Authentication and Authorization

This section outlines the different authentication and authorization mechanisms supported by the Kubernetes C# client. The client offers various options for interacting with Kubernetes clusters, including using kubeconfig files, service accounts, and in-cluster configurations.

Kubeconfig Files

The BuildConfigFromConfigFile function allows the client to load configuration settings from a standard kubeconfig file. This is the most common and versatile method for authentication.

Example:

    // Load configuration from kubeconfig file
    var config = KubernetesClientConfiguration.BuildConfigFromConfigFile("path/to/kubeconfig");
    // Create a new Kubernetes client
    var client = new Kubernetes(config);

Service Accounts

When running within a Kubernetes cluster, the client can leverage the in-cluster service account for authentication. This is achieved using the InClusterConfig function.

Example:

    // Load configuration from in-cluster service account
    var config = KubernetesClientConfiguration.InClusterConfig();
    // Create a new Kubernetes client
    var client = new Kubernetes(config);

Managed Identities with Azure Kubernetes Service (AKS)

The C# SDK supports authenticating with AKS clusters using managed identities. The kubelogin tool is used for this purpose.

Prerequisites:

  • Enable AAD support on your AKS cluster.
  • Create a managed identity for your AKS cluster.
  • Grant the managed identity appropriate RBAC permissions on the cluster.
  • Assign the managed identity to your VM.
  • Install the kubelogin tool on your machine.

Example:

    # Replace the following placeholders with your actual values
    # server - Address of your AKS cluster
    # clientid - Client ID of your managed identity
    # kubelogin - Path to the kubelogin executable
    dotnet run server=server clientid=clientid kubelogin=kubelogin

Other Authentication Methods

The Kubernetes C# client supports additional authentication mechanisms, such as:

  • Basic Authentication: Use the BasicAuthenticationCredentials class to provide a username and password for authentication.
  • Token-Based Authentication: Utilize the TokenCredentials class and an ITokenProvider implementation (e.g., StringTokenProvider) to provide an access token.

Authorization

The Kubernetes C# client relies on the authorization mechanisms implemented by the Kubernetes API server. The client automatically includes the appropriate authorization headers in requests, based on the authentication method used.
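Because the API server makes the authorization decision, a client can ask it up front what the loaded identity is allowed to do. The following is an added example, not code from the project's own documentation: it loads credentials with the two functions shown above, rejects a configuration that disables TLS verification, and submits a SelfSubjectAccessReview for pods in the default namespace. It assumes a client version that exposes operations under client.AuthorizationV1; AuthCheck, LoadConfig and CanIAsync are hypothetical names.

```csharp
using System;
using System.Threading.Tasks;
using k8s;
using k8s.Models;

// AuthCheck, LoadConfig and CanIAsync are hypothetical names for this example.
public static class AuthCheck
{
    // Use the pod's service account when in-cluster, else the given kubeconfig.
    public static KubernetesClientConfiguration LoadConfig(string kubeconfigPath)
    {
        var config = KubernetesClientConfiguration.IsInCluster()
            ? KubernetesClientConfiguration.InClusterConfig()
            : KubernetesClientConfiguration.BuildConfigFromConfigFile(kubeconfigPath);
        // With verification off, the token or password goes to an unverified server.
        if (config.SkipTlsVerify)
            throw new InvalidOperationException("TLS verification is disabled in this configuration.");
        return config;
    }

    // Ask the API server whether the current identity may perform verb on resource.
    public static async Task<bool> CanIAsync(IKubernetes client, string ns, string verb, string resource)
    {
        var review = new V1SelfSubjectAccessReview
        {
            Spec = new V1SelfSubjectAccessReviewSpec
            {
                ResourceAttributes = new V1ResourceAttributes
                {
                    NamespaceProperty = ns, Verb = verb, Resource = resource,
                },
            },
        };
        // Assumption: operations are grouped by API group (client.AuthorizationV1).
        var result = await client.AuthorizationV1.CreateSelfSubjectAccessReviewAsync(review);
        return result.Status.Allowed;
    }

    public static async Task Main(string[] args)
    {
        var config = LoadConfig(args.Length > 0 ? args[0] : "path/to/kubeconfig");
        using var client = new Kubernetes(config);
        foreach (var verb in new[] { "list", "delete" })
            Console.WriteLine($"{verb} pods in default: {await CanIAsync(client, "default", verb, "pods")}");
    }
}
```

A result of True for verbs the workload never uses indicates the bound role is broader than least privilege requires.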

Reference:

Top-Level Directory Explanations

examples/ - This directory contains example projects and usage scenarios for the Kubernetes client library.

examples/csrApproval/ - This subdirectory contains examples of handling certificate signing requests (CSR) in Kubernetes.

src/ - This directory contains the source code for the project.

src/KubernetesClient.Aot/ - This subdirectory contains ahead-of-time (AOT) compiled code for the Kubernetes client library.

src/KubernetesClient.Aot/KubeConfigModels/ - This subdirectory contains AOT compiled model classes for working with Kubernetes configuration files.

src/KubernetesClient/ - This subdirectory contains the main Kubernetes client library source code.

src/KubernetesClient/Authentication/ - This subdirectory contains authentication-related code for the Kubernetes client library.

src/KubernetesClient/Autorest/ - This subdirectory contains Autorest code for generating client code from OpenAPI definitions.

src/KubernetesClient/KubeConfigModels/ - This subdirectory contains model classes for working with Kubernetes configuration files.

src/KubernetesClient/LeaderElection/ - This subdirectory contains code for implementing leader election in the Kubernetes client library.

tests/ - This directory contains test code for the project.

tests/KubernetesClient.Tests/ - This subdirectory contains tests for the main implementation of the Kubernetes client library.

tests/KubernetesClient.Tests/assets/ - This subdirectory contains test assets.