Using existing PKI user certs


#1

Hi

My company issues users PKI certs signed by an internal company root CA. I would like to use these company-issued certs for user authentication into our k8s cluster. I thought that by adding the company root CA to the kube API server ca.pem file (in /etc/kubernetes/ssl) and then creating ClusterRole and ClusterRoleBindings for users, it would work. It doesn’t. Any ideas if this is even possible?

Thanks!
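
Added example, not part of the original post: when the API server authenticates client certificates against a CA bundle (its `--client-ca-file`), Kubernetes takes the username from the certificate's subject CN and the groups from its O fields, so the subjects in a ClusterRoleBinding have to match those strings exactly. The Python sketch below checks that for a constructed subject and binding; the sample values and function names are assumptions, and it assumes a subject with a single CN and ASCII-only values.

```python
import re

# Constructed sample: subject of a company-issued user cert, as printed by
#   openssl x509 -in user.pem -noout -subject -nameopt RFC2253
SAMPLE_SUBJECT = r"CN=Doe\, Jane (jdoe),OU=Engineering,O=platform-admins,O=Example Corp,C=US"

# Constructed sample: the `subjects` list of a ClusterRoleBinding.
SAMPLE_BINDING_SUBJECTS = [
    {"kind": "User", "name": "jdoe"},              # short login, not the cert CN
    {"kind": "Group", "name": "Platform-Admins"},  # differs from the cert O in case
]

def parse_rfc2253(dn):
    """Split an RFC 2253 DN into (attribute, value) pairs, honouring backslash escapes.
    Hex escapes (\\XX) and multi-valued RDNs ('+') are not handled here."""
    pairs = []
    for rdn in re.findall(r"(?:\\.|[^,\\])+", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), re.sub(r"\\(.)", r"\1", value)))
    return pairs

def k8s_identity(dn):
    """Identity the X.509 authenticator derives: CN -> username, each O -> a group."""
    pairs = parse_rfc2253(dn)
    user = next((v for a, v in pairs if a == "CN"), None)
    groups = [v for a, v in pairs if a == "O"]
    return user, groups

def matching_subjects(dn, binding_subjects):
    """Binding subjects satisfied by this certificate (exact, case-sensitive match)."""
    user, groups = k8s_identity(dn)
    return [s for s in binding_subjects
            if (s["kind"] == "User" and s["name"] == user)
            or (s["kind"] == "Group" and s["name"] in groups)]

if __name__ == "__main__":
    user, groups = k8s_identity(SAMPLE_SUBJECT)
    print("username seen by the API server:", repr(user))
    print("groups seen by the API server:  ", groups)
    hits = matching_subjects(SAMPLE_SUBJECT, SAMPLE_BINDING_SUBJECTS)
    print("binding subjects that match:    ", hits or "none, so RBAC grants nothing")
```

Running `kubectl auth can-i --list --as '<CN from the cert>'` against the cluster is a quick way to confirm what RBAC grants that exact username.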


#2

It would totally work just fine. One way we currently use a similar scenario in our cloud platform is to use the sssd service to communicate with the backend LDAP server, sign the certificate for the user, and authenticate him to the VM.

We are very soon going to replicate a similar scenario in our Kubernetes cluster and, on top of this, the OpenStack platform. But just to answer: it would totally work. Just as SSH keys can be consumed by the sssd, nss and pam services, they can also handle X.509 PKI certs.