
Why is kubectl not asking for a password?

  • I have created a kubernetes cluster on my server with kubeadm
  • then I installed kubectl on my local machine
  • and copied the content of /etc/kubernetes/admin.conf from my server into the file ~/.kube/config on my local machine.

Now I can access my own cluster from my local machine with kubectl without the need of a passphrase. Why is this so?

When I want to access my server via ssh I need of course a user/password or an allowed ssh key. Why does kubectl not ask me for a passphrase? To me it seems not to be secure enough.

You know - you can access your server using an ssh key without entering a password, right? – Oleg Butuzov
Yes, only in case my ssh private key has no password - right? – Ralph
This is an "other" type of authentication. In simple words, the algorithm allows the public/nonsecret key to verify the identity of the secret/private key owner using math operations. – Oleg Butuzov
But to copy the kubernetes/admin.conf to my workstation is like copying the root password from my server into my local file system. This is what I did not understand. – Ralph
So leave it on your server and command your k8s cluster from there. On other points, an account in your kubeconfig can have a different set of privileges (not a root one) or work in a webhook mode (but that is a different topic). – Oleg Butuzov

1 Answer


Kubernetes supports different authentication strategies, defined here.

Generally, a Kubernetes cluster uses client certificate authentication. If you look at your ~/.kube/config file you'll see a field something like this:

- name: kubernetes-admin
  user:
    client-certificate-data: <BASE64 ENCODED X509 CERTIFICATE>
    client-key-data: <BASE64 ENCODED PRIVATE KEY FOR THE CERTIFICATE>

You can see that the kubernetes-admin user has a client certificate data and key. This certificate is trusted by the Certificate Authority (CA) of your cluster.

When you use kubectl, it sends the client certificate data of the user to your cluster and your cluster CA verifies it. If the client is verified, then you can access the cluster.
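The answer above explains that the kubeconfig carries an X.509 client certificate together with its private key, base64-encoded, and the question's worry is that the copied file is therefore as sensitive as a password. The script below is an added example (not code from the question, the answer, or the Kubernetes project) that inventories which credential types a kubeconfig holds and flags client keys stored in plaintext, which is exactly why kubectl never has to prompt. It reads the JSON shape that `kubectl config view --raw -o json` prints; the embedded sample is constructed with placeholder PEM bodies rather than real key material, and the function names (`audit_kubeconfig`, `mode_is_private`, and so on) are chosen here.

```python
"""Inventory the credentials a kubeconfig carries and flag plaintext keys.

Added example, standard library only. Input is the JSON that
`kubectl config view --raw -o json` prints; the sample below is
constructed and holds placeholder PEM bodies, not real key material.
"""
import base64
import json
import os
import stat

# Constructed sample in the `kubectl config view --raw -o json` layout.
_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
_KEY_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_KUBECONFIG_JSON = json.dumps({
    "users": [
        {"name": "kubernetes-admin",
         "user": {"client-certificate-data": base64.b64encode(_CERT_PEM).decode(),
                  "client-key-data": base64.b64encode(_KEY_PEM).decode()}},
        {"name": "ci-bot", "user": {"token": "placeholder-bearer-token"}},
        {"name": "sso-user", "user": {"exec": {"command": "kubectl-oidc_login"}}},
    ]
})


def decode_pem(b64_data: str) -> str:
    """Turn a *-data field back into the PEM text that kubectl presents to the API server."""
    return base64.b64decode(b64_data).decode("ascii", errors="replace")


def classify_user(entry: dict) -> dict:
    """Describe what kind of credential one `users[]` entry holds."""
    user = entry.get("user", {})
    result = {"name": entry.get("name"), "kinds": [], "plaintext_key": False}
    if "client-certificate-data" in user or "client-certificate" in user:
        result["kinds"].append("x509-client-cert")
    if "client-key-data" in user:
        pem = decode_pem(user["client-key-data"])
        # An unencrypted PEM key is usable with no passphrase at all, which is
        # what the question observed; encrypted PEM keys carry an ENCRYPTED marker.
        result["plaintext_key"] = "PRIVATE KEY" in pem and "ENCRYPTED" not in pem
    elif "client-key" in user:
        result["kinds"].append("key-file:" + user["client-key"])
    if "token" in user or "tokenFile" in user:
        result["kinds"].append("bearer-token")
    if "username" in user and "password" in user:
        result["kinds"].append("basic-auth")
    if "exec" in user:
        result["kinds"].append("exec-plugin")
    if "auth-provider" in user:
        result["kinds"].append("auth-provider")
    return result


def audit_kubeconfig(config_json: str) -> list:
    """Classify every user in a raw kubeconfig rendered as JSON."""
    cfg = json.loads(config_json)
    return [classify_user(u) for u in cfg.get("users", [])]


def mode_is_private(mode: int) -> bool:
    """True when no group/other permission bits are set (e.g. 0600)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def file_is_private(path: str) -> bool:
    """Check the on-disk mode of a kubeconfig; it holds a plaintext private key."""
    return mode_is_private(stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    for finding in audit_kubeconfig(SAMPLE_KUBECONFIG_JSON):
        print(finding)
    default_cfg = os.path.expanduser("~/.kube/config")
    if os.path.exists(default_cfg):
        print("~/.kube/config private:", file_is_private(default_cfg))
```

To look at the real certificate, pass the output of `decode_pem` to `openssl x509 -noout -subject -issuer -dates`: the subject CN is the username the API server sees and any O= entries are its groups, which is what RBAC bindings refer to. Because the key is stored unencrypted, the file itself is the secret; keeping it at mode 0600 and issuing a narrower, shorter-lived credential for day-to-day use instead of copying admin.conf is the practical mitigation.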