By Saiyam Pathak
Director of Technical Evangelism


Learn how authentication works in Kubernetes and how to authenticate a specific cluster in your environment.


Authentication of a Kubernetes cluster

Hi, in this video, we'll be doing a Kubernetes authentication demo, and we'll try to curl the Kubernetes API endpoint by passing it via a token. So, first, let's see the configuration by running the command kubectl config view. It will tell you some details about the cluster, which is the API server endpoint, the name of the cluster, Kubernetes, and the current context that we are using, and also about the certificate data.

You can see all the Kube config data by running the cat ~/.kube/config command. So, you can see the data, the certificates, and the cluster certificate authority data. And, what we are going to do is run the command, cat

So, you can get the cluster name from this command, but we have already seen it in the config view, so I'll export that by running export CLUSTER_NAME="kubernetes". Then, we will run kubectl config view.

You will see the API server endpoint. And, if we directly try to call it, maybe a slash version, so it just gives the SUDBS endpoints, which means we need to pass some additional parameters. So, let's do that and get the API server by running the command APISERVER=[server URL from config view].

You can use a simple command such as APISERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$CLUSTER_NAME\")].cluster.server}").

It will give you the API server endpoint. In Kubernetes, a secret is created with it when the cluster is created. Run the command "kubectl get secret". In this particular case, you will see that it is the default. So, what we want is the token. The token we will get is the encoded token, and we need to decode it. So, we need the decoded token, and we need to pass that as a header when we are doing the curl command to the API server.

So, let's do that, and a very simple command for that is TOKEN=$(kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='default')].data.token}"|base64 -d). So, we get the secret and the service account token, and then we will store that.

So, we have the cluster name, we have the API server, and we have the token. Now again, we'll run the curl command, but this time, we are going to pass the CSRF, and we are going to pass the header. In the header, we'll give the authorization via a token so that we can tell that the particular user that is trying to access the API server is genuine and that the API server will check the authenticity, the authentication via the token that is passed, and the command should work. And so we would be able to make a call. So, run the command TOKEN=$(kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='default')].data.token}"|base64 -d) and we will get the output.


This was a basic demo of just calling the API server using the curl command and passing the token and the certificate. So, that's it for this lecture. Thanks for watching. See you in the next one.
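
The steps from this lecture collected into one script, as an added example that is not part of the original video. The helper names (get_apiserver, get_cluster_ca, get_sa_token, jwt_claims, call_api) are made up here, and it assumes kubectl, curl and base64 are installed and that the kubeconfig embeds the cluster CA; it passes that CA to curl with --cacert and prints the token's claims so you can see which identity is being presented.

```shell
#!/bin/sh
# Added example: the lecture's steps as functions (helper names are hypothetical).

# API server URL of the named cluster, read from the kubeconfig.
get_apiserver() {
  kubectl config view -o jsonpath="{.clusters[?(@.name==\"$1\")].cluster.server}"
}

# Cluster CA certificate (PEM), so curl can verify the API server.
# Assumes the kubeconfig embeds it as certificate-authority-data.
get_cluster_ca() {
  kubectl config view --raw \
    -o jsonpath="{.clusters[?(@.name==\"$1\")].cluster.certificate-authority-data}" | base64 -d
}

# Decoded token from the Secret annotated for the given service account.
get_sa_token() {
  kubectl get secrets \
    -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='$1')].data.token}" | base64 -d
}

# Print the claims (middle segment) of a JWT; base64url needs its padding restored.
jwt_claims() {
  jwt_p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#jwt_p} % 4 )) in (2) jwt_p="$jwt_p==" ;; (3) jwt_p="$jwt_p=" ;; esac
  printf '%s' "$jwt_p" | base64 -d
}

# call_api <apiserver> <token> <ca-file> <path>: send the token as a Bearer header.
call_api() {
  curl --silent --show-error --cacert "$3" \
    --header "Authorization: Bearer $2" "$1$4"
}

# Full flow, only when invoked as: sh k8s-auth.sh run [cluster] [serviceaccount]
if [ "${1:-}" = "run" ]; then
  CLUSTER_NAME="${2:-kubernetes}"
  APISERVER=$(get_apiserver "$CLUSTER_NAME")
  TOKEN=$(get_sa_token "${3:-default}")
  CA_FILE=$(mktemp)
  get_cluster_ca "$CLUSTER_NAME" > "$CA_FILE"
  jwt_claims "$TOKEN"; echo            # which identity the token carries
  call_api "$APISERVER" "$TOKEN" "$CA_FILE" /version
  rm -f "$CA_FILE"
fi
```

From Kubernetes 1.24 onward the token Secret is no longer created automatically for a service account, so get_sa_token can come back empty on newer clusters; kubectl create token default issues a short-lived token instead.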
