Authentication in PMK

PMK provides a layer of multi-tenancy on top of Kubernetes, so that you and members of your organization can collaborate and utilize multiple Kubernetes clusters across different teams and geographical regions.

Read more about PMK multitenancy here

PMK achieves multitenancy using an open source component called Keystone. Each deployment of PMK comes with an instance of Keystone, deployed in the PMK Management Plane.

Configure Authentication for a Cluster

When your PMK deployment is first created, a new user account with the Administrator role is created in Keystone, within the ‘service’ tenant, for the authorized user designated for this purpose. If you sign up for Platform9 Managed Kubernetes Free Tier, a new user account with the Administrator role is created in the ‘service’ tenant in Keystone using your registered email address and password.

The Administrator user can then invite more users to the PMK deployment by adding them to PMK using the UI or API. This operation adds the users to Keystone with the appropriate role.

Configure External Access

In order to access your PMK clusters outside of the PMK UI, you need to have a kubeconfig file that is properly configured with either of the following:

  • an access token generated from Keystone for your user account
  • username and password for your user account stored in encrypted format

You can specify the authentication method to use while downloading the kubeconfig file through Platform9 Managed Kubernetes. Once the method is specified, the respective value is retrieved from Keystone for authentication and stored in the kubeconfig file.

Token-based authentication is the more secure method. Once generated, a token is valid for 24 hours, whereas a username-password combination is valid for as long as the password is valid.

When you use token-based authentication, the token must be regenerated every 24 hours by downloading the kubeconfig file through the Platform9 Clarity UI. While downloading the kubeconfig file, you must select the desired authentication method as token, instead of password.

Follow the steps given below to download the kubeconfig file with a token.

  1. Click Kubernetes > API Access.
  2. Click the Download Config link for the desired cluster from the cluster list.
  3. Select Token as the Authentication Method and click Download Config.

The token field in the kubeconfig file is populated with the Keystone token for the user. The kubeconfig file is downloaded to the default download folder.
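The following is an added example, not Platform9 code: a local check that a downloaded kubeconfig carries a token, is not readable by other users, and is still inside the 24-hour validity window. It assumes the file's modification time approximates the download time and that the token sits in the standard kubeconfig `token` field; `audit_kubeconfig` and the sample content are hypothetical names and constructed data.

```python
import os
import re
import stat
import sys
import tempfile
import time

TOKEN_LIFETIME_S = 24 * 60 * 60  # per the page: a token is valid for 24 hours
TOKEN_LINE = re.compile(r"^\s*token:\s*\S+")  # users[].user.token in a kubeconfig

# Constructed sample, not a real PMK download; the token value is a placeholder.
SAMPLE = """\
apiVersion: v1
kind: Config
users:
- name: demo-user
  user:
    token: PLACEHOLDER_KEYSTONE_TOKEN
"""


def audit_kubeconfig(path, now=None):
    """Return a list of findings for a downloaded kubeconfig file."""
    now = time.time() if now is None else now
    st = os.stat(path)
    findings = []
    with open(path, encoding="utf-8") as fh:
        has_token = any(TOKEN_LINE.match(line) for line in fh)
    if not has_token:
        findings.append("no-token-field")
    # The file holds a bearer credential: any group/other permission exposes it.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("readable-by-others")
    # Assumption: mtime approximates the download time, when the token was issued.
    age = now - st.st_mtime
    if has_token and age >= TOKEN_LIFETIME_S:
        findings.append("token-expired")
    elif has_token and age >= TOKEN_LIFETIME_S - 3600:
        findings.append("token-expires-within-1h")
    return findings


if __name__ == "__main__":
    if len(sys.argv) < 2:  # no path given: audit the constructed sample
        with tempfile.NamedTemporaryFile("w", suffix=".yaml", delete=False) as tmp:
            tmp.write(SAMPLE)
        sys.argv.append(tmp.name)
    print(audit_kubeconfig(sys.argv[1]) or "no findings")
```

A `token-expired` finding means the kubeconfig has to be downloaded again with Token selected; `readable-by-others` is cleared with `chmod 600` on the file.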

You can view the kubeconfig file content for the cluster by selecting the option for the respective cluster in the Platform9 Clarity UI.