
I have created a private key and a certificate signed by the CA of the Kubernetes API server. I have configured the user, cluster and context in the ~/.kube/config file. Using this context, where the user has a client certificate and key, what is the process to make an API call to the Kubernetes API server using the client-go libraries?

Wytrzymały Wiktor
praddy26
  • Did you mean [client-go credential plugins](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins)? If not, could you clarify the question? – kkopczak Mar 14 '22 at 22:56

1 Answer

In this documentation one can find the following excerpt:

k8s.io/client-go and tools using it such as kubectl and kubelet are able to execute an external command to receive user credentials. (...)

To authenticate against the API:

  • The user issues a kubectl command.
  • Credential plugin prompts the user for LDAP credentials, exchanges credentials with external service for a token.
  • Credential plugin returns token to client-go, which uses it as a bearer token against the API server.
  • API server uses the webhook token authenticator to submit a TokenReview to the external service.
  • External service verifies the signature on the token and returns the user's username and groups.

See also:

kkopczak
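
The token hand-off in the excerpt above, as an added example that is not part of the original answer or of the Kubernetes documentation: a minimal exec credential plugin in Go that writes the `ExecCredential` JSON client-go reads from the plugin's stdout. The `EXAMPLE_TOKEN` variable is a hypothetical stand-in for the LDAP exchange with the external service, and the 15-minute lifetime is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"time"
)

const apiVersion = "client.authentication.k8s.io/v1"

// execCredential is the object client-go passes in and reads back on stdout.
type execCredential struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Status     map[string]string `json:"status,omitempty"`
}

// BuildExecCredential validates KUBERNETES_EXEC_INFO (may be empty) and wraps the token.
func BuildExecCredential(execInfo, token string, ttl time.Duration, now time.Time) ([]byte, error) {
	if execInfo != "" {
		var req execCredential
		if err := json.Unmarshal([]byte(execInfo), &req); err != nil {
			return nil, fmt.Errorf("parsing KUBERNETES_EXEC_INFO: %w", err)
		}
		if req.APIVersion != apiVersion { // response must match the requested version
			return nil, fmt.Errorf("unsupported apiVersion %q", req.APIVersion)
		}
	}
	if token == "" {
		return nil, fmt.Errorf("no token obtained from the external service")
	}
	st := map[string]string{"token": token}
	if ttl > 0 { // lets client-go cache the token and re-run the plugin after expiry
		st["expirationTimestamp"] = now.Add(ttl).UTC().Format(time.RFC3339)
	}
	return json.Marshal(execCredential{APIVersion: apiVersion, Kind: "ExecCredential", Status: st})
}

func main() {
	// EXAMPLE_TOKEN (hypothetical) replaces the real credential exchange.
	out, err := BuildExecCredential(os.Getenv("KUBERNETES_EXEC_INFO"), os.Getenv("EXAMPLE_TOKEN"), 15*time.Minute, time.Now())
	if err != nil {
		fmt.Fprintln(os.Stderr, "credential plugin:", err) // stderr only; never log the token
		os.Exit(1)
	}
	fmt.Println(string(out))
}
```

client-go runs a plugin like this when the kubeconfig user entry has an `exec` section naming the binary and the same `apiVersion`.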