Identity Management and Authentication
Kubernetes establishes the identity behind every API request before RBAC (or any other authorizer) decides what that identity may do. Unlike authorization, which the API server evaluates itself, authentication of human users is delegated: Kubernetes has no user object or password store, and the API server only verifies credentials issued elsewhere, such as certificates from a trusted CA, ID tokens from an OpenID Connect provider, or headers from an authenticating proxy. Understanding the available mechanisms helps architects choose an identity management strategy that fits their organization.
X.509 client certificates provide basic authentication suitable for small deployments. The API server accepts any certificate that chains to the CA bundle given by --client-ca-file and is valid for client authentication; the certificate's common name (CN) becomes the username and its organization (O) values become groups. While simple to set up, certificate lifecycle management becomes complex at scale, and revocation is effectively unavailable: the API server consults neither CRLs nor OCSP, so an issued certificate remains valid until it expires or the CA that signed it is removed from the bundle. Keep certificate lifetimes short, and never issue a certificate with O=system:masters, a group the RBAC authorizer treats as a superuser regardless of bindings.
OpenID Connect (OIDC) integration lets the cluster trust an enterprise identity provider. Popular providers such as Azure AD (Entra ID), Google, Okta and Keycloak support OIDC. The user obtains an ID token from the provider and presents it as a bearer token; the API server validates the token's signature against the issuer's published signing keys, checks the issuer, audience and expiry, and maps the configured claims to a username and groups. This provides single sign-on, multi-factor authentication and centralized user management, and RBAC bindings can target enterprise directory groups directly. The API server only contacts the provider to fetch its discovery document and keys, not per request, so a token stays valid until it expires; keep ID token lifetimes short and let kubectl refresh them.
```yaml
# API server configuration for OIDC authentication (kubeadm)
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
apiServer:
  extraArgs:
    oidc-issuer-url: "https://login.company.com"
    oidc-client-id: "kubernetes"
    oidc-username-claim: "email"
    oidc-groups-claim: "groups"
    # Prefixes keep provider identities from colliding with built-in system: users and groups
    oidc-groups-prefix: "oidc:"
    oidc-username-prefix: "oidc:"
    # Optional: CA certificate for the OIDC provider if it is not publicly trusted
    # (the file must also be mounted into the kube-apiserver pod via apiServer.extraVolumes)
    oidc-ca-file: "/etc/kubernetes/pki/oidc-ca.crt"
    # Optional: an extra claim the token must carry, for additional validation
    oidc-required-claim: "aud=kubernetes"
---
# Example RBAC binding for OIDC groups
# Binding cluster-admin to a directory group makes membership in that group, as managed
# in the identity provider, equivalent to full cluster control; keep such groups small.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: Group
  name: "oidc:kubernetes-admins"
  apiGroup: rbac.authorization.k8s.io
---
# Service account mapped to a cloud IAM identity (workload identity); the cloud provider
# trusts the cluster's service account token issuer. Use the annotation for your provider.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: workload-identity
  namespace: production
  annotations:
    # GKE Workload Identity
    iam.gke.io/gcp-service-account: "[email protected]"
    # EKS IRSA
    eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/app-role"
```
Service account authentication handles pod-to-API server communication. Each pod that does not opt out with automountServiceAccountToken: false receives a token for its service account through a projected volume. Since Kubernetes 1.22 these are bound tokens: the kubelet obtains them from the TokenRequest API with a specific audience and a limited lifetime, rotates them before expiry, and the token is bound to the pod object, so it stops working when the pod is deleted and cannot be replayed against a different audience. Long-lived token Secrets are no longer created automatically since 1.24. These improvements reduce the impact of token theft and are what workload identity in cloud environments builds on: the cloud IAM service trusts the cluster's token issuer and exchanges a pod's audience-bound token for cloud credentials.
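The following added example (written for this page; it is not the API server's code and simplifies it, for instance signing keys are held in memory instead of being fetched from the issuer's JWKS endpoint, and only RS256 is accepted) models in Go what the OIDC authenticator configured above and the bound service-account token authenticator share: signature, issuer, audience and expiry checks, then mapping of the configured claims to a prefixed username and groups. It mints its own sample tokens with throwaway keys. The issuer URLs, client ID, claim names and prefixes come from the configuration above; the user alice@company.com, the groups, the `vault` audience and the pod's service account name are constructed for the demonstration.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"slices"
	"strings"
	"time"
)

// TokenConfig mirrors the kube-apiserver flags these checks depend on (--oidc-*, --service-account-issuer, --api-audiences).
type TokenConfig struct {
	Issuer, Audience, UsernameClaim, GroupsClaim, Prefix string
}

// signRS256 mints a JWT the way an issuer would; it exists only to build sample tokens.
func signRS256(claims map[string]any, key *rsa.PrivateKey) string {
	payload, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]) // fails only if the RNG does
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// stringList normalises claims that may be a bare string or an array ("aud", "groups").
func stringList(v any) (out []string) {
	if s, ok := v.(string); ok {
		return []string{s}
	}
	arr, _ := v.([]any)
	for _, e := range arr {
		if s, ok := e.(string); ok {
			out = append(out, s)
		}
	}
	return out
}

// Authenticate applies the API server's checks in order (algorithm, signature, issuer, audience,
// expiry) and then maps the configured claims to a prefixed Kubernetes user name and groups.
func Authenticate(token string, pub *rsa.PublicKey, cfg TokenConfig, now time.Time) (string, []string, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := base64.RawURLEncoding.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return "", nil, fmt.Errorf("malformed token or unsupported alg") // never accept alg=none or an HMAC alg with an RSA key
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2])
	if digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])); rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", nil, fmt.Errorf("signature verification failed")
	}
	var claims map[string]any
	if pb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &claims) != nil {
		return "", nil, fmt.Errorf("malformed payload")
	}
	if iss, _ := claims["iss"].(string); iss != cfg.Issuer || !slices.Contains(stringList(claims["aud"]), cfg.Audience) {
		return "", nil, fmt.Errorf("token not issued by %s for audience %s", cfg.Issuer, cfg.Audience)
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return "", nil, fmt.Errorf("token expired or has no exp")
	}
	name, _ := claims[cfg.UsernameClaim].(string)
	if name == "" {
		return "", nil, fmt.Errorf("username claim %q missing", cfg.UsernameClaim)
	}
	var groups []string
	for _, g := range stringList(claims[cfg.GroupsClaim]) {
		groups = append(groups, cfg.Prefix+g)
	}
	return cfg.Prefix + name, groups, nil
}

// RunDemo mints sample tokens with throwaway keys (no real provider or cluster) and authenticates each; one summary line per scenario.
func RunDemo() map[string]string {
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048)     // the identity provider's signing key
	clusterKey, _ := rsa.GenerateKey(rand.Reader, 2048) // --service-account-signing-key-file
	now := time.Now()
	oidc := TokenConfig{Issuer: "https://login.company.com", Audience: "kubernetes", UsernameClaim: "email", GroupsClaim: "groups", Prefix: "oidc:"}
	sa := TokenConfig{Issuer: "https://kubernetes.default.svc", Audience: "https://kubernetes.default.svc", UsernameClaim: "sub"}
	alice := map[string]any{"iss": oidc.Issuer, "aud": "kubernetes", "email": "alice@company.com", "groups": []string{"kubernetes-admins", "developers"}, "exp": now.Add(time.Hour).Unix()}
	pod := func(aud string, exp time.Time) map[string]any { // a projected, audience-bound service-account token
		return map[string]any{"iss": sa.Issuer, "aud": []string{aud}, "exp": exp.Unix(), "sub": "system:serviceaccount:production:workload-identity"}
	}
	out := map[string]string{}
	run := func(name, tok string, pub *rsa.PublicKey, cfg TokenConfig) {
		user, groups, err := Authenticate(tok, pub, cfg, now)
		out[name] = fmt.Sprintf("user=%s groups=%v err=%v", user, groups, err)
	}
	run("oidc-valid", signRS256(alice, idpKey), &idpKey.PublicKey, oidc)
	run("oidc-forged", signRS256(alice, clusterKey), &idpKey.PublicKey, oidc) // signed with the wrong key
	run("sa-valid", signRS256(pod(sa.Audience, now.Add(time.Hour)), clusterKey), &clusterKey.PublicKey, sa)
	run("sa-stolen-vault-token", signRS256(pod("vault", now.Add(time.Hour)), clusterKey), &clusterKey.PublicKey, sa)
	return out
}

func main() { fmt.Println(RunDemo()) }
```

The "sa-stolen-vault-token" scenario is the point of audience binding: a projected token requested for the audience `vault` is a perfectly valid token signed by the cluster, yet the API server refuses it because its audience does not match --api-audiences, so stealing it from a sidecar or a log buys no access to the Kubernetes API. The ordering of checks also matters: the algorithm and signature are verified before any claim is read, so a forged or alg=none token never reaches the issuer and audience logic.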