|
| 1 | +--- |
| 2 | +description: > |
| 3 | + How to authenticate requests to kcp. |
| 4 | +--- |
| 5 | + |
| 6 | +# Authentication |
| 7 | + |
| 8 | +KCP implements the same authentication mechanisms as Kubernetes, allowing the use of Kubernetes authentication strategies. The KCP server can also be configured to generate a local admin.kubeconfig file and a token hash file, enabling access to KCP as a shard admin. This authentication mechanism is then added to any existing Kubernetes authentication strategies from generic control plane settings. |
| 9 | + |
| 10 | +## KCP server admin authentication |
| 11 | + |
| 12 | +Admin Authenticator sets up user roles and groups and generates authentication tokens. The authentication process relies on Kubernetes groups authentication. |
| 13 | + |
| 14 | +### Users and Groups |
| 15 | + |
| 16 | +| **User Name** | **Role** | **Groups** | |
| 17 | +|----------------|------------------------------------------------------------------------------------------------------------|----------------------------------------------| |
| 18 | +| **shard-admin** | Member of the privileged system group. This user bypasses most KCP authorization checks. | system:masters, system:authenticated | |
| 19 | +| **kcp-admin** | Member of the system:kcp:workspace:admin and system:kcp:workspace:access groups. This user is subject to KCP authorization checks. | system:kcp:workspace:admin | |
| 20 | +| **user** | Regular non-admin user who is not a part of any predefined groups. | None | |
| 21 | + |
| 22 | +### Generated kubeconfig contexts |
| 23 | + |
| 24 | +KCP server generates a kubeconfig file (admin.kubeconfig) containing credentials for the predefined users. This file allows users to authenticate into different logical clusters. |
| 25 | + |
| 26 | +| **Context Name** | **Cluster Endpoint** | |
| 27 | +|------------------|----------------------| |
| 28 | +| **root** | /clusters/root | |
| 29 | +| **base** | /clusters/base | |
| 30 | +| **system:admin** | /clusters/system:admin | |
| 31 | +| **shard-base** | /clusters/base | |
| 32 | + |
| 33 | + |
| 34 | + |
| 35 | +## KCP Front Proxy Authentication |
| 36 | + |
| 37 | +The kcp-front-proxy is a reverse proxy that accepts client certificates and forwards Common Name and Organizations to backend API servers in HTTP headers. The proxy terminates TLS and communicates with API servers via mTLS. Traffic is routed based on paths. |
| 38 | + |
| 39 | +There are enabled four authentication strategies in union. |
| 40 | + |
| 41 | +* Client certificate |
| 42 | +* Token file |
| 43 | +* Service account |
| 44 | +* OIDC |
| 45 | + |
| 46 | +### Authentication flow with client certificate |
| 47 | + |
| 48 | +``` mermaid |
| 49 | +flowchart |
| 50 | + n1@{ label: "Rectangle" } |
| 51 | + n1["A client sends a request |
| 52 | + with a client certificate."] --- n2 |
| 53 | + n2["The proxy verifies the |
| 54 | + certificate against a trusted CA."] --- n3 |
| 55 | + n3["Filters specified |
| 56 | + groups from requests."] --- n4 |
| 57 | + n4["Extracts the user and |
| 58 | + groups and passing them |
| 59 | + as HTTP access headers."] --- n5["Forwards the request |
| 60 | + to the KCP API server."] |
| 61 | +``` |
| 62 | + |
| 63 | +### Groups filter |
| 64 | + |
| 65 | +KCP Front Proxy drops or passes specific system groups before forwarding requests. |
| 66 | +These can be passed by setting `--authentication-pass-on-groups` and `--authentication-drop-groups` flags. They accept a comma-separated list of group names. |
| 67 | + |
| 68 | +By default, proxy is configured to drop `system:masters` and `system:kcp:logical-cluster-admin`. |
| 69 | +This ensures that highly privileged users, do not receive elevated access when passing through the proxy. |
| 70 | + |
| 71 | +## Pages |
| 72 | + |
| 73 | +{% include "partials/section-overview.html" %} |
0 commit comments