Minikube: feature request: support basic auth

Created on 29 Aug 2017 · 16 Comments · Source: kubernetes/minikube

The Ansible kubernetes module can only authenticate with basic authentication, not certs. I'm sure there are other use cases for basic authentication against minikube. It would be great if there was an option at startup where the kubernetes-api would be started with the flag:
--token-auth-file=MYBASICAUTHFILE

Kube documentation here:
https://kubernetes.io/docs/admin/authentication/#static-password-file

Thank you,
Nelson

kind/feature lifecycle/rotten

All 16 comments

You should be able to configure kubernetes using the extra-options flag documented here:
https://github.com/kubernetes/minikube/blob/master/docs/configuring_kubernetes.md
I believe the setting you want to use is here: https://godoc.org/k8s.io/kubernetes/pkg/kubeapiserver/options#BuiltInAuthenticationOptions

Thank you for responding Aaron. I had tried with the following extra-options, but had no luck. I'm the first to admit I might not be doing this right. The <( echo "admin:password:100") is since it would be expecting a file rather than string, although I have also tried all of these with a string. Any help would be appreciated.

minikube start --extra-config apiserver.Authentication.PasswordFile=<( echo "admin:password:100")

minikube start --extra-config apiserver.Authentication.PasswordFile="admin:password:100"

minikube start --extra-config apiserver.PasswordFile=<( echo "admin:password:100")

minikube start --extra-config apiserver.Authentication.PasswordFileAuthenticationOptions.BasicAuthFile=<( echo "admin:password:100")

## and for what it is worth, this is how I am testing if basic auth is working
echo -n admin:password | base64
YWRtaW46cGFzc3dvcmQ=

curl -H "Authorization: Basic YWRtaW46cGFzc3dvcmQ=" https://192.168.99.100:8443/ -k
Unauthorized

@nelson-cf @aaron-prindle Any updates on that? Thanks.

I tried with this:

--extra-config=apiserver.Authentication.PasswordFile.BasicAuthFile=/yourfile.csv

and it works

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@bewiwi I am on windows 7 and the solution does not work for me.

I have the following in my csv file based on this resource:

admin,s3cr3t,100

My command to start in dos shell is:

  minikube start --extra-config=apiserver.Authentication.PasswordFile.BasicAuthFile=C:\Users\fnajmi\.minikube\basicauth.csv

I get the following error output:

C:\Users\fnajmi> minikube start --extra-config=apiserver.Authentication.PasswordFile.BasicAuthFile=C:\Users\fnajmi\.minikube\basicauth.csv
Starting local Kubernetes v1.10.0 cluster...
Starting VM...
Getting VM IP address...
Moving files into cluster...
Setting up certs...
Connecting to cluster...
Setting up kubeconfig...
Starting cluster components...
E0522 09:36:11.959707   17492 start.go:281] Error restarting cluster:  running cmd:
sudo kubeadm alpha phase certs all --config /var/lib/kubeadm.yaml &&
sudo /usr/bin/kubeadm alpha phase kubeconfig all --config /var/lib/kubeadm.yaml &&
sudo /usr/bin/kubeadm alpha phase controlplane all --config /var/lib/kubeadm.yaml &&
sudo /usr/bin/kubeadm alpha phase etcd local --config /var/lib/kubeadm.yaml
: Process exited with status 1
================================================================================
An error has occurred. Would you like to opt in to sending anonymized crash
information to minikube to help prevent future errors?
To opt out of these messages, run the command:
        minikube config set WantReportErrorPrompt false
================================================================================
Please enter your response [Y/n]:
Y

Note that the equivalent command in the gitbash shell just hangs.

Hello,
I have the same issue described by @farrukhnajmi. However, in my case minikube is running on an Ubuntu (17.10) VM.

Below is the minikube version:
minikube version: v0.26.0

The command I ran is very similar:

minikube start --extra-config=apiserver.Authentication.PasswordFile.BasicAuthFile=~/temp/users.csv

I also logged into the minikube vm (minikube ssh) and I noticed that the apiserver docker container is down. Looking at the logs of this container I see the following error:

error: unknown flag: --Authentication.PasswordFile.BasicAuthFile

Therefore, I changed my command to something like:

minikube start --extra-config=apiserver.basic-auth-file=~/temp/users.csv

It failed again but now the container shows a different error. The error is no longer related to an invalid flag. Instead, it complains that the file is not found (no such file or directory). I also tried to specify a file on the minikube vm (/var/lib/localkube) but I had the same issue.

Does anyone know how to solve it?

Thanks,
Mauro

Seeing the very same issue as @silvam11

Looking at the apiserver docker container logs, my users.csv file is not found. I can't see a way to get the file from the minikube vm into the container.

I'm using minikube version: v0.27.0

@murphyki did you ever figure out a way to get that file into the apiserver container? I have a similar problem which I'm trying to figure out.

Got this finally working. The pass-file needs to be located inside the apiserver container, not in the minikube vm, which is why it ends up in a loop when starting as it cannot find the file.

My solution is a bit hacky, but it works.
I have the basic auth file stored at /Users/raja/mini/minipass with the contents
password,admin,100

Now mount this path inside /var/lib/localkube/certs (This path is shared between the minikube vm and the apiserver container).
minikube mount /Users/raja/mini/:/var/lib/localkube/certs/mini

We can now start minikube pointing to the directory like
minikube start --extra-config=apiserver.basic-auth-file=/var/lib/localkube/certs/mini/minipass --kubernetes-version=v1.10.0 --memory 6060 --cpus 4

This mounts the file inside of the apiserver and now I can authenticate using Basic Auth.
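
A pre-flight check for the setup in the comment above, as an added example that is not part of the original thread or of minikube: it lints the file against the Kubernetes static password file layout (password,user,uid, with an optional groups column), checks that the path lies under the directory the comment reports as shared with the apiserver container, and builds the header for the curl test shown earlier. The function names and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks before
# `minikube start --extra-config=apiserver.basic-auth-file=...`.

# Directory the comment above reports as shared between the minikube VM and
# the apiserver container (specific to that setup; an assumption elsewhere).
SHARED_DIR=/var/lib/localkube/certs

# lint_auth_file FILE: check each line against the static password file
# layout password,user,uid[,groups]. Prints the parsed user and uid (never
# the password) so swapped columns are visible; returns 1 if any line is bad.
lint_auth_file() {
    bad=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -z "$line" ] && continue
        # Only the first three commas split; the optional groups column
        # may itself contain commas and stays whole in $rest.
        IFS=, read -r pass user uid rest <<EOF
$line
EOF
        if [ -z "$pass" ] || [ -z "$user" ] || [ -z "$uid" ]; then
            echo "line $n: INVALID (expected password,user,uid)"
            bad=$((bad + 1))
        else
            echo "line $n: user=$user uid=$uid"
        fi
    done < "$1"
    [ "$bad" -eq 0 ]
}

# path_ok PATH: true only if PATH is inside the shared directory, i.e. a
# path the apiserver container can actually open.
path_ok() {
    case "$1" in
        "$SHARED_DIR"/?*) return 0 ;;
        *) return 1 ;;
    esac
}

# basic_auth_header USER PASSWORD: header for the curl check.
basic_auth_header() {
    printf 'Authorization: Basic %s\n' "$(printf '%s:%s' "$1" "$2" | base64)"
}

# Constructed sample: three entry styles that appear in the thread.
sample=$(mktemp)
printf '%s\n' 'password,admin,100' 'admin,s3cr3t,100' 'admin:password:100' > "$sample"
lint_auth_file "$sample" || echo "fix INVALID lines before starting minikube"
rm -f "$sample"
```

Static password file authentication was removed from kube-apiserver in Kubernetes v1.19, so this applies only to older versions such as the v1.10.0 used in the comment.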

Thanks @rajasaur I will try too

@belminf no, I had given up on it! but looks like @rajasaur has a fix. Thanks @rajasaur I will try it out as well.

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@rajasaur - Your solution works for me. minikube 0.28.2. It didn't work for me in the 0.25 version. Thanks :)

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@fejta-bot: Closing this issue.
