Adding authentication proxy in front of kubernetes

11/16/2018

I'm adding a proxy in front of the Kubernetes API in order to authenticate users (among other actions) with a homemade authentication system.

I've modified my kube configuration to have kubectl hitting the proxy. The proxy has its own kubeconfig with a valid certificate-authority-data, so I don't need any credentials on my side.

So far this is working fine, here is the minimum configuration I need locally:

clusters:
- cluster:
    server: http://localhost:8080
  name: proxy
contexts:
- context:
    cluster: proxy
  name: proxy
current-context: proxy

Now the authentication should be based on a token, that I hoped I would be able to pass as part of the kubectl request header.

I tried multiple configurations, adding a user with a token in the kubeconfig such as:

clusters:
- cluster:
    server: http://localhost:8080
  name: proxy

contexts:
- context:
    cluster: proxy
    user: robin
  name: proxy
current-context: proxy

users:
- name: robin
  user:
    token: my-token

Or specifying an auth-provider such as:

clusters:
- cluster:
    server: http://localhost:8080
  name: proxy

contexts:
- context:
    cluster: proxy
    user: robin
  name: proxy
current-context: proxy

users:
- name: robin
  user:
    auth-provider:
      config:
        access-token: my-token

I even tried without any user, just by adding my token as part of the preferences, as all I want is to have the token in the header:

clusters:
- cluster:
    server: http://localhost:8080
  name: proxy

contexts:
- context:
    cluster: proxy
  name: proxy
current-context: proxy

preferences:
  token: my-token

But I was never able to see my-token as part of the request header on the proxy side. Dumping the request, all I got is:

GET /api/v1/namespaces/default/pods?limit=500 HTTP/1.1
Host: localhost:8080
Accept: application/json;as=Table;v=v1beta1;g=meta.k8s.io, application/json
Accept-Encoding: gzip
User-Agent: kubectl/v1.11.0 (darwin/amd64) kubernetes/91e7b4f

I am obviously missing something here. How can kubectl not pass the user information in its header? Let's say I do not have a proxy, how is the "kubectl -> kubernetes" token authentication working?

If someone has any experience adding this kind of authentication layer between kubernetes and a client, I could use some help :)

-- Charrette
kubectl
kubernetes
proxy

1 Answer

11/17/2018

Token credentials are only sent over TLS-secured connections. The server must be https://...

-- Jordan Liggitt
Source: StackOverflow
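
The proxy side of the answer above, as an added example that is not part of the original question or answer: a Go handler that refuses plaintext requests, validates the `Authorization: Bearer` token in constant time, and strips it before forwarding. The names `authProxy` and `probe` are hypothetical, the upstream is a stub, and the token value `my-token` is taken from the question.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// authProxy (hypothetical name) rejects plain HTTP, checks the bearer token, then forwards.
func authProxy(validToken string, upstream http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil { // plaintext listener: a token must never travel here
			http.Error(w, "TLS required", http.StatusForbidden)
			return
		}
		scheme, tok, _ := strings.Cut(r.Header.Get("Authorization"), " ")
		if !strings.EqualFold(scheme, "Bearer") ||
			subtle.ConstantTimeCompare([]byte(tok), []byte(validToken)) != 1 {
			w.Header().Set("WWW-Authenticate", "Bearer")
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Header.Del("Authorization") // the proxy uses its own credentials upstream
		upstream.ServeHTTP(w, r)
	})
}

// probe runs the proxy on an HTTP or HTTPS test listener and returns the status for one request.
func probe(useTLS bool, token string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") })
	srv := httptest.NewUnstartedServer(authProxy("my-token", ok)) // constructed test server
	if useTLS {
		srv.StartTLS()
	} else {
		srv.Start()
	}
	defer srv.Close()
	req, _ := http.NewRequest("GET", srv.URL+"/api/v1/namespaces/default/pods", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := srv.Client().Do(req)
	if err != nil {
		return 0
	}
	defer resp.Body.Close()
	return resp.StatusCode
}

func main() { fmt.Println(probe(false, "my-token"), probe(true, "wrong"), probe(true, "my-token")) }
```

With the proxy listening on HTTPS, the kubeconfig `server:` entry becomes `https://...` and the cluster entry needs the proxy's CA in `certificate-authority-data`.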