Accessing Kubernetes Apiserver

by Ivan Pedrazas 2016-06-06 kubernetes security tokens

The process to access the api server is very simple. The apiserver has a flag that defines what type of access is desired:

To allow Basic Auth and/or tokens, we have to select ABAC.


To access the API server via tokens there are 2 things that need to be defined: the token/user and what the user is allowed to do. Tokens are defined in a file, policies are defined in a different file.

These configuration files have to be passed to the kube-apiserver using the following parameters:

If you want to allow Basic Auth, you have to specify the file containing the

Example of running the apiserver with those flags:

/bin/sh -c /usr/local/bin/kube-apiserver --address= --etcd-servers=

Here are examples of the files used by the apiserver:

Example of tokens in auth_tokens.csv:


Example of user/password for Basic Auth basic_auth.csv:


Example of the authorization policy file auth-policy.json:

{"apiVersion": "", "kind": "Policy", "spec": {"user":"ivan", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "", "kind": "Policy", "spec": {"user":"admin", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "", "kind": "Policy", "spec": {"user":"kubelet", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "", "kind": "Policy", "spec": {"user":"kube_proxy", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "", "kind": "Policy", "spec": {"user":"kubecfg", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "", "kind": "Policy", "spec": {"user":"client", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "", "kind": "Policy", "spec": {"group":"system:serviceaccounts", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
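
Every entry in the sample above, including the system:serviceaccounts group, has * in all four scope fields. The following Python check is an added example, not part of the original post: it reads a policy file in the one-JSON-object-per-line format and reports unrestricted entries and lines that break the format. The function name, the SAMPLE data and the ci user are constructed for illustration.

```python
import json

# Scope fields as they appear in the policy objects on this page.
SCOPE_FIELDS = ("namespace", "resource", "apiGroup", "nonResourcePath")

# Constructed sample: lines 1-2 copy the page's admin and service-account
# entries, line 3 is a hypothetical narrowly scoped user, line 4 a format error.
SAMPLE = "\n".join([
    '{"apiVersion": "", "kind": "Policy", "spec": {"user":"admin", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}',
    '{"apiVersion": "", "kind": "Policy", "spec": {"group":"system:serviceaccounts", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}',
    '{"apiVersion": "", "kind": "Policy", "spec": {"user":"ci", "namespace": "build", "resource": "pods", "apiGroup": "*"}}',
    '[',
])


def audit_abac_policy(text):
    """Return (line_number, subject, finding) for each problem line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            # Pretty-printed JSON or an enclosing list lands here.
            findings.append((lineno, None, "not one JSON object per line"))
            continue
        spec = obj.get("spec") if isinstance(obj, dict) else None
        if not isinstance(spec, dict) or obj.get("kind") != "Policy":
            findings.append((lineno, None, "not a Policy map with a spec"))
            continue
        subject = next((k + ":" + str(spec[k])
                        for k in ("user", "group") if k in spec), None)
        if subject is None:
            findings.append((lineno, None, "spec names no user or group"))
            continue
        # "*" in all four fields: none of them narrows what the subject may do.
        if all(spec.get(f) == "*" for f in SCOPE_FIELDS):
            scope = "whole group" if subject.startswith("group:") else "single user"
            findings.append((lineno, subject, "unrestricted grant to " + scope))
    return findings


if __name__ == "__main__":
    for finding in audit_abac_policy(SAMPLE):
        print(finding)
```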


If you want to test the access, you can try the following commands:

Access using Basic Auth:

curl -k -X GET -H "Authorization: Basic YWRtaW46R0dJZndabjYzaTNOTVdlTg==" https://$API_SERVER

Note that the string YWRtaW46R0dJZndabjYzaTNOTVdlTg== is the result of

echo -n "admin:GGIfwZn63i3NMWeN" | base64

Access using tokens:

curl -k -X GET -H "Authorization: Bearer i2TgpiZFZQNkIydDZzVkxmTHl3Q2hPNn" https://$API_SERVER

Policy File Format

For mode ABAC, also specify --authorization-policy-file=SOME_FILENAME. The file format is one JSON object per line. There should be no enclosing list or map, just one map per line. Each line is a “policy object”. A policy object is a map with the following properties: