then use that signing request to obtain | ||
| a certificate. |
There was a problem hiding this comment.
| This would create a signing request for the username "alovelace", belonging to two groups, "app1" and "app2". You could then use that signing request to obtain | |
| a certificate. | |
| This would create a signing request for the username "alovelace", belonging to two groups, "app1" and "app2". You could then have that signing request be signed by your cluster's client trust certificate authority to obtain a certificate you can use for client authentication to your cluster. |
5 participants
Add more text to explain how clients can authenticate to the Kubernetes API by presenting a peer certificate.
Also uses Ada Lovelace as the example user, rather than @jbeda. Countess Lovelace is no longer a data subject and so privacy legislation definitely won't apply.
See the preview vs original
Split out of PR #50364
/sig auth
/language en