Authentication in PMK
PMK provides a layer of multi-tenancy on top of Kubernetes, so that you and members of your organization can collaborate and utilize multiple Kubernetes clusters across different teams and geographical regions.
Read more about PMK multitenancy here
PMK achieves multitenancy using an open source component called Keystone. Each deployment of PMK comes with an instance of Keystone, deployed in the PMK Management Plane.
Configure Authentication for a Cluster
When your PMK deployment is first created, a new user account with the Administrator role is created in Keystone within the ‘service’ tenant for the designated authorized user. If you sign up for Platform9 Managed Kubernetes Free Tier, a new user account with the Administrator role is created in the ‘service’ tenant in Keystone using your registered email address and password.
The Administrator user can then invite more users to the PMK deployment by adding them to PMK using the UI or API. This operation adds the users to Keystone with the appropriate role.
Configure External Access
In order to access your PMK clusters outside of the PMK UI, you need to have a kubeconfig file that is properly configured with either of the following:
- an access token generated from Keystone for your user account
- username and password for your user account stored in encrypted format
You can specify the authentication method to use while downloading the kubeconfig file through Platform9 Managed Kubernetes. Once the method is specified, the respective value is retrieved from Keystone for authentication and stored in the
Token-based authentication is the more secure of the two methods. Once generated, a token is valid for 24 hours, whereas a username-password combination remains valid for as long as the password is valid.
When you use token-based authentication, the token must be regenerated every 24 hours by downloading the kubeconfig file through the Platform9 Clarity UI. While downloading the kubeconfig file, you must select the desired authentication method as token, instead of password.
Follow the steps given below to download the kubeconfig file with a token.
- Click Kubernetes > API Access.
- Click the Download Config link for the desired cluster from the cluster list.
- Select Token as the Authentication Method and click Download Config.
The token field in the kubeconfig file is populated with the Keystone token for the user. The kubeconfig file is downloaded to the default download folder.
You can view the kubeconfig file content for the cluster by selecting the option for the respective cluster on Platform9 Clarity UI.
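The following is an added example, not Platform9 code: a local check that flags a downloaded kubeconfig whose token is past the 24-hour validity described above, or whose file permissions let other local users read the token. It assumes the token is stored under a YAML key named `token` and that the file's modification time approximates the download time; the function names, finding labels and sample content are constructed for illustration.

```python
import os
import re
import stat
import tempfile
import time

TOKEN_LIFETIME = 24 * 3600  # the page gives a 24-hour token validity

# Constructed sample; the token value is a placeholder, not a real Keystone token.
SAMPLE = """apiVersion: v1
kind: Config
users:
- name: user@example.com
  user:
    token: PLACEHOLDER-KEYSTONE-TOKEN
"""

def audit_kubeconfig(path, now=None):
    """Return findings for one kubeconfig file (empty list means clean)."""
    now = time.time() if now is None else now
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    findings = []
    # Assumption: the token is stored under a YAML key named "token".
    if not re.search(r"^\s*token:\s*\S+", text, re.MULTILINE):
        findings.append("no-token-field")
    # Assumption: file mtime approximates when the file was downloaded.
    elif now - st.st_mtime >= TOKEN_LIFETIME:
        findings.append("token-older-than-24h")
    # A bearer token is usable by anyone who can read the file.
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append("accessible-to-group-or-others")
    return findings

def write_sample(directory, mode, age_seconds, body=SAMPLE):
    """Create a constructed kubeconfig with the given mode and age."""
    path = os.path.join(directory, "kubeconfig-%o-%d.yaml" % (mode, age_seconds))
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)
    os.chmod(path, mode)
    mtime = time.time() - age_seconds
    os.utime(path, (mtime, mtime))
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for mode, age in [(0o600, 3600), (0o644, 3600), (0o600, 25 * 3600)]:
            print(oct(mode), age, audit_kubeconfig(write_sample(tmp, mode, age)))
```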