Authentication and Authorization
This section outlines the different authentication and authorization mechanisms supported by the Kubernetes C# client. The client offers various options for interacting with Kubernetes clusters, including using kubeconfig files, service accounts, and in-cluster configurations.
Kubeconfig Files
The BuildConfigFromConfigFile function allows the client to load configuration settings from a standard kubeconfig file. This is the most common and versatile method for authentication.
Example:
// Load configuration from kubeconfig file
var config = KubernetesClientConfiguration.BuildConfigFromConfigFile("path/to/kubeconfig");
// Create a new Kubernetes client
var client = new Kubernetes(config);
Service Accounts
When running within a Kubernetes cluster, the client can leverage the in-cluster service account for authentication. This is achieved using the InClusterConfig function.
Example:
// Load configuration from in-cluster service account
var config = KubernetesClientConfiguration.InClusterConfig();
// Create a new Kubernetes client
var client = new Kubernetes(config);
Managed Identities with Azure Kubernetes Service (AKS)
The C# SDK supports authenticating with AKS clusters using managed identities. The kubelogin tool is used for this purpose.
Prerequisites:
- Enable AAD support on your AKS cluster.
- Create a managed identity for your AKS cluster.
- Grant the managed identity appropriate RBAC permissions on the cluster.
- Assign the managed identity to your VM.
- Install the kubelogin tool on your machine.
Example:
# Replace the following placeholders with your actual values
# server - Address of your AKS cluster
# clientid - Client ID of your managed identity
# kubelogin - Path to the kubelogin executable
dotnet run server=server clientid=clientid kubelogin=kubelogin
Other Authentication Methods
The Kubernetes C# client supports additional authentication mechanisms, such as:
- Basic Authentication: Use the BasicAuthenticationCredentials class to provide a username and password for authentication.
- Token-Based Authentication: Utilize the TokenCredentials class and an ITokenProvider implementation (e.g., StringTokenProvider) to provide an access token.
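As an added example (not code from the library or its documentation), here is a custom ITokenProvider that re-reads a short-lived token from a file, so the credential is rotated on disk rather than compiled into the program. It assumes that ITokenProvider is declared in the k8s.Autorest namespace and that KubernetesClientConfiguration exposes a TokenProvider property; FileTokenProvider, TokenClientFactory, the host and the token path are hypothetical.

```csharp
using System;
using System.IO;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using k8s;
using k8s.Autorest; // assumption: namespace that declares ITokenProvider

// Hypothetical provider: re-reads a token file at most once per maxAge, so a
// rotated token is picked up and no secret is compiled into the binary.
public sealed class FileTokenProvider : ITokenProvider
{
    private readonly string _path;
    private readonly TimeSpan _maxAge;
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);
    private string _token;
    private DateTime _readAtUtc = DateTime.MinValue;

    public FileTokenProvider(string path, TimeSpan maxAge)
    {
        _path = path;
        _maxAge = maxAge;
    }

    public async Task<AuthenticationHeaderValue> GetAuthenticationHeaderAsync(CancellationToken cancellationToken)
    {
        await _gate.WaitAsync(cancellationToken).ConfigureAwait(false);
        try
        {
            if (_token == null || DateTime.UtcNow - _readAtUtc > _maxAge)
            {
                var text = (await File.ReadAllTextAsync(_path, cancellationToken).ConfigureAwait(false)).Trim();
                if (text.Length == 0)
                    throw new InvalidOperationException("Token file is empty."); // fail closed: never send an empty or stale token
                _token = text;
                _readAtUtc = DateTime.UtcNow;
            }
            return new AuthenticationHeaderValue("Bearer", _token);
        }
        finally { _gate.Release(); }
    }
}

public static class TokenClientFactory
{
    // Host and token path are placeholders supplied by the caller.
    public static Kubernetes Create(string host, string tokenPath) =>
        new Kubernetes(new KubernetesClientConfiguration
        {
            Host = host,
            TokenProvider = new FileTokenProvider(tokenPath, TimeSpan.FromMinutes(1)), // assumed property
        });
}
```

The token file should be readable only by the account the process runs as, since anyone who can read it can authenticate as that identity.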
Authorization
The Kubernetes C# client relies on the authorization mechanisms implemented by the Kubernetes API server. The client automatically includes the appropriate authorization headers in requests, based on the authentication method used.
Reference:
- tree/master/src/LibKubernetesGenerator
- examples/aks-kubelogin/README.md
- doc/index.md
- README.md
- src/KubernetesClient/Authentication/BasicAuthenticationCredentials.cs
- src/KubernetesClient/Authentication/TokenCredentials.cs
- src/KubernetesClient/Authentication/StringTokenProvider.cs
- src/KubernetesClient/Authentication/ServiceClientCredentials.cs
- src/KubernetesClient/Authentication/ITokenProvider.cs
- src/KubernetesClient/Authentication/TokenFileAuth.cs
- swagger.json
- src/KubernetesClient.Aot/KubeConfigModels/UserCredentials.cs
Top-Level Directory Explanations
examples/ - This directory contains example projects and usage scenarios for the Kubernetes client library.
examples/csrApproval/ - This subdirectory contains examples of handling certificate signing requests (CSR) in Kubernetes.
src/ - This directory contains the source code for the project.
src/KubernetesClient.Aot/ - This subdirectory contains ahead-of-time (AOT) compiled code for the Kubernetes client library.
src/KubernetesClient.Aot/KubeConfigModels/ - This subdirectory contains AOT compiled model classes for working with Kubernetes configuration files.
src/KubernetesClient/ - This subdirectory contains the main Kubernetes client library source code.
src/KubernetesClient/Authentication/ - This subdirectory contains authentication-related code for the Kubernetes client library.
src/KubernetesClient/Autorest/ - This subdirectory contains Autorest code for generating client code from OpenAPI definitions.
src/KubernetesClient/KubeConfigModels/ - This subdirectory contains model classes for working with Kubernetes configuration files.
src/KubernetesClient/LeaderElection/ - This subdirectory contains code for implementing leader election in the Kubernetes client library.
tests/ - This directory contains test code for the project.
tests/KubernetesClient.Tests/ - This subdirectory contains tests for the main implementation of the Kubernetes client library.
tests/KubernetesClient.Tests/assets/ - This subdirectory contains test assets.