User Management

User Management in Kubernetes

As the Kubernetes Authentication documentation states, Kubernetes itself has no user management feature: there is no User API object and no stored user records. Instead, it supports a range of authentication plug-ins (X.509 client certificates, OpenID Connect, webhook token authentication, and so on). These plug-ins can be connected to an external user management system and combined with RBAC to implement access control.

You can also create and manage limited users with a Certificate Signing Request (CSR) or a ServiceAccount, as described below.

Certificate Signing Request (CSR)

Kubernetes offers the certificates.k8s.io API, which allows you to configure TLS certificates signed by a certificate authority (CA) that you control. Workloads can use these CAs and certificates to establish trust.

The Kubernetes controller manager provides a default signer implementation. To enable it, pass the --cluster-signing-cert-file and --cluster-signing-key-file parameters to the controller manager, pointing them at the certificate authority's key pair.

Assuming the admin kubeconfig is already configured for kubectl, the following steps create a new user configuration using openssl and a CSR.

1. Create the client key and certificate request
2. Sign the client certificate
3. Set up RBAC Roles
4. Bind the roles to the user
5. Set up kubectl
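The five steps as one runnable script. This is an added example, not code from the original page: it signs through the certificates.k8s.io API (kubectl certificate approve) rather than with openssl and the CA key directly, and assumes kubectl and openssl are installed, that the current kubeconfig context has admin rights, and that the controller manager signer described above is enabled; alice, developers and dev are placeholder names.

```shell
#!/bin/sh
# Added example: a kubectl user backed by a client certificate signed through the
# certificates.k8s.io API. Assumes kubectl + openssl; alice/developers/dev are placeholders.
set -eu
# Step 1: private key and CSR. CN becomes the username and O the group RBAC sees.
gen_key_and_csr() {            # $1=user $2=group $3=output dir
  openssl genrsa -out "$3/$1.key" 2048 2>/dev/null
  openssl req -new -key "$3/$1.key" -out "$3/$1.csr" -subj "/CN=$1/O=$2"
}

# Step 2: wrap the PEM CSR in a CertificateSigningRequest. request is single-line
# base64; the kube-apiserver-client signer limits the cert to client auth, and
# expirationSeconds keeps the credential short-lived.
csr_manifest() {               # $1=user $2=path to PEM CSR
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  request: $(base64 < "$2" | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400
  usages:
  - client auth
EOF
}

# Steps 2-5: submit and approve, fetch the signed cert, grant a read-only Role,
# bind it to the user, add a kubectl context, then verify with an RBAC check.
create_cert_user() {           # $1=user $2=group $3=namespace
  dir=$(mktemp -d)
  gen_key_and_csr "$1" "$2" "$dir"
  csr_manifest "$1" "$dir/$1.csr" | kubectl apply -f -
  kubectl certificate approve "$1"
  # The signer is asynchronous: wait until status.certificate is populated.
  until kubectl get csr "$1" -o jsonpath='{.status.certificate}' | grep -q .; do sleep 1; done
  kubectl get csr "$1" -o jsonpath='{.status.certificate}' | base64 -d > "$dir/$1.crt"
  kubectl create role "$1-pod-reader" --verb=get,list,watch --resource=pods -n "$3"
  kubectl create rolebinding "$1-pod-reader" --role="$1-pod-reader" --user="$1" -n "$3"
  cluster=$(kubectl config view -o jsonpath='{.clusters[0].name}')
  kubectl config set-credentials "$1" --client-key="$dir/$1.key" \
    --client-certificate="$dir/$1.crt" --embed-certs=true
  kubectl config set-context "$1" --cluster="$cluster" --user="$1" --namespace="$3"
  kubectl auth can-i list pods --as="$1" -n "$3"      # must succeed
  ! kubectl auth can-i delete pods --as="$1" -n "$3"  # must be denied
}
case "${1:-}" in
  create) create_cert_user "$2" "${3:-developers}" "${4:-dev}" ;;
  *) echo "usage: $0 create <user> [group] [namespace]" >&2 ;;
esac
```

Run it as `sh create-cert-user.sh create alice developers dev`, then `kubectl --context alice get pods` to use the new identity.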

ServiceAccount

Kubernetes creates a default ServiceAccount in every namespace, and the credentials of a Pod's ServiceAccount (the token, the cluster CA certificate and the namespace) are automatically mounted at /var/run/secrets/kubernetes.io/serviceaccount inside its containers.

When authenticating, a ServiceAccount has the username system:serviceaccount:(NAMESPACE):(SERVICEACCOUNT) and belongs to two groups: system:serviceaccounts and system:serviceaccounts:(NAMESPACE).

Accessing the API from Inside a Pod

From within a Pod, the API is reached by presenting the mounted ServiceAccount token as a bearer credential and using the mounted CA certificate to verify the API server's TLS certificate.
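An added example (not from the original page) of what a process inside a Pod does with the mounted credentials: it decodes the token's claims to show the system:serviceaccount identity the API server will authenticate, then calls the API with the mounted CA pinned. It assumes the default mount path and the KUBERNETES_SERVICE_HOST/KUBERNETES_SERVICE_PORT variables injected into Pods; the sample token is constructed so the claim-decoding part also runs outside a cluster.

```shell
#!/bin/sh
# Added example: call the API from inside a Pod with the mounted SA credentials.
set -eu
SA_DIR=${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}

# base64url -> text (JWT segments omit '=' padding and use -_ instead of +/).
b64url_decode() {              # $1=base64url string
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | base64 -d
}

# Print the token's claims. This is not a signature check (only the API server
# verifies the token); it just shows the identity RBAC will evaluate (sub, aud, exp).
jwt_claims() {                 # $1=JWT
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# GET an API path with the bearer token. --cacert pins the cluster CA from the
# mount, so the request fails closed instead of talking to an impostor API server.
api_get() {                    # $1=path, e.g. /api/v1/namespaces/dev/pods
  curl -sS --fail --cacert "$SA_DIR/ca.crt" \
    -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
    "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}$1"
}

# Constructed, unsigned sample token (alg none, fake signature) for offline use.
b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }
SAMPLE_TOKEN="$(printf '%s' '{"alg":"none"}' | b64url).$(printf '%s' \
  '{"sub":"system:serviceaccount:dev:builder","aud":["https://kubernetes.default.svc"]}' | b64url).sig"

if [ -r "$SA_DIR/token" ]; then          # inside a Pod: inspect, then query
  jwt_claims "$(cat "$SA_DIR/token")"; echo
  api_get "/api/v1/namespaces/$(cat "$SA_DIR/namespace")/pods"
else                                     # outside a Pod: decode the sample only
  jwt_claims "$SAMPLE_TOKEN"; echo
fi
```

Listing pods only succeeds if a Role granting list on pods is bound to the ServiceAccount; otherwise the API server answers 403 and curl --fail exits non-zero.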

Accessing the API with kubectl

Assuming the admin kubeconfig is already configured for kubectl, the following steps create a new user configuration using a ServiceAccount.

1. Create the ServiceAccount
2. Get the secret and token
3. Set up RBAC Roles
4. Bind the ServiceAccount to the role
5. Set up kubectl
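The same five steps as a script; this is an added example, not code from the original page. It assumes kubectl with admin rights against a cluster where `kubectl create token` (the TokenRequest API, v1.24 and later) is available, so step 2 mints a short-lived token instead of reading an auto-generated Secret; builder and dev are placeholder names.

```shell
#!/bin/sh
# Added example: give kubectl a ServiceAccount identity. Assumes kubectl (v1.24+,
# for `kubectl create token`); builder/dev are placeholder names.
set -eu

# The RBAC subject for a ServiceAccount is kind ServiceAccount plus namespace; the
# API server maps it to the user system:serviceaccount:<ns>:<name> described above.
rbac_manifest() {              # $1=sa name $2=namespace
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: $1-pod-reader, namespace: $2}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: $1-pod-reader, namespace: $2}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: $1-pod-reader}
subjects:
- kind: ServiceAccount
  name: $1
  namespace: $2
EOF
}
sa_username() { printf 'system:serviceaccount:%s:%s' "$2" "$1"; }   # $1=sa $2=ns

# Steps 1-5: create the SA, grant and bind the Role, mint a short-lived token
# (no long-lived Secret is stored), add a kubectl context, then verify with RBAC.
create_sa_user() {             # $1=sa name $2=namespace
  kubectl create serviceaccount "$1" -n "$2"
  rbac_manifest "$1" "$2" | kubectl apply -f -
  token=$(kubectl create token "$1" -n "$2" --duration=1h)
  cluster=$(kubectl config view -o jsonpath='{.clusters[0].name}')
  kubectl config set-credentials "sa-$1" --token="$token"
  kubectl config set-context "sa-$1" --cluster="$cluster" --user="sa-$1" --namespace="$2"
  # Check the binding resolved to the expected identity before handing it out.
  kubectl auth can-i list pods --as="$(sa_username "$1" "$2")" -n "$2"      # must succeed
  ! kubectl auth can-i create pods --as="$(sa_username "$1" "$2")" -n "$2"  # must be denied
}

case "${1:-}" in
  create) create_sa_user "$2" "${3:-dev}" ;;
  *) echo "usage: $0 create <serviceaccount> [namespace]" >&2 ;;
esac
```

On clusters older than v1.24 the token is instead read from the Secret that Kubernetes auto-created for the ServiceAccount; the rest of the script is unchanged.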

