# Kubelet Authentication & Authorization
{{#include ../../../banners/hacktricks-training.md}}
## Kubelet Authentication
[**From the docs:**](https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/)

By default, requests to the kubelet's HTTPS endpoint that are not rejected by other configured authentication methods are treated as anonymous requests, and are given a **username of `system:anonymous`** and a **group of `system:unauthenticated`**.

The **3** authentication methods are:

- **Anonymous** (default): enabled with the **`--anonymous-auth=true`** flag or in the config file:
```json
"authentication": {
  "anonymous": {
    "enabled": true
  },
```
- **Webhook**: enables **Kubernetes API bearer tokens** (e.g. service account tokens) as authentication; any token the API server considers valid is accepted. Enable it by:
  - making sure the `authentication.k8s.io/v1beta1` API group is enabled in the API server
  - starting the kubelet with the **`--authentication-token-webhook`** and **`--kubeconfig`** flags, or with the following config:
```json
"authentication": {
  "webhook": {
    "cacheTTL": "2m0s",
    "enabled": true
  },
```
> [!NOTE]
> The kubelet calls the **`TokenReview` API** on the configured API server to **determine user information** from bearer tokens. The `--kubeconfig` flag tells it which API server to call.
- **X509 client certificates:** allows authentication with X509 client certs
  - see the [apiserver authentication documentation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#x509-client-certs) for more details
  - start the kubelet with the `--client-ca-file` flag, providing a CA bundle to verify client certificates, or in the config:
```json
"authentication": {
  "x509": {
    "clientCAFile": "/etc/kubernetes/pki/ca.crt"
  }
}
```
## Kubelet Authorization
Any request that is successfully authenticated (including an anonymous request) is then **authorized**. The default authorization mode, **`AlwaysAllow`**, **allows all requests**.

However, the other possible value is **`Webhook`** (which is what you will **see most often in the wild**). This mode **checks the permissions of the authenticated user** before allowing or denying the action.

> [!WARNING]
> Note that even if **anonymous authentication is enabled**, the **anonymous user** may **not have permission** to perform any action: with webhook authorization, `system:anonymous` only gets what the API server's authorizer (typically RBAC) explicitly grants it.

Webhook authorization is configured with the **`--authorization-mode=Webhook`** flag or in the config file with:
```json
"authorization": {
  "mode": "Webhook",
  "webhook": {
    "cacheAuthorizedTTL": "5m0s",
    "cacheUnauthorizedTTL": "30s"
  }
},
```
The kubelet calls the **`SubjectAccessReview`** API on the configured API server to **determine** whether each request is **authorized**.
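The authentication and authorization settings above are worth auditing together, because the dangerous combination is anonymous authentication plus `AlwaysAllow`. The following Python script is an added example (not kubelet code and not part of the original page): it reads a KubeletConfiguration in JSON form (the kubelet accepts JSON as well as YAML for its config file; JSON is used here to stay within the standard library), applies any overriding `--flag=value` command-line flags on top, and reports weak values. The two embedded sample configs are constructed for illustration. Missing fields are reported as unspecified rather than assumed, since the flag defaults (`--anonymous-auth=true`, `--authorization-mode=AlwaysAllow`) are permissive and may differ from what a given kubelet version applies to an unset config-file field.

```python
"""Audit kubelet authn/authz settings for weak values.

Added example, not kubelet code and not from the original page. The kubelet
reads its KubeletConfiguration file (commonly /var/lib/kubelet/config.yaml) as
YAML or JSON; this example parses JSON only, so it runs with the standard
library. Command-line flags override the file for the fields they target, so
an optional string of `--flag=value` flags is applied on top. The sample
configs below are constructed.
"""
import json
import shlex

# Flag -> (settings key, converter). Only the `--name=value` form is handled
# (assumption made for brevity; the kubelet also accepts `--name value`).
FLAG_MAP = {
    "--anonymous-auth": ("anonymous", lambda v: v.lower() == "true"),
    "--authentication-token-webhook": ("webhook_authn", lambda v: v.lower() == "true"),
    "--client-ca-file": ("client_ca", str),
    "--authorization-mode": ("authz_mode", str),
}


def effective_settings(config_json, flags=""):
    """Return the authn/authz fields that matter, with flags applied on top.

    Missing fields stay None ("unspecified") instead of being assumed: the
    flag defaults are permissive (--anonymous-auth=true,
    --authorization-mode=AlwaysAllow) and may differ from what a given kubelet
    version applies to an unset config-file field, so check the node itself.
    """
    cfg = json.loads(config_json)
    cfg = cfg.get("kubeletconfig", cfg)  # also accept the /configz wrapper
    authn = cfg.get("authentication", {})
    authz = cfg.get("authorization", {})
    settings = {
        "anonymous": authn.get("anonymous", {}).get("enabled"),
        "webhook_authn": authn.get("webhook", {}).get("enabled"),
        "client_ca": authn.get("x509", {}).get("clientCAFile"),
        "authz_mode": authz.get("mode"),
    }
    for token in shlex.split(flags):
        name, sep, value = token.partition("=")
        if sep and name in FLAG_MAP:
            key, convert = FLAG_MAP[name]
            settings[key] = convert(value)
    return settings


def audit(settings):
    """Return (severity, message) findings; an empty list means hardened."""
    findings = []
    anon, mode = settings["anonymous"], settings["authz_mode"]
    if anon is True:
        findings.append(("MEDIUM", "anonymous auth enabled: unauthenticated callers "
                         "become system:anonymous / system:unauthenticated"))
    elif anon is None:
        findings.append(("INFO", "anonymous auth unspecified: the flag default is "
                         "true, check how the kubelet is actually started"))
    if mode == "AlwaysAllow":
        findings.append(("HIGH", "authorization mode AlwaysAllow: every "
                         "authenticated request is permitted"))
    elif mode is None:
        findings.append(("INFO", "authorization mode unspecified: the flag default "
                         "is AlwaysAllow, check how the kubelet is actually started"))
    if anon is True and mode == "AlwaysAllow":
        findings.append(("CRITICAL", "anonymous + AlwaysAllow: anyone who can reach "
                         "port 10250 has full kubelet API access"))
    if settings["webhook_authn"] is not True:
        findings.append(("LOW", "webhook authn not enabled: bearer tokens are not "
                         "validated through TokenReview"))
    if not settings["client_ca"]:
        findings.append(("LOW", "no clientCAFile: X509 client-certificate auth is "
                         "unavailable"))
    return findings


# Constructed sample configs: the weak one mirrors the permissive flag
# defaults, the hardened one is what you want to see on a node.
WEAK_CONFIG = json.dumps({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True}},
    "authorization": {"mode": "AlwaysAllow"},
})

HARDENED_CONFIG = json.dumps({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {
        "anonymous": {"enabled": False},
        "webhook": {"enabled": True, "cacheTTL": "2m0s"},
        "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},
    },
    "authorization": {
        "mode": "Webhook",
        "webhook": {"cacheAuthorizedTTL": "5m0s", "cacheUnauthorizedTTL": "30s"},
    },
})

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for severity, message in audit(effective_settings(cfg)) or [("OK", "no findings")]:
            print(f"  {severity}: {message}")
```

To audit a real node, feed `effective_settings` the node's config converted to JSON (or the JSON the kubelet's `/configz` endpoint returns, if you can reach it) together with the flags from the kubelet's command line, since a hardened file is meaningless if a flag such as `--anonymous-auth=true` overrides it.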
The kubelet authorizes API requests using the same [request attributes](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#review-your-request-attributes) approach as the apiserver:

- **Action**

| HTTP verb | request verb |
| --------- | ------------ |
| POST | create |
| GET, HEAD | get (for individual resources), list (for collections, including full object content), watch (for watching an individual resource or collection of resources) |
| PUT | update |
| PATCH | patch |
| DELETE | delete (for individual resources), deletecollection (for collections) |

- The **resource** when talking to the kubelet API is **always** **nodes**, and the **subresource** is determined from the path of the incoming request:

| Kubelet API | resource | subresource |
| ----------- | -------- | ----------- |
| /stats/\* | nodes | stats |
| /metrics/\* | nodes | metrics |
| /logs/\* | nodes | log |
| /spec/\* | nodes | spec |
| _all others_ | nodes | proxy |
For example, the following request tried to read the kubelet's pod information without permission:
```bash
curl -k --header "Authorization: Bearer ${TOKEN}" 'https://172.31.28.172:10250/pods'
Forbidden (user=system:node:ip-172-31-28-172.ec2.internal, verb=get, resource=nodes, subresource=proxy)
```
- We got **Forbidden**, so the request **passed the authentication check** (otherwise we would just get an `Unauthorized` response).
- We can see the **username** the kubelet resolved (here, from the bearer token).
- Note how the **resource** is **nodes** and the **subresource** is **proxy**, exactly as the path table above predicts for `/pods`: granting this call requires `get` on `nodes/proxy`.
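To see how that `Forbidden` line is produced, the following Python example (added here, not kubelet code and not from the original page) implements the two tables above: it maps an HTTP method and kubelet API path to the (verb, resource, subresource) attributes the kubelet sends in its `SubjectAccessReview`, builds that review, parses a kubelet `Forbidden` response back into the same attributes, and derives the minimal RBAC rule that would grant the request. The user, groups and node name in the sample calls are constructed; the `Forbidden` line is the one from the page. `GET`/`HEAD` are mapped to `get`, the verb the kubelet reports for its read endpoints (the page's own response shows `verb=get`).

```python
"""Kubelet API request -> authorization attributes -> SubjectAccessReview.

Added example, not kubelet code. It implements the HTTP-verb and path tables
from this page: the resource is always "nodes" and the subresource comes from
the first path segment, defaulting to "proxy". GET/HEAD are mapped to "get",
the verb the kubelet reports for its read endpoints (see the page's Forbidden
response). Sample identities and node name below are constructed.
"""
import json
import re

HTTP_TO_REQUEST_VERB = {
    "POST": "create",
    "GET": "get",
    "HEAD": "get",
    "PUT": "update",
    "PATCH": "patch",
    "DELETE": "delete",
}

# First path segment -> subresource; everything else is the catch-all "proxy"
# (which is why /pods, /exec/..., /run/... all need nodes/proxy).
PATH_PREFIX_TO_SUBRESOURCE = {
    "stats": "stats",
    "metrics": "metrics",
    "logs": "log",
    "spec": "spec",
}

# The page's own kubelet response to an unauthorized GET /pods.
SAMPLE_FORBIDDEN = ("Forbidden (user=system:node:ip-172-31-28-172.ec2.internal, "
                    "verb=get, resource=nodes, subresource=proxy)")


def request_attributes(method, path):
    """Attributes the kubelet's authorizer derives from an incoming request."""
    verb = HTTP_TO_REQUEST_VERB[method.upper()]
    first_segment = path.split("?", 1)[0].strip("/").split("/", 1)[0]
    return {
        "verb": verb,
        "resource": "nodes",
        "subresource": PATH_PREFIX_TO_SUBRESOURCE.get(first_segment, "proxy"),
    }


def subject_access_review(user, groups, method, path, node_name):
    """The SubjectAccessReview the kubelet sends for webhook authorization.

    The kubelet fills in its own node name as the resource name, so RBAC can
    scope a grant to specific nodes via resourceNames.
    """
    attrs = request_attributes(method, path)
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": user,
            "groups": list(groups),
            "resourceAttributes": {
                "group": "",
                "version": "v1",
                "verb": attrs["verb"],
                "resource": attrs["resource"],
                "subresource": attrs["subresource"],
                "name": node_name,
            },
        },
    }


_FORBIDDEN_RE = re.compile(r"^Forbidden \((.*)\)$")


def parse_forbidden(body):
    """Turn a kubelet `Forbidden (k=v, ...)` body into a dict, or None."""
    match = _FORBIDDEN_RE.match(body.strip())
    if not match:
        return None
    return dict(pair.split("=", 1) for pair in match.group(1).split(", "))


def rbac_rule_for(method, path):
    """Least-privilege ClusterRole rule granting exactly this request."""
    attrs = request_attributes(method, path)
    return {
        "apiGroups": [""],
        "resources": [f"{attrs['resource']}/{attrs['subresource']}"],
        "verbs": [attrs["verb"]],
    }


if __name__ == "__main__":
    sar = subject_access_review("system:anonymous", ["system:unauthenticated"],
                                "GET", "/pods", "ip-172-31-28-172.ec2.internal")
    print(json.dumps(sar, indent=2))
    print("parsed:", parse_forbidden(SAMPLE_FORBIDDEN))
    print("rule needed:", rbac_rule_for("GET", "/pods"))
```

The practical takeaway is the catch-all: every endpoint not under `/stats`, `/metrics`, `/logs` or `/spec` collapses to `nodes/proxy`, so a single `get`/`create` grant on `nodes/proxy` covers `/pods`, `/exec`, `/run` and friends, which is why that permission is worth hunting for during a review.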
## References
- [https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/](https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/)
{{#include ../../../banners/hacktricks-training.md}}