Questions: Users in Kubernetes

Hello, Team!

I want to know how Kubernetes manages its users. The official documentation says that there is no API object for users.
But the admin can still create a rolebinding / clusterrolebinding for a user with the kubectl create rolebinding|clusterrolebinding --user command.
I found that there exist several methods to authenticate who the user is: client certificates, bearer tokens, an authenticating proxy, or HTTP basic auth.
Here are my questions:

Q1-1) Should the users in ~/.kube/config be authenticated via any of the authentication methods (client certificates, …)?

Q1-2) When I add jane to ~/.kube/config, should the users.name match the certificate’s /CN, or is the name in ~/.kube/config just a nickname? I tried kubectl get pods --as kubernetes-admin, where kubernetes-admin is in ~/.kube/config, but it returns an error (forbidden).

Q1-3) Is there any way to get all authenticated users? I tried kubectl get csr, but it did not show the kubernetes-admin from ~/.kube/config.

@adityasamant.learnin created a very useful blog post on how authentication works in Kubernetes. Perhaps he would be good enough to post the link here as I can’t remember it.

There is also this document that I wrote that explains the relationship between user names, CSRs and certificates.

This is the link to the blog post I created.

I’ve explained it in a video as well, which is available on YouTube.

Thanks @adityasamant.learnin !

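For Q1-2 above, an added example that is not part of the original thread: with client-certificate authentication the API server takes the username from the certificate's CN and the groups from its O fields, while users[].name in ~/.kube/config is only a local label. The script below reads the certificate embedded in a kubeconfig entry and prints the identity the server will see. The function names, the entry name laptop-nickname and the jane/dev certificate are constructed for illustration, and openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example. With client-certificate authentication the API server takes
# the username from the certificate's CN and the groups from its O fields;
# users[].name in kubeconfig is only a local label.

# cert_subject KUBECONFIG ENTRY: RFC 2253 subject of that entry's embedded cert.
# Assumes kubectl's layout ("- name: X" followed by client-certificate-data).
cert_subject() {
    awk -v want="$2" '
        /^users:/ { in_users = 1; next }
        in_users && /^[^ -]/ { in_users = 0 }    # next top-level key
        in_users && $1 == "-" && $2 == "name:" { hit = ($3 == want) }
        in_users && hit && $1 == "client-certificate-data:" { print $2; exit }
    ' "$1" | base64 -d | openssl x509 -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//'
}

# Identity derived from the certificate (values with escaped commas not handled).
api_username() { cert_subject "$1" "$2" | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1; }
api_groups() { cert_subject "$1" "$2" | tr ',' '\n' | sed -n 's/^O=//p' | sort | paste -sd, -; }

# Constructed sample: a self-signed cert for CN=jane, O=dev stored under the
# entry name "laptop-nickname" (a real cluster cert is signed by the cluster CA).
make_demo_kubeconfig() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=jane/O=dev" \
        -keyout "$1/jane.key" -out "$1/jane.crt" 2>/dev/null
    cat > "$1/config" <<EOF
apiVersion: v1
kind: Config
users:
- name: laptop-nickname
  user:
    client-certificate-data: $(base64 < "$1/jane.crt" | tr -d '\n')
EOF
}

# Demo run: the entry name and the authenticated username differ.
tmp=$(mktemp -d) && make_demo_kubeconfig "$tmp"
echo "entry: laptop-nickname"
echo "API username: $(api_username "$tmp/config" laptop-nickname)"
echo "API groups:   $(api_groups "$tmp/config" laptop-nickname)"
rm -rf "$tmp"
```

Running api_username and api_groups against a real ~/.kube/config entry shows which user and group names a rolebinding or clusterrolebinding has to reference.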