Authentication for Kubernetes

In this document, we will create an authKey that will give Pliant cluster-admin access on a Kubernetes cluster.

Prerequisites:

• The cluster API must be reachable from the Pliant instance over the network

• You must have access to the cluster via the kubectl utility as a cluster-admin

Note: Instructions updated for Kubernetes version 1.24 and later. Earlier K8s versions have a different behavior

Kubernetes Cluster with Internet Access

1. Find your Kubernetes API host

   CONTEXT=$(kubectl config current-context)
   CLUSTER=$(kubectl config view -o json | jq -r --arg context "${CONTEXT}" '.contexts[] | select(.name == $context) | .context.cluster')
   kubectl config view -o json | jq -r --arg cluster "${CLUSTER}" '.clusters[] | select(.name == $cluster) | .cluster.server'| cut -d'/' -f3

2. Run this command to create a new ServiceAccount, ClusterRoleBinding, and Secret on your Kubernetes cluster

   kubectl apply -f https://distributor.pliant.io/pliant-control.yaml

3. Get the token for the new cluster-admin user. This token will give full cluster admin privileges to the bearer.

   echo $(kubectl -n kube-system get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='pliant-control')].data.token}"|awk '{print $1}'|base64 --decode)

4. Copy out the decoded token

   

5. Create a new authKey for the Kubernetes service. Be sure to include the TCP port for the API if it is not using the default (443) Use the token value as the API Key.

   

Kubernetes Cluster without Internet Access

1. On your host with kubectl access, create a new file called “pliant-control.yaml” with a text editor

2. Paste in the following content and save the file:

   apiVersion: v1
   kind: ServiceAccount
   metadata:
     name: pliant-control
     namespace: kube-system
   ---
   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRoleBinding
   metadata:
     name: pliant-control
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: cluster-admin
   subjects:
   - kind: ServiceAccount
     name: pliant-control
     namespace: kube-system
   ---
   apiVersion: v1
   kind: Secret
   metadata:
     name: pliant-control
     annotations:
       kubernetes.io/service-account.name: "pliant-control"
     namespace: kube-system
   type: kubernetes.io/service-account-token

3. Use this command to apply the yaml and create the user:

kubectl apply -f pliant-control.yaml

4. Find your Kubernetes API host

CONTEXT=$(kubectl config current-context)
CLUSTER=$(kubectl config view -o json | jq -r --arg context "${CONTEXT}" '.contexts[] | select(.name == $context) | .context.cluster')
kubectl config view -o json | jq -r --arg cluster "${CLUSTER}" '.clusters[] | select(.name == $cluster) | .cluster.server'| cut -d'/' -f3

5. Now we can get the token for the new cluster-admin user. This token will give full cluster admin privileges to the bearer.

echo $(kubectl -n kube-system get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='pliant-control')].data.token}"|base64 --decode)

6. Copy out the decoded token

7. Create a new authKey for the Kubernetes service. Be sure to include the TCP port for the API if it is not using the default (443) Use the token value as the API Key.