Configuring Authentication to a Kubernetes Cluster

For testing and learning purposes, you might decide to start the
API server with the option 
--insecure-bind-address=0.0.0.0
,
which will bind the so-called 
localhost port
to all your network
interfaces, including the public IP address of your Kubernetes mas‐
ter node. This is handy, as you can reach your cluster at 
http://
:8080
unauthenticated, but it will be totally
insecure.
By default, Kubernetes will expose read-only access on port 7080
on all interfaces. If your firewall opens 7080 to the world, you will
offer an unauthenticated view to your cluster. However, this should
change prior to Kubernetes v1.0.
Discussion
The format used for the basic authentication and the token-based authentication are
straightforward CSV files. The 
documentation
also points to the 
code
. Keeping an eye
on these authentication plug-ins will prove useful as authentication mechanisms get
deprecated and changes occur. Currently features like expiration of tokens and pass‐
word reset are not implemented.
For example, create the following file for basic authentication in 
/tmp/auth
. It follows
the convention 
password,username,useruid
:
foobar,admin,1000
Start your API server by using hyperkube (see 
Recipe 5.11
) and the following options:
$ hyperkube apiserver --portal_net=10.0.0.1/24
--etcd_servers=http://127.0.0.1:4001
--cluster_name=kubernetes
--basic_auth_file=/tmp/auth
--v=2
The default options will be used. HTTPS will be served on port 6443, read-only
access will be available on port 7080, and the localhost port will bind only to local‐
host. If you do not open your firewall for port 7080, your Kubernetes cluster will be
available only over HTTPS with basic authentication.
Basic authentication will be deprecated in favor of token- and
client-based authentication mechanisms. This is available currently
as a convenience. The read-only access will also be removed in a
future release.

Download 6,31 Mb.

Do'stlaringiz bilan baham: