# API server authentication

Kuma exposes API server on ports 5681 and 5682 (protected by TLS).

An authenticated user can be authorized to execute administrative actions such as

  • Managing administrative resources like Kuma Secrets on Universal
  • Generating user token, data plane proxy token, zone ingress token, zone token

# User token

A user token is a signed JWT token that contains

  • The name of the user
  • The list of groups that a user belongs to
  • Expiration date of the token

# Groups

A user can be a part of many groups. Kuma adds two