Authentication to the API is handled via Kubernetes service account tokens.
Except for the
/install/steward.json endpoints, every request must contain a bearer token. The HTTP header
Authorization must be set to
Bearer <token> with
<token> being a valid JWT token. This JWT token will then be used by the API to authenticate against the Kubernetes cluster.
/install/steward.json endpoint must provide a query parameter
token which contains the bootstrap token of a cluster. Such a token can only be used once and has a short (for example ~30 minutes) expiry time. The API uses it’s own service account to authenticate to Kubernetes and search the clusters for the provided bootstrap token. Once a cluster is found and the bootstrap token is still valid, the installation manifests will be returned and the token marked invalid.
API Service Account
The API needs a service account to communicate with Kubernetes. This service account should have the minimum required rights to search for clusters, mark bootstrap tokens as invalid and read a cluster’s service account token.
Such an RBAC
Role is included in the deployment manifests.