
Authentication

There are three main points to remember about authentication in Kubernetes:

  • In its straightforward form, authentication is done with client certificates, bearer tokens or (in clusters older than v1.19) basic authentication, i.e. a username and password.
  • Normal users are not created by the API server; they are expected to be managed by an external system, such as the CA that issues client certificates or an identity provider.
  • Service accounts are the identities that processes running in pods use to access the API (to learn more, read Configure Service Accounts for Pods).

There are two more advanced authentication mechanisms:

  • Webhook token authentication, where the API server hands each bearer token to an external service for verification in a TokenReview request.
  • Integration with an external OpenID Connect (OIDC) provider, whose ID tokens the API server validates against the provider's issuer and client ID.

Which authenticators are active is determined by the kube-apiserver startup flags. Below are four examples of options that would need to be set, depending on the authentication mechanism chosen:

  • --basic-auth-file (deprecated in v1.16 and removed in v1.19)

  • --oidc-issuer-url (together with --oidc-client-id)

  • --token-auth-file

  • --authentication-token-webhook-config-file (not to be confused with --authorization-webhook-config-file, which configures authorization, not authentication)

One or more authenticator modules are used:

  • X509 client certificates;
  • static token file, bootstrap tokens and other bearer tokens (including webhook-verified tokens);
  • static password file (removed in v1.19);
  • service account tokens;
  • OpenID Connect tokens.

Each module is tried in turn until one succeeds, and the order is not guaranteed, so no module should rely on another having run first. The first module to accept a request supplies the username, UID and groups that authorization will see, and every authenticated identity is also placed in the group system:authenticated. If a request carries no credentials and anonymous access is enabled (--anonymous-auth=true, the default), it proceeds as user system:anonymous in group system:unauthenticated; with anonymous access disabled, or when the presented credential is rejected by every module, the API server returns 401 Unauthorized.
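To make the chain concrete, here is an added Python model of the bearer-token path through the authenticator chain; it is an illustration written for this page, not Kubernetes source code. It parses the real --token-auth-file CSV layout, checks the bootstrap token syntax, builds the TokenReview object an authentication webhook receives (covering the webhook mechanism described earlier), and applies the anonymous/401 rule above. All tokens and users, the demo_webhook_backend function and the in-memory BOOTSTRAP_TOKENS table are constructed for the example.

```python
"""Miniature model of the kube-apiserver bearer-token authenticator chain.
Added illustration, not Kubernetes source. All tokens and users are constructed."""
import csv
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed content in the real --token-auth-file CSV layout:
# token,user,uid,"group1,group2,..."  (the groups column is optional).
TOKEN_FILE = """\
a1b2c3d4e5f6,alice,1001,"system:masters,dev"
f6e5d4c3b2a1,ci-bot,2002
"""

# Bootstrap tokens are <6-char id>.<16-char secret>, lowercase [a-z0-9].
BOOTSTRAP_TOKEN_RE = re.compile(r"^[a-z0-9]{6}\.[a-z0-9]{16}$")
# Constructed id -> secret table (in a cluster this lives in kube-system Secrets).
BOOTSTRAP_TOKENS = {"abcdef": "0123456789abcdef"}

@dataclass
class UserInfo:
    username: str
    uid: str = ""
    groups: list = field(default_factory=list)

Authenticator = Callable[[str], Optional[UserInfo]]

def load_static_tokens(text: str) -> dict:
    """Parse --token-auth-file content into {token: UserInfo}."""
    users = {}
    for row in csv.reader(text.splitlines()):
        if len(row) < 3:
            continue  # skip blank or malformed lines
        groups = [g for g in row[3].split(",") if g] if len(row) > 3 else []
        users[row[0]] = UserInfo(row[1], row[2], groups)
    return users

def static_token_authenticator(tokens: dict) -> Authenticator:
    return lambda tok: tokens.get(tok)

def bootstrap_token_authenticator(valid: dict) -> Authenticator:
    def auth(tok: str) -> Optional[UserInfo]:
        if not BOOTSTRAP_TOKEN_RE.match(tok):
            return None  # not a bootstrap token; let another module try
        token_id, secret = tok.split(".")
        if valid.get(token_id) != secret:
            return None
        return UserInfo(f"system:bootstrap:{token_id}", groups=["system:bootstrappers"])
    return auth

def token_review_request(token: str) -> dict:
    """The TokenReview object the API server POSTs to an authentication webhook."""
    return {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview",
            "spec": {"token": token}}

def demo_webhook_backend(review: dict) -> dict:
    """Stand-in for the remote webhook service (constructed; knows one token)."""
    known = {"wh-token-xyz": UserInfo("bob@example.com", "u-42", ["developers"])}
    info = known.get(review["spec"]["token"])
    status = {"authenticated": info is not None}
    if info:
        status["user"] = {"username": info.username, "uid": info.uid, "groups": info.groups}
    return {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview", "status": status}

def webhook_authenticator(backend: Callable[[dict], dict]) -> Authenticator:
    def auth(tok: str) -> Optional[UserInfo]:
        status = backend(token_review_request(tok)).get("status", {})
        if not status.get("authenticated"):
            return None
        u = status["user"]
        return UserInfo(u["username"], u.get("uid", ""), list(u.get("groups", [])))
    return auth

def authenticate(auth_header: Optional[str], chain, anonymous_enabled: bool):
    """Try each module until one accepts the token. Returns (http_status, UserInfo|None).
    Anonymous only covers requests with *no* credentials; a rejected token is always 401."""
    if auth_header is None:
        if anonymous_enabled:
            return 200, UserInfo("system:anonymous", groups=["system:unauthenticated"])
        return 401, None
    if not auth_header.startswith("Bearer "):
        return 401, None
    token = auth_header[len("Bearer "):].strip()
    for module in chain:
        info = module(token)
        if info is not None:
            # Every authenticated identity also gets the system:authenticated group.
            return 200, UserInfo(info.username, info.uid, info.groups + ["system:authenticated"])
    return 401, None

CHAIN = [
    static_token_authenticator(load_static_tokens(TOKEN_FILE)),
    bootstrap_token_authenticator(BOOTSTRAP_TOKENS),
    webhook_authenticator(demo_webhook_backend),
]
```

Calling authenticate("Bearer a1b2c3d4e5f6", CHAIN, anonymous_enabled=True) yields alice with her file groups plus system:authenticated, the bootstrap token abcdef.0123456789abcdef maps to system:bootstrap:abcdef, and a header with a token no module recognises returns 401 even though anonymous access is on; only a request with no Authorization header at all becomes system:anonymous. Each module returns None for tokens it does not recognise, which is why the order of the chain does not matter as long as no two modules accept the same token.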

To learn more about authentication, see the official Kubernetes Documentation.