I have created a private key and a certificate signed by the CA of the Kubernetes API server. I have configured the user, cluster and context in the ~/.kube/config
file. Using this context, where the user has a client certificate and key, what is the process to make an API call to the Kubernetes API server using the client-go libraries?
In this documentation one can find the following excerpt:
k8s.io/client-go and tools using it such as kubectl and kubelet are able to execute an external command to receive user credentials. (...)
To authenticate against the API:
- The user issues a kubectl command.
- Credential plugin prompts the user for LDAP credentials, exchanges credentials with external service for a token.
- Credential plugin returns token to client-go, which uses it as a bearer token against the API server.
- API server uses the webhook token authenticator to submit a TokenReview to the external service.
- External service verifies the signature on the token and returns the user's username and groups.
See also:
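The last two steps of the quoted flow, as an added example that is not part of the original answer or of the Kubernetes documentation: the external service checks the token's signature and answers with a TokenReview status carrying the username and groups. The HMAC token format and the names Issue, Review, sign and demoKey are assumptions made for illustration; only the TokenReview field names come from the authentication.k8s.io/v1 API.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type User struct { // authentication.k8s.io/v1 UserInfo fields used here
	Username string   `json:"username"`
	Groups   []string `json:"groups"`
}
type TokenReview struct { // response shape the webhook token authenticator reads
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Status     struct {
		Authenticated bool `json:"authenticated"`
		User          User `json:"user"`
	} `json:"status"`
}
var b64 = base64.RawURLEncoding
var demoKey = []byte("constructed-demo-key") // constructed; a real key is never hard-coded

func sign(key []byte, payload string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload))
	return b64.EncodeToString(m.Sum(nil))
}

// Issue mints the token the credential plugin receives (hypothetical token format).
func Issue(key []byte, u User) string {
	raw, _ := json.Marshal(u)
	return b64.EncodeToString(raw) + "." + sign(key, b64.EncodeToString(raw))
}

// Review is the external service's answer to the API server's TokenReview.
func Review(key []byte, bearer string) TokenReview {
	tr := TokenReview{APIVersion: "authentication.k8s.io/v1", Kind: "TokenReview"}
	p, sig, ok := strings.Cut(bearer, ".")
	raw, err := b64.DecodeString(p)
	if ok && err == nil && hmac.Equal([]byte(sig), []byte(sign(key, p))) {
		tr.Status.Authenticated = json.Unmarshal(raw, &tr.Status.User) == nil
	}
	return tr // on a bad signature: authenticated=false and an empty user
}
func main() { fmt.Printf("%+v\n", Review(demoKey, Issue(demoKey, User{"jane", []string{"developers"}}))) }
```

A token signed with any other key comes back with authenticated set to false and no identity, so the API server rejects the request instead of trusting the claims inside the token.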