Certificate Authentication

Note

For this guide, you will need the user-ca.crt and user-ca.key files, which were provided at the initial cluster setup.

Vanilla Kubernetes supports authenticating users to your cluster via X.509 Client Certificate Authentication. This authentication method works out of the box for Keisson clusters.

Certificate Authentication is a great choice for authenticating real human users of the cluster: certificates can be given long lifetimes, and because authentication relies on an asymmetric digital signature, the private key never leaves the user's machine, making it harder for a user to accidentally hand it to an attacker via phishing or a Man-In-The-Middle attack.

User CA

Your cluster has a Certificate Authority which is responsible for signing user certificates; this Certificate Authority is unique to your cluster.

Any certificate signed by this CA will be explicitly trusted by your cluster, and can be used to authenticate a user. Kubernetes maps the certificate's Common Name (CN) to the authenticated username, and each Organisation (O) name to an authenticated user group.

Warning

Kubernetes does not support certificate revocation: any certificate issued by the User CA will be trusted unconditionally by your cluster until its expiry date.

If your User CA becomes compromised, please contact us and we will rotate it for you.
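The following is an added example, not part of the Keisson documentation, showing how a user certificate is issued with the User CA so that the CN becomes the Kubernetes username and each O= entry becomes a group. It assumes user-ca.crt and user-ca.key are in $CA_DIR and uses openssl; because the cluster cannot revoke certificates, the validity period is a parameter you should keep short.

```shell
#!/bin/sh
# Added example: issue a client certificate signed by the cluster's User CA.
# Assumes $CA_DIR holds user-ca.crt / user-ca.key (from the initial cluster
# setup) and $OUT_DIR is where the user's key and certificate are written.
set -eu

# issue_user_cert <username> <days> <group>...
# Writes $OUT_DIR/<username>.key and $OUT_DIR/<username>.crt.
issue_user_cert() {
  user=$1; days=$2; shift 2
  ca_dir=${CA_DIR:-.}
  out=${OUT_DIR:-.}
  # Subject: CN is the Kubernetes username, one O= component per group.
  subj="/CN=$user"
  for group in "$@"; do
    subj="$subj/O=$group"
  done
  # The private key stays with the user; only the CSR needs to reach the CA key.
  openssl genrsa -out "$out/$user.key" 2048 2>/dev/null
  openssl req -new -key "$out/$user.key" -subj "$subj" -out "$out/$user.csr" 2>/dev/null
  # No revocation is possible, so -days bounds how long a lost key stays usable.
  openssl x509 -req -in "$out/$user.csr" \
    -CA "$ca_dir/user-ca.crt" -CAkey "$ca_dir/user-ca.key" -CAcreateserial \
    -days "$days" -out "$out/$user.crt" 2>/dev/null
  rm -f "$out/$user.csr"
}

# cert_subject <cert>: prints the subject (CN and O values) the API server will map.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

# cert_trusted_by_ca <cert>: succeeds only if the User CA signed it,
# which is the whole check the cluster performs before trusting the identity.
cert_trusted_by_ca() {
  openssl verify -CAfile "${CA_DIR:-.}/user-ca.crt" "$1" >/dev/null 2>&1
}

# To use the result with kubectl (not run here):
#   kubectl config set-credentials alice --client-certificate="$OUT_DIR/alice.crt" \
#     --client-key="$OUT_DIR/alice.key" --embed-certs=true
```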