|
| 1 | +--- |
| 2 | +title: Hardening Guide - Authentication Mechanisms |
| 3 | +description: > |
| 4 | + Information on authentication options in Kubernetes and their security properties. |
| 5 | +content_type: concept |
| 6 | +weight: 90 |
| 7 | +--- |
| 8 | + |
| 9 | +<!-- overview --> |
| 10 | + |
| 11 | +Selecting the appropriate authentication mechanism(s) is a crucial aspect of securing your cluster. |
| 12 | +Kubernetes provides several built-in mechanisms, each with its own strengths and weaknesses that |
| 13 | +should be carefully considered when choosing the best authentication mechanism for your cluster. |
| 14 | + |
| 15 | +In general, it is recommended to enable as few authentication mechanisms as possible to simplify |
| 16 | +user management and prevent cases where users retain access to a cluster that is no longer required. |
| 17 | + |
| 18 | +It is important to note that Kubernetes does not have an in-built user database within the cluster. |
| 19 | +Instead, it takes user information from the configured authentication system and uses that to make |
| 20 | +authorization decisions. Therefore, to audit user access, you need to review credentials from every |
| 21 | +configured authentication source. |
| 22 | + |
| 23 | +For production clusters with multiple users directly accessing the Kubernetes API, it is |
| 24 | +recommended to use external authentication sources such as OIDC. The internal authentication |
| 25 | +mechanisms, such as client certificates and service account tokens, described below, are not |
| 26 | +suitable for this use-case. |
| 27 | + |
| 28 | +<!-- body --> |
| 29 | + |
| 30 | +## X.509 client certificate authentication {#x509-client-certificate-authentication} |
| 31 | + |
| 32 | +Kubernetes leverages [X.509 client certificate](/docs/reference/access-authn-authz/authentication/#x509-client-certs) |
| 33 | +authentication for system components, such as when the Kubelet authenticates to the API Server. |
| 34 | +While this mechanism can also be used for user authentication, it might not be suitable for |
| 35 | +production use due to several restrictions: |
| 36 | + |
| 37 | +- Client certificates cannot be individually revoked. Once compromised, a certificate can be used |
| 38 | + by an attacker until it expires. To mitigate this risk, it is recommended to configure short |
| 39 | + lifetimes for user authentication credentials created using client certificates. |
| 40 | +- If a certificate needs to be invalidated, the certificate authority must be re-keyed, which |
| 41 | +can introduce availability risks to the cluster. |
| 42 | +- There is no permanent record of client certificates created in the cluster. Therefore, all |
| 43 | +issued certificates must be recorded if you need to keep track of them. |
| 44 | +- Private keys used for client certificate authentication cannot be password-protected. Anyone |
| 45 | +who can read the file containing the key will be able to make use of it. |
| 46 | +- Using client certificate authentication requires a direct connection from the client to the |
| 47 | +API server with no intervening TLS termination points, which can complicate network architectures. |
| 48 | +- Group data is embedded in the `O` value of the client certificate, which means the user's group |
| 49 | +memberships cannot be changed for the lifetime of the certificate. |
| 50 | + |
| 51 | +## Static token file {#static-token-file} |
| 52 | + |
| 53 | +Although Kubernetes allows you to load credentials from a |
| 54 | +[static token file](/docs/reference/access-authn-authz/authentication/#static-token-file) located |
| 55 | +on the control plane node disks, this approach is not recommended for production servers due to |
| 56 | +several reasons: |
| 57 | + |
| 58 | +- Credentials are stored in clear text on control plane node disks, which can be a security risk. |
| 59 | +- Changing any credential requires a restart of the API server process to take effect, which can |
| 60 | +impact availability. |
| 61 | +- There is no mechanism available to allow users to rotate their credentials. To rotate a |
| 62 | +credential, a cluster administrator must modify the token on disk and distribute it to the users. |
| 63 | +- There is no lockout mechanism available to prevent brute-force attacks. |
| 64 | + |
| 65 | +## Bootstrap tokens {#bootstrap-tokens} |
| 66 | + |
| 67 | +[Bootstrap tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) are used for joining |
| 68 | +nodes to clusters and are not recommended for user authentication due to several reasons: |
| 69 | + |
| 70 | +- They have hard-coded group memberships that are not suitable for general use, making them |
| 71 | +unsuitable for authentication purposes. |
| 72 | +- Manually generating bootstrap tokens can lead to weak tokens that can be guessed by an attacker, |
| 73 | +which can be a security risk. |
| 74 | +- There is no lockout mechanism available to prevent brute-force attacks, making it easier for |
| 75 | +attackers to guess or crack the token. |
| 76 | + |
| 77 | +## ServiceAccount secret tokens {#serviceaccount-secret-tokens} |
| 78 | + |
| 79 | +[Service account secrets](/docs/reference/access-authn-authz/service-accounts-admin/#manual-secret-management-for-serviceaccounts) |
| 80 | +are available as an option to allow workloads running in the cluster to authenticate to the |
| 81 | +API server. In Kubernetes < 1.23, these were the default option, however, they are being replaced |
| 82 | +with TokenRequest API tokens. While these secrets could be used for user authentication, they are |
| 83 | +generally unsuitable for a number of reasons: |
| 84 | + |
| 85 | +- They cannot be set with an expiry and will remain valid until the associated service account is deleted. |
| 86 | +- The authentication tokens are visible to any cluster user who can read secrets in the namespace |
| 87 | +that they are defined in. |
| 88 | +- Service accounts cannot be added to arbitrary groups complicating RBAC management where they are used. |
| 89 | + |
| 90 | +## TokenRequest API tokens {#tokenrequest-api-tokens} |
| 91 | + |
| 92 | +The TokenRequest API is a useful tool for generating short-lived credentials for service |
| 93 | +authentication to the API server or third-party systems. However, it is not generally recommended |
| 94 | +for user authentication as there is no revocation method available, and distributing credentials |
| 95 | +to users in a secure manner can be challenging. |
| 96 | + |
| 97 | +When using TokenRequest tokens for service authentication, it is recommended to implement a short |
| 98 | +lifespan to reduce the impact of compromised tokens. |
| 99 | + |
| 100 | +## OpenID Connect token authentication {#openid-connect-token-authentication} |
| 101 | + |
| 102 | +Kubernetes supports integrating external authentication services with the Kubernetes API using |
| 103 | +[OpenID Connect (OIDC)](/docs/reference/access-authn-authz/authentication/#openid-connect-tokens). |
| 104 | +There is a wide variety of software that can be used to integrate Kubernetes with an identity |
| 105 | +provider. However, when using OIDC authentication for Kubernetes, it is important to consider the |
| 106 | +following hardening measures: |
| 107 | + |
| 108 | +- The software installed in the cluster to support OIDC authentication should be isolated from |
| 109 | +general workloads as it will run with high privileges. |
| 110 | +- Some Kubernetes managed services are limited in the OIDC providers that can be used. |
| 111 | +- As with TokenRequest tokens, OIDC tokens should have a short lifespan to reduce the impact of |
| 112 | +compromised tokens. |
| 113 | + |
| 114 | +## Webhook token authentication {#webhook-token-authentication} |
| 115 | + |
| 116 | +[Webhook token authentication](/docs/reference/access-authn-authz/authentication/#webhook-token-authentication) |
| 117 | +is another option for integrating external authentication providers into Kubernetes. This mechanism |
| 118 | +allows for an authentication service, either running inside the cluster or externally, to be |
| 119 | +contacted for an authentication decision over a webhook. It is important to note that the suitability |
| 120 | +of this mechanism will likely depend on the software used for the authentication service, and there |
| 121 | +are some Kubernetes-specific considerations to take into account. |
| 122 | + |
| 123 | +To configure Webhook authentication, access to control plane server filesystems is required. This |
| 124 | +means that it will not be possible with Managed Kubernetes unless the provider specifically makes it |
| 125 | +available. Additionally, any software installed in the cluster to support this access should be |
| 126 | +isolated from general workloads, as it will run with high privileges. |
| 127 | + |
| 128 | +## Authenticating proxy {#authenticating-proxy} |
| 129 | + |
| 130 | +Another option for integrating external authentication systems into Kubernetes is to use an |
| 131 | +[authenticating proxy](/docs/reference/access-authn-authz/authentication/#authenticating-proxy). |
| 132 | +With this mechanism, Kubernetes expects to receive requests from the proxy with specific header |
| 133 | +values set, indicating the username and group memberships to assign for authorization purposes. |
| 134 | +It is important to note that there are specific considerations to take into account when using |
| 135 | +this mechanism. |
| 136 | + |
| 137 | +Firstly, securely configured TLS must be used between the proxy and Kubernetes API server to |
| 138 | +mitigate the risk of traffic interception or sniffing attacks. This ensures that the communication |
| 139 | +between the proxy and Kubernetes API server is secure. |
| 140 | + |
| 141 | +Secondly, it is important to be aware that an attacker who is able to modify the headers of the |
| 142 | +request may be able to gain unauthorized access to Kubernetes resources. As such, it is important |
| 143 | +to ensure that the headers are properly secured and cannot be tampered with. |
0 commit comments