2019-05-01 16:11:23 -05:00
---
2020-04-07 14:55:19 -04:00
layout: docs
2023-09-19 16:34:54 -07:00
page_title: Kubernetes Auth Method
2020-04-07 14:55:19 -04:00
description: >-
2022-10-11 09:34:17 -05:00
Use the Kubernetes auth method type to authenticate to Consul with a Kubernetes service account token and receive an ACL token with privileges based on JWT identity attributes. Learn how to configure auth method parameters using this reference page and example configuration.
2019-05-01 16:11:23 -05:00
---
# Kubernetes Auth Method
2020-05-13 14:14:03 -05:00
-> **1.5.0+:** This feature is available in Consul versions 1.5.0 and newer.
2019-05-01 16:11:23 -05:00
The `kubernetes` auth method type allows for a Kubernetes service account token
to be used to authenticate to Consul. This method of authentication makes it
easy to introduce a Consul token into a Kubernetes pod.
This page assumes general knowledge of [Kubernetes](https://kubernetes.io/) and
the concepts described in the main [auth method
2023-01-25 10:52:43 -06:00
documentation](/consul/docs/security/acl/auth-methods).
2019-05-01 16:11:23 -05:00
## Config Parameters
2023-01-25 10:52:43 -06:00
The following auth method [`Config`](/consul/api-docs/acl/auth-methods#config)
2019-05-01 16:11:23 -05:00
parameters are required to properly configure an auth method of type
`kubernetes`:
- `Host` `(string: <required>)` - Must be a host string, a host:port pair, or a
2020-04-06 16:27:35 -04:00
URL to the base of the Kubernetes API server.
2019-05-01 16:11:23 -05:00
- `CACert` `(string: <required>)` - PEM encoded CA cert for use by the TLS
client used to talk with the Kubernetes API. NOTE: Every line must end with a
2020-05-13 14:14:03 -05:00
newline (`\n`). If not set, system certificates are used.
2019-05-01 16:11:23 -05:00
- `ServiceAccountJWT` `(string: <required>)` - A Service Account Token
2020-04-06 16:27:35 -04:00
([JWT](https://jwt.io/ 'JSON Web Token')) used by the Consul leader to
2019-05-01 16:11:23 -05:00
validate application JWTs during login.
2020-04-06 16:27:35 -04:00
2020-05-06 13:48:04 -05:00
- `MapNamespaces` `(bool: <false>)` <EnterpriseAlert inline /> -
2023-01-25 10:52:43 -06:00
**Deprecated in Consul 1.8.0 in favor of [namespace rules](/consul/api-docs/acl/auth-methods#namespacerules).**
2020-05-06 13:48:04 -05:00
Indicates whether the auth method should attempt to map the Kubernetes namespace to a Consul
2020-01-14 10:09:29 -05:00
namespace instead of creating tokens in the auth methods own namespace. Note
that mapping namespaces requires the auth method to reside within the
`default` namespace.
2023-01-25 10:52:43 -06:00
Deprecated in Consul 1.8.0 in favor of [namespace rules](/consul/api-docs/acl/auth-methods#namespacerules).
2020-04-06 16:27:35 -04:00
2020-05-06 13:48:04 -05:00
- `ConsulNamespacePrefix` `(string: <optional>)` <EnterpriseAlert inline /> -
2023-01-25 10:52:43 -06:00
**Deprecated in Consul 1.8.0 in favor of [namespace rules](/consul/api-docs/acl/auth-methods#namespacerules).**
2020-05-06 13:48:04 -05:00
When `MapNamespaces` is enabled, this value will be prefixed to the Kubernetes
2020-01-14 10:09:29 -05:00
namespace to determine the Consul namespace to create the new token within.
2023-01-25 10:52:43 -06:00
Deprecated in Consul 1.8.0 in favor of [namespace rules](/consul/api-docs/acl/auth-methods#namespacerules).
