K
Q

Unable to authenticate user in Kubernetes using x509 certs

3/19/2018

I am using the following version:

Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.1", GitCommit:"3a1c9449a956b6026f075fa3134ff92f7d55f812", GitTreeState:"clean", BuildDate:"2018-01-04T11:52:23Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.1", GitCommit:"3a1c9449a956b6026f075fa3134ff92f7d55f812", GitTreeState:"clean", BuildDate:"2018-01-04T11:40:06Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}

Here, I am trying to authenticate a user that makes use of x509 certs using the below custom scrip that I created looking into few online forums and kubernetes docs.

#!/bin/bash

cluster=test-operations-k8
namespace=demo
username=jack


openssl genrsa -out $username.pem 2048


openssl req -new -key $username.pem -out $username.csr -subj "/CN=$username"



cat <<EOF | kubectl create -n $namespace -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: user-request-$username
spec:
  groups:
  - system:authenticated
  request: $(cat $username.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF



kubectl certificate approve user-request-$username


kubectl get csr user-request-$username -o jsonpath='{.status.certificate}' | base64 -d > $username.crt

kubectl --kubeconfig ~/.kube/config-$username config set-cluster $cluster --insecure-skip-tls-verify=true --server=https://$cluster.eastus.cloudapp.azure.com
kubectl --kubeconfig ~/.kube/config-$username config set-credentials $username --client-certificate=$username.crt --client-key=$username.pem --embed-certs=true
kubectl --kubeconfig ~/.kube/config-$username config set-context $cluster --cluster=$cluster --user=$username
kubectl --kubeconfig ~/.kube/config-$username config use-context $cluster

echo "Config file for $username has been created successfully !"

But while getting resources I get the below error:

error: You must be logged in to the server (Unauthorized)

Can someone please advise what needs to be done to fix this issue ?

Also please note the appropriate roles and rolebindings have also been created which I have not listed out here.

-- Ajov Crowe
authentication
kubernetes
x509certificate

Similar Questions

Can't connect to Spark running in Kubernetes from Java
Two mariadb instance using same persistent storage in docker
kubernetes - resource limits exceeded
Kubernetes master replicate

1 Answer

3/19/2018

Make sure the CA used to sign the CSRs (the --cluster-signing-cert-file file given to kube-controller-manager) is in the --client-ca-file bundle given to kube-apiserver (which is what authenticates client certs presented to the apiserver)

Also ensure the certificate requested is a client certificate (has client auth in the usages field)

-- Jordan Liggitt
Source: StackOverflow