
Accessing Kubernetes API using x509 certificate


I have created a private key and a certificate signed by the CA of the Kubernetes API server. I have configured the user, cluster and context in the ~/.kube/config file. Using this context, where the user has a client certificate and key, what is the process to make an API call to the Kubernetes API server using the client-go libraries?


Solution

  • In this documentation one can find the following excerpt:

    k8s.io/client-go and tools using it such as kubectl and kubelet are able to execute an external command to receive user credentials. (...)

    To authenticate against the API:

    • The user issues a kubectl command.
    • Credential plugin prompts the user for LDAP credentials, exchanges credentials with external service for a token.
    • Credential plugin returns token to client-go, which uses it as a bearer token against the API server.
    • API server uses the webhook token authenticator to submit a TokenReview to the external service.
    • External service verifies the signature on the token and returns the user's username and groups.

    See also: