K3s: [Question] Certificate authentication and cert issuing via Certificate API. Have these features been removed?

Created on 19 Mar 2019 · 8 Comments · Source: k3s-io/k3s

I would like to authenticate users via client certificate, but I've got stuck.
I've tried to find information about setting up user authentication, but only found in the apiserver commandline arguments and the kubeconfig that it uses HTTP basic auth by default.
Is the content of the htpasswd file managed by k3s? If so, how can we add new entries?

I've also tried to issue a new client certificate via the Certificates API, as k3s kubectl api-versions shows it's supported. (This is how I tried: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster and it works on other clusters)
But after approving the CSR with k3s kubectl certificate approve ... the CSR only goes to "Approved" state and not "Approved,Issued", and there is no .status.certificate field.

Without these I've tried to sign my CSR directly using the CA cert, and I wasn't able to authenticate (I'm not sure I've used correct cert files).

Are these the expected behaviors and it's better to forget cert auth to integrate with, or should I report it as a bug?
I'm using k3s v0.2.0 (amd64)


All 8 comments

I've found the server authentication code meanwhile, and as I see it uses the upstream k8s authenticator so I guess certificate authentication should work.
Maybe I've created a wrong client certificate without the Certificate API.

Does this work? I am using the stable/cockroachdb helm chart on k8s installed via kubeadm, and this system with k3s - only the kubeadm based system issues the approved CSRs.

How's it going?

@zsolt-keseru-epam

@huapox I didn't have the chance to investigate this deeper as we decided to move with other solution for a start.
Although now I have checked that certificate issuing is still not working in 0.5.0

I've tested version 0.7.0-rc2; it seems to work after #359

update: 190728:
but got this:

kc --kubeconfig=koper.kubeconfig get pod
error: You must be logged in to the server (Unauthorized)

k3s server's log:

server_1    | E0728 19:15:27.324625       8 authentication.go:65] Unable to authenticate the request due to an error: x509: certificate signed by unknown authority

Tested Okay, via #684

Closing due to age.
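
The symptom from the original question (a CSR that reaches "Approved" but never "Approved,Issued" because .status.certificate stays empty) can be checked for across a cluster. The following is an added example, not part of the thread or of k3s; it assumes input shaped like the output of kubectl get csr -o json, and the sample objects and names are constructed.

```python
import base64
import binascii
import json

# Constructed sample; names and certificate bytes are placeholders.
_FAKE_PEM = b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"name": "user-a"},
         "status": {"conditions": [{"type": "Approved"}]}},
        {"metadata": {"name": "user-b"},
         "status": {"conditions": [{"type": "Approved"}],
                    "certificate": base64.b64encode(_FAKE_PEM).decode()}},
        {"metadata": {"name": "user-c"}, "status": {}},
        {"metadata": {"name": "user-d"},
         "status": {"conditions": [{"type": "Denied"}]}},
    ],
})


def has_certificate(csr):
    """True if .status.certificate is base64 that decodes to a PEM certificate."""
    raw = (csr.get("status") or {}).get("certificate")
    if not raw:
        return False
    try:
        pem = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return False
    return pem.lstrip().startswith(b"-----BEGIN CERTIFICATE-----")


def csr_state(csr):
    """Return Pending, Denied, Approved (no certificate) or Approved,Issued."""
    conditions = (csr.get("status") or {}).get("conditions") or []
    types = [c.get("type") for c in conditions]
    if "Denied" in types:
        return "Denied"
    if "Approved" not in types:
        return "Pending"
    return "Approved,Issued" if has_certificate(csr) else "Approved"


def approved_but_unissued(csr_list_json):
    """Names of CSRs that were approved but never received a certificate."""
    items = json.loads(csr_list_json).get("items", [])
    return [i["metadata"]["name"] for i in items if csr_state(i) == "Approved"]


if __name__ == "__main__":
    for name in approved_but_unissued(SAMPLE):
        print(f"{name}: approved, but .status.certificate is empty")
```
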
