I need to implement a custom authentication and authorisation module for Kubernetes. This is going to have to be done via a web hook.
The documentation for the authentication and authorisation webhooks describes a config file that the API Server needs to be started with.
The config file is identical for both authentication and authorisation and looks like this (the `user:` in the context originally read `name-of-api-sever`, which does not match the `users` entry; corrected here so the context resolves):

```yaml
# clusters refers to the remote service.
clusters:
  - name: name-of-remote-authn-service
    cluster:
      certificate-authority: /path/to/ca.pem        # CA for verifying the remote service.
      server: https://authn.example.com/authenticate # URL of remote service to query. Must use 'https'.

# users refers to the API server's webhook configuration.
users:
  - name: name-of-api-server
    user:
      client-certificate: /path/to/cert.pem # cert for the webhook plugin to use
      client-key: /path/to/key.pem          # key matching the cert

# kubeconfig files require a context. Provide one for the API server.
current-context: webhook
contexts:
  - context:
      cluster: name-of-remote-authn-service
      user: name-of-api-server
    name: webhook
```
I can see that the `clusters` section refers to the remote service, i.e. it's defining the webhook, thereby answering the question the API Server needs to have answered: "what is the URL endpoint to hit when an authn/authz decision is required, and when I connect via HTTPS, who is the CA authority for the webhook's TLS certificate so that I know I can trust the remote webhook?"
I'm not sure of the `users` section. What is the purpose of the `client-certificate` and `client-key` fields? The comment in the file says "cert for the webhook plugin to use", but as this config file is given to the API Server, not the webhook, I don't understand what this means. Is this a certificate that will allow the webhook service to authenticate the connection that the API Server will initiate with it? i.e. the client certificate needs to go into the truststore of the webhook server?
Are both of these assumptions correct?
The Kubernetes webhook uses two-way SSL authentication, so the fields in the `users` section are used to configure the certificates for the "client side's authentication". The `clusters` section configuration just works as normal one-way SSL authentication, in which the server (here, your webhook module) will validate the client's (here, Kubernetes) request with the configured certificate. As long as you have configured certificates in the `users` section, the client (Kubernetes) has the ability to validate the server's (webhook module) response, acting like a reverse CA authentication of one-way SSL.