0

I created an Ubuntu machine that will receive the audit log from my cluster. I created a config file in order to configure the webhook backend for k8s auditing.

apiVersion: v1
kind: Config
clusters:
- cluster:
    server: http://34.68.115.34
  name: webcluster
contexts:
- context:
    cluster: webcluster
    user: ""
  name: default-context
current-context: default-context
preferences: {}
users: []

I didn't find any option to configure the relevant authentication in case of using https. What is the solution for that?

inza

1 Answer

1

You can use basic auth for http or a certificate for https. When the kube API server communicates with the webhook, it will present the client certificate to the webhook web server to authenticate itself. You need to have the CA cert in your webhook web server to successfully authenticate the Kubernetes API server. You will need to use the same CA cert to generate the client certificate, and add that client cert into the kubeconfig file.

Basic Auth:

apiVersion: v1
kind: Config
preferences: {}
clusters:
- name: example-cluster
  cluster:
    server: http://10.1.35.4
users:
- name: example-user
  user:
    username: some-user
    password: some-password
contexts:
- name: example-context
  context:
    cluster: example-cluster
    user: example-user
current-context: example-context

Certificate:

apiVersion: v1
kind: Config
preferences: {}
clusters:
- name: example-cluster
  cluster:
    server: https://10.1.35.4
users:
- name: example-user
  user:
    client-certificate-data: <redacted>
    client-key-data: <redacted>
contexts:
- name: example-context
  context:
    cluster: example-cluster
    user: example-user
current-context: example-context
Arghya Sadhu
  • I wrote my webhook in Golang. How can I get the username and password (basic auth)? Is it being sent to the webhook? I wrote the following but I didn't get anything ```func Server(w http.ResponseWriter, r *http.Request) { user11, pass11, ok := r.BasicAuth() ``` – inza Jan 20 '20 at 07:15
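
The receiving side of the two kubeconfig variants in the answer, as an added example that is not code from the question, the answer or the comment: a Go listener that verifies a presented client certificate against the CA and otherwise falls back to checking basic-auth credentials. The function names, port 8443 and the file names `ca.crt`, `server.crt` and `server.key` are assumptions; the credentials are the answer's sample values.

```go
package main

import (
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"log"
	"net/http"
	"os"
)

// mtlsConfig verifies any presented client certificate against the CA in caPEM.
// Switch to tls.RequireAndVerifyClientCert to drop the basic-auth fallback.
func mtlsConfig(caPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate in PEM input")
	}
	return &tls.Config{ClientCAs: pool, ClientAuth: tls.VerifyClientCertIfGiven, MinVersion: tls.VersionTLS12}, nil
}

// callerAuthenticated: a verified client certificate, or matching basic-auth credentials.
func callerAuthenticated(r *http.Request, user, pass string) bool {
	u, p, ok := r.BasicAuth()
	basic := ok && subtle.ConstantTimeCompare([]byte(u), []byte(user))&subtle.ConstantTimeCompare([]byte(p), []byte(pass)) == 1
	return basic || (r.TLS != nil && len(r.TLS.VerifiedChains) > 0)
}

// requireAuth answers 401 before the audit events reach next.
func requireAuth(user, pass string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !callerAuthenticated(r, user, pass) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	ca, _ := os.ReadFile("ca.crt") // assumed path; an unreadable file is rejected by mtlsConfig
	cfg, err := mtlsConfig(ca)
	if err != nil {
		log.Fatal(err)
	}
	sink := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}) // event processing goes here
	srv := &http.Server{Addr: ":8443", TLSConfig: cfg, Handler: requireAuth("some-user", "some-password", sink)}
	log.Fatal(srv.ListenAndServeTLS("server.crt", "server.key"))
}
```

`r.TLS.VerifiedChains` is only populated when the handshake validated a client certificate, so the check does not trust a certificate that was merely presented.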