
In a Certificate signing request API object for a user, you have to specify a group.

```yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: myname
spec:
  groups:
  - system:authenticated
  # signerName is required in certificates.k8s.io/v1
  signerName: kubernetes.io/kube-apiserver-client
  # request must be the base64-encoded PEM of the PKCS#10 CSR, not a file name
  request: someCertFile
  usages:
  - digital signature
  - key encipherment
  - server auth
```

I know some of the certificates in the cluster, like the kubelets for example, have to use this group in order to differentiate their roles in the cluster. I believe the one for kubelet is nodes:nodename or something like that.

But what does this actually signify from a user standpoint? The only thing I've found on this subject is a brief mention on the k8s docs: https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers

Tanchwa
  • the only thing that I could think of that this would be used for is to relate it to an RBAC role, but I haven't been able to find anything that explicitly states this. – Tanchwa Sep 13 '22 at 18:26

1 Answer

After going down my hunch in it being related to RBAC, I found that Groups can also be referenced in role bindings and are used to authenticate groups of subjects. https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects

I ALSO found some of the default groups here: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#discovery-roles

New Question, Also (Kind-of) Answered

Can groups in certificates be used in lieu of roles and role bindings to access certain items from the cluster?

Yes, Kubernetes uses the subject TLS certificate used to access the cluster to determine the username, and by extension level of access to the account through RBAC or other authentication mechanisms. See this link: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#users-in-kubernetes

From what I've read in https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects a Group is basically just a group of subjects. Feel free to correct me if I'm wrong, but I'd assume this means that you could gain access to whatever the group is given access to through TLS authentication if you specify the group in the CSR.

Tanchwa