2020-01-14 10:09:29 -05:00
2020-04-23 15:13:18 -07:00
- `ConsulNamespaceOverrides` `(map: <string:string>)` <EnterpriseAlert inline /> -
2023-01-25 10:52:43 -06:00
**Deprecated in Consul 1.8.0 in favor of [namespace rules](/consul/api-docs/acl/auth-methods#namespacerules).**
2020-01-14 10:09:29 -05:00
This field is a mapping of Kubernetes namespace names to Consul namespace
names. If a Kubernetes namespace is present within this map, the value will
be used without adding the `ConsulNamespacePrefix`. If the value in the map
is `""` then the auth methods namespace will be used instead of attempting
to determine an alternate namespace.
2023-01-25 10:52:43 -06:00
Deprecated in Consul 1.8.0 in favor of [namespace rules](/consul/api-docs/acl/auth-methods#namespacerules).
2019-05-01 16:11:23 -05:00
### Sample Config
```json
{
2023-09-19 16:34:54 -07:00
"Name": "example-k8s-auth",
"Type": "kubernetes",
"Description": "Example JWT auth method",
2019-05-01 16:11:23 -05:00
"Config": {
"Host": "https://192.0.2.42:8443",
"CACert": "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----\n",
"ServiceAccountJWT": "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9..."
}
}
```
## RBAC
The Kubernetes service account corresponding to the configured
2023-01-25 10:52:43 -06:00
[`ServiceAccountJWT`](/consul/docs/security/acl/auth-methods/kubernetes#serviceaccountjwt)
2019-05-01 16:11:23 -05:00
needs to have access to two Kubernetes APIs:
2023-03-24 14:35:34 -05:00
- [**TokenReview**](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/)
2019-05-01 16:11:23 -05:00
2020-04-08 20:09:01 -04:00
-> Kubernetes should be running with `--service-account-lookup`. This is
defaulted to true in Kubernetes 1.7, but any versions prior should ensure
the Kubernetes API server is started with this setting.
2019-05-01 16:11:23 -05:00
2023-03-24 14:35:34 -05:00
- [**ServiceAccount**](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens)
2019-05-01 16:11:23 -05:00
The following is an example
[RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
configuration snippet to grant the necessary permissions to a service account
named `consul-auth-method-example`:
```yaml
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: review-tokens
namespace: default
subjects:
2020-04-06 16:27:35 -04:00
- kind: ServiceAccount
name: consul-auth-method-example
namespace: default
2019-05-01 16:11:23 -05:00
roleRef:
kind: ClusterRole
name: system:auth-delegator
apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: service-account-getter
namespace: default
rules:
2020-04-06 16:27:35 -04:00
- apiGroups: ['']
resources: ['serviceaccounts']
verbs: ['get']
2019-05-01 16:11:23 -05:00
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: get-service-accounts
namespace: default
subjects:
2020-04-06 16:27:35 -04:00
- kind: ServiceAccount
name: consul-auth-method-example
namespace: default
2019-05-01 16:11:23 -05:00
roleRef:
kind: ClusterRole
name: service-account-getter
apiGroup: rbac.authorization.k8s.io
```
## Kubernetes Authentication Details
Initially the
2023-01-25 10:52:43 -06:00
[`ServiceAccountJWT`](/consul/docs/security/acl/auth-methods/kubernetes#serviceaccountjwt)
2019-05-01 16:11:23 -05:00
given to the Consul leader uses the TokenReview API to validate the provided
JWT. The trusted attributes of `serviceaccount.namespace`,
`serviceaccount.name`, and `serviceaccount.uid` are populated directly from the
Service Account metadata.
The Consul leader makes an additional query, this time to the ServiceAccount
API to check for the existence of an annotation of
`consul.hashicorp.com/service-name` on the ServiceAccount object. If one is
found its value will override the trusted attribute of `serviceaccount.name`
for the purposes of evaluating any binding rules.
2020-05-13 14:14:03 -05:00
## Trusted Identity Attributes
The authentication step returns the following trusted identity attributes for
use in binding rule selectors and bind name interpolation.
| Attributes | Supported Selector Operations | Can be Interpolated |
| -------------------------- | -------------------------------------------------- | ------------------- |
| `serviceaccount.namespace` | Equal, Not Equal, In, Not In, Matches, Not Matches | yes |
| `serviceaccount.name` | Equal, Not Equal, In, Not In, Matches, Not Matches | yes |
| `serviceaccount.uid` | Equal, Not Equal, In, Not In, Matches, Not Matches | yes |