Accessing Kubernetes Apiserver

by Ivan Pedrazas 2016-06-06 kubernetes security tokens

The process to access the apiserver is simple, but it involves two separate pieces. Authentication (tokens or Basic Auth) establishes who is calling; authorization decides what that caller may do, and it is selected with the --authorization-mode flag.

To give token and Basic Auth users per-user permissions instead of all-or-nothing access, we select ABAC as the authorization mode and describe those permissions in a policy file.

Access

To access the API server via tokens there are two things that need to be defined: the token/user pair (authentication) and what that user is allowed to do (authorization). Tokens are defined in one file and policies in another.

These configuration files have to be passed to the kube-apiserver using --token-auth-file for the tokens and --authorization-policy-file (together with --authorization-mode=ABAC) for the policies.

If you want to allow Basic Auth, you also have to pass the file containing the user/password entries with --basic-auth-file.

Example of running the apiserver with those flags. Note that --address sets the insecure, localhost-only listener, which skips authentication and authorization entirely; keep it bound to 127.0.0.1:

/usr/local/bin/kube-apiserver --address=127.0.0.1 --etcd-servers=http://127.0.0.1:4001 \
  --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,PersistentVolumeLabel,ResourceQuota \
  --token-auth-file=/srv/kubernetes/auth_tokens.csv \
  --authorization-mode=ABAC \
  --authorization-policy-file=/srv/kubernetes/auth-policy.json \
  --basic-auth-file=/srv/kubernetes/basic_auth.csv

Here are examples of the files used by the apiserver:

Example of tokens in auth_tokens.csv (one token,user,uid entry per line; the tokens are the bearer secrets, so protect this file like a private key):

Wx4WOTOmFoY5yXaoMPtHdnKeFLPYeBBL,admin,admin
jD34eFwNrJo9urd7QWLMALOjK7R58j1g,kubelet,kubelet
PxgQ4vSloVIhfFwx9WYaj8uke93JVBHh,kube_proxy,kube_proxy
i2TgpiZFZQNkIydDZzVkxmTHl3Q2hPNn,ivan,ivan

Example of user/password for Basic Auth in basic_auth.csv (password,user,uid):

GGIfwZn63i3NMWeN,admin,admin

Example of authorization policy file auth-policy.json. Note that every rule uses "*" for namespace, resource, apiGroup and nonResourcePath, so each listed user, and any pod presenting a service account token (through the system:serviceaccounts group), gets unrestricted access; narrow these rules before using the file outside a throwaway cluster:

{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"ivan", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"admin", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kube_proxy", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubecfg", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"client", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group":"system:serviceaccounts", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
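A policy file like the one above can be checked offline before the apiserver loads it. The following Python script is an added example, not code from this post or from Kubernetes. It re-implements the ABAC v1beta1 matching rules as documented: a rule must name a user and/or a group and each one it names must match the request or be "*"; a resource request matches when namespace, resource and apiGroup each match or are "*"; a non-resource request matches nonResourcePath exactly, by "*" or by a trailing-"*" prefix; and readonly (a v1beta1 spec field not used on this page) limits a rule to get/list/watch. It then flags rules that grant everything. The embedded policy text is constructed: its first and third lines are copied from the file above, the second is an assumed least-privilege rule for ivan in a hypothetical dev namespace, and the Attrs class is a stand-in for the request attributes the real authorizer receives.

```python
"""Offline evaluator and auditor for a Kubernetes ABAC v1beta1 policy file.

Added example: it mirrors the ABAC matching rules so a policy file can be
checked before kube-apiserver loads it. POLICY_FILE is constructed for the
example; lines 1 and 3 are from the post, line 2 is an assumed tighter rule.
"""
import json
from dataclasses import dataclass

READONLY_VERBS = {"get", "list", "watch"}

POLICY_FILE = """
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"ivan", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"ivan", "namespace": "dev", "resource": "pods", "apiGroup": "", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group":"system:serviceaccounts", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
"""


@dataclass
class Attrs:
    """What the authorizer sees for one request (constructed, not a real API type)."""
    user: str
    groups: tuple = ()
    verb: str = "get"
    namespace: str = ""      # "" for cluster-scoped resources
    resource: str = ""       # "" marks a non-resource request such as GET /version
    api_group: str = ""      # "" is the core API group
    path: str = ""


def load_policy(text):
    """One JSON object per line, no enclosing list; blank lines are skipped."""
    specs = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        obj = json.loads(line)
        if obj.get("kind") != "Policy":
            raise ValueError(f"line {n}: kind must be Policy, got {obj.get('kind')!r}")
        specs.append(obj.get("spec", {}))
    return specs


def subject_matches(spec, a):
    """A rule must name a user and/or a group; everything it names must match or be '*'."""
    matched = False
    if spec.get("user"):
        if spec["user"] not in ("*", a.user):
            return False
        matched = True
    if spec.get("group"):
        if spec["group"] != "*" and spec["group"] not in a.groups:
            return False
        matched = True
    return matched


def verb_matches(spec, a):
    """readonly restricts a rule to get/list/watch; otherwise any verb is allowed."""
    return not spec.get("readonly", False) or a.verb in READONLY_VERBS


def target_matches(spec, a):
    if a.resource:  # resource request: namespace, resource and apiGroup all have to match
        checks = (("namespace", a.namespace), ("resource", a.resource), ("apiGroup", a.api_group))
        return all(spec.get(key, "") in ("*", value) for key, value in checks)
    # non-resource request: exact path, "*", or a trailing-"*" prefix such as "/apis/*"
    pattern = spec.get("nonResourcePath", "")
    if not pattern:
        return False
    if pattern == "*" or pattern == a.path:
        return True
    return pattern.endswith("*") and a.path.startswith(pattern[:-1])


def authorize(specs, a):
    """ABAC is deny-by-default: allow only if some single rule matches on all three axes."""
    return any(subject_matches(s, a) and verb_matches(s, a) and target_matches(s, a)
               for s in specs)


def audit(specs):
    """Flag rules that let their subject do anything to anything (the post's rules all do)."""
    findings = []
    for i, s in enumerate(specs, 1):
        everything = all(s.get(k) == "*" for k in ("namespace", "resource", "apiGroup", "nonResourcePath"))
        if everything and not s.get("readonly"):
            who = f"user {s['user']}" if s.get("user") else f"group {s.get('group')}"
            findings.append(f"rule {i}: {who} may do anything to any resource or path")
    return findings


def demo():
    specs = load_policy(POLICY_FILE)
    tight = specs[1:2]  # only the assumed least-privilege rule
    delete_secret = Attrs("ivan", verb="delete", namespace="kube-system", resource="secrets")
    get_dev_pod = Attrs("ivan", verb="get", namespace="dev", resource="pods")
    pod_token = Attrs("system:serviceaccount:default:default", groups=("system:serviceaccounts",),
                      verb="delete", namespace="kube-system", resource="secrets")
    return {
        "post_policy_lets_ivan_delete_secrets": authorize(specs, delete_secret),
        "tight_policy_lets_ivan_delete_secrets": authorize(tight, delete_secret),
        "tight_policy_lets_ivan_get_dev_pods": authorize(tight, get_dev_pod),
        "tight_policy_lets_ivan_read_version": authorize(tight, Attrs("ivan", path="/version")),
        "post_policy_lets_any_pod_delete_secrets": authorize(specs, pod_token),
        "findings": audit(specs),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The demo makes the security point concrete: with the post's rules, ivan can delete secrets in kube-system and so can any pod that reads its mounted service account token, while the tightened rule lets ivan read pods in dev and nothing else, not even /version, because ABAC denies anything no rule covers.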

Testing

If you want to test the access, you can try the following commands. Both use -k, which disables TLS certificate verification, so the credentials are sent to whatever answers at $API_SERVER; outside a throwaway cluster, verify the server with --cacert instead of -k:

Access using Basic Auth:

curl -k -X GET -H   "Authorization: Basic YWRtaW46R0dJZndabjYzaTNOTVdlTg=="   https://$API_SERVER

Note that the string YWRtaW46R0dJZndabjYzaTNOTVdlTg== is just the Base64 encoding of admin:password (an encoding, not a secret in itself), the result of

echo -n "admin:GGIfwZn63i3NMWeN" | base64

Access using tokens:

curl -k -X GET -H "Authorization: Bearer i2TgpiZFZQNkIydDZzVkxmTHl3Q2hPNn"    https://$API_SERVER
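To see what the apiserver does with those two headers, here is an added Python example (not code from this post or from Kubernetes) that loads the two CSV files, parses an Authorization header and resolves it to a user and uid, or rejects it. The token file is looked up by token and the Basic Auth file by user name, with the stored password compared in constant time; any other scheme, malformed Base64 or unknown credential yields no identity. The embedded file contents are the entries shown above in this post, and the wrong-credential requests in the usage section are constructed.

```python
"""Added example: resolve an Authorization header to a Kubernetes user the way
kube-apiserver's --token-auth-file and --basic-auth-file authenticators do.
The CSV contents are the entries from the post (never embed real credentials
in a script); all other inputs are constructed for the example.
"""
import base64
import binascii
import csv
import hmac
import io

TOKEN_FILE = """Wx4WOTOmFoY5yXaoMPtHdnKeFLPYeBBL,admin,admin
jD34eFwNrJo9urd7QWLMALOjK7R58j1g,kubelet,kubelet
i2TgpiZFZQNkIydDZzVkxmTHl3Q2hPNn,ivan,ivan
"""
BASIC_AUTH_FILE = """GGIfwZn63i3NMWeN,admin,admin
"""


def parse_rows(text):
    """Both files are CSV with at least three columns: secret,user,uid."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not row or all(not c.strip() for c in row):
            continue
        if len(row) < 3:
            raise ValueError(f"expected secret,user,uid but got {row!r}")
        rows.append(tuple(c.strip() for c in row[:3]))
    return rows


# token file: token,user,uid looked up by token
TOKENS = {token: (user, uid) for token, user, uid in parse_rows(TOKEN_FILE)}
# basic-auth file: password,user,uid looked up by user name
BASIC = {user: (password, uid) for password, user, uid in parse_rows(BASIC_AUTH_FILE)}


def basic_header(user, password):
    """Same as: echo -n "user:password" | base64, prefixed with the scheme."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(header, tokens=TOKENS, basic=BASIC):
    """Return (user, uid) for a valid 'Bearer <token>' or 'Basic <base64>' header, else None."""
    if not header:
        return None
    scheme, _, value = header.strip().partition(" ")
    scheme, value = scheme.lower(), value.strip()
    if scheme == "bearer":
        return tokens.get(value)  # the token itself is the lookup key
    if scheme == "basic":
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        if not sep or user not in basic:
            return None
        stored_password, uid = basic[user]
        # constant-time comparison so a near-miss password does not leak timing
        if hmac.compare_digest(stored_password.encode(), password.encode()):
            return (user, uid)
        return None
    return None  # Digest, Negotiate, bare tokens, etc. are not recognised


if __name__ == "__main__":
    for h in ("Basic YWRtaW46R0dJZndabjYzaTNOTVdlTg==",
              "Bearer i2TgpiZFZQNkIydDZzVkxmTHl3Q2hPNn",
              basic_header("admin", "wrong"),
              "Bearer nope"):
        print(f"{h!r} -> {authenticate(h)}")
```

Because authentication only yields a user name, the identity returned here is exactly what the ABAC policy file then keys on; a token that is not in the file never reaches authorization at all.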

Policy File Format

For mode ABAC, also specify --authorization-policy-file=SOME_FILENAME. The file format is one JSON object per line: no enclosing list or map, just one map per line. Each line is a "policy object", a map whose spec carries the properties used in the example above: user or group (the subject), namespace, resource and apiGroup (for resource requests) and nonResourcePath (for paths such as /version), where "*" matches anything. A request is denied unless some rule matches it, and the file is only read when the apiserver starts, so a change requires a restart.

k8s.uk is made by @agonzalezro and @ipedrazas