3.10 Kubernetes Control Plane Authentication Path
Kubernetes Control Plane Authentication Path ensures secure access to the cluster's control plane through identity verification and role-based permissions.
Kubernetes Control Plane Authentication Path is the specific sequence a request's credentials travel through before an identity is attached to it, describing how the API server evaluates a chain of configured authenticator plugins in order, stopping at the first one able to establish an identity, rather than requiring every authenticator to agree.
A Chain, Not a Single Check
Multiple Authenticators Configured Simultaneously
The API server is architected to support multiple authenticator mechanisms configured at once, such as client certificates, bearer tokens, and integration with an external identity provider, forming a chain that an incoming request's credentials pass through in sequence.
First Success Wins
The authentication path is architected so that the chain is evaluated until one authenticator successfully establishes an identity from the presented credential; once that happens, evaluation stops, and remaining authenticators in the chain are not consulted for that request.
Certificate-Based Path
Client Certificate as a Direct Credential
When a request presents a client certificate signed by a certificate authority the API server trusts, the authentication path extracts identity information, such as a username and group memberships, directly from fields within that certificate, without any further external lookup.
Token-Based Path
Bearer Token Evaluated Against Configured Verifiers
When a request instead presents a bearer token, the authentication path routes it to whichever token-verifying mechanism is configured, such as validating a service account token's signature against keys known to the API server, or forwarding the token to an external identity provider for verification.
Service Account Tokens as an In-Cluster Special Case
Because service account tokens are issued and validated using material the API server itself controls, this particular path within the chain does not require any external network call, distinguishing it from paths that depend on reaching an external identity provider.
Failure at the End of the Path
No Success Means No Identity
If a request's credentials fail every authenticator in the configured chain, the authentication path concludes with no identity established at all, and the request is rejected immediately, never reaching the subsequent authorization stage.
Anonymous Requests as an Explicit, Separate Path
Some clusters are configured to treat entirely credential-less requests as an explicit anonymous identity rather than an authentication failure, a distinct path that must be deliberately enabled rather than being the default outcome of every unauthenticated request.