Everything Wrong with K8s Authentication and How We Worked Around It


Authors: Mo Khan, Margo Crawford


The presentation discusses the importance of secure identity assertion in Kubernetes clusters and presents a workaround using X.509 client certificates.
  • Impersonation proxies in Kubernetes have had critical CVEs in the past
  • Using the standard library instead of Kubernetes for critical code is safer
  • X.509 client certificates are a secure way to assert identity in Kubernetes
  • Pinniped provides a workaround for revoking certificates using the cluster signing key
The presenter describes several instances where companies using impersonation proxies in Kubernetes failed to validate inputs, leading to unprivileged users becoming full cluster admins and compromising the entire infrastructure. They emphasize the importance of limiting the negative effects of a cluster compromise and designing solutions specifically for this purpose.


Kubernetes provides many flexible authentication options, but they are inaccessible to a large portion of Kubernetes users in practice. When enterprise cluster administrators have clusters across many providers or distributions of Kubernetes, they struggle to unify them under a single identity platform. Kubernetes authentication options are often not available on managed cloud provider platforms, and even on self-hosted clusters it is non-trivial to integrate with common identity technologies such as OIDC or LDAP. This session will describe common pitfalls and limitations of Kubernetes authentication and show how to work around them. We will describe how to integrate identities from OIDC/LDAP into any Kubernetes cluster, provide nice login flows for cluster users, and enable federated logins across multiple clusters. Attend this session to learn about the latest Kubernetes auth integration techniques and see what’s coming in future Kubernetes versions.