Understanding Kubernetes users

Question

I am having trouble trying to understand the Kubernetes authentication model, specially what "users" are.

Suppose I am on a computer, which is inside a kubernetes cluster. I want to do a request to the API server, using kubectl.

So: - I need to have the public key from the api-server HTTPS port. So let's assume that is provided to me. - Then, in my requeste, there's a need for me to populate the "user" field?

As per this part of the documentation, the user field is a method: https://kubernetes.io/docs/admin/authentication/#authentication-strategies

But then here https://kubernetes.io/docs/admin/accessing-the-api/#authorization we read that actually kubernetes has no concept of a user.

So:

• What/where do I even put in the user field?
• If, since I control the client request content, couldn't I simply enter any username there? Couldn't I just try guess any username repeatedly until I find one with the authorisation for what I want?

Thanks.

Answer 1

The user to be used depends on the kubeconfig for you to use (e.g. ~/.kube/config) and the current context. For example if your ~/.kube/config is below, kubernetes-admin is the user.

apiVersion: v1
kind: Config
current-context: kubernetes-admin@kubernetes
preferences: {}

contexts:
  - context:       <---- Current context to identify which cluster, user, and namespace (*) to use.
      cluster: kubernetes
      user: kubernetes-admin   <----- user for the context
    name: kubernetes-admin@kubernetes

clusters:
  - cluster:
      certificate-authority-data: REDACTED
      server: https://172.31.4.117:6443 
    name: kubernetes

users:
  - name: kubernetes-admin <----
    user:
      client-certificate-data: REDACTED
      client-key-data: REDACTED

You can add users. Please refer to Use Case 1: Create User With Limited Namespace Access in Configure RBAC In Your Kubernetes Cluster. This "User" is not "service account".

---

References

• Configure RBAC in your Kubernetes Cluster
• Configure Access to Multiple Clusters

Answer 2

we read that actually kubernetes has no concept of a user.

Not quite... “it does not have a user object nor does it store usernames or other information about users in its object store.”

For example, if you provided a client certificate, kubernetes would verify the signature on the certificate, then extract your identity from the certificate subject.

If you provided an OpenID Connect bearer token, kubernetes would verify the signature on the token and extract your username and group membership from the signed token.

There are other methods the kubernetes server can use to verify your credentials (webhook call outs, passing your request through an authenticating proxy, etc)

What/where do I even put in the user field?

In the kubeconfig file used by kubectl, it stores information about the server that will be contacted, and the user credentials to provide. You have the ability to provide a client x509 certificate, or a bearer token, or a basic auth username/password. Which one you choose depends on the authentication method configured in your server.

https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/#define-clusters-users-and-contexts gives a good walk through of setting up a kubeconfig file. You get to define user stanzas with a name you choose (just to reference it by locally) and credentials to send to the server. The name you choose locally has no bearing on the server, it only pays attention to the credentials you specify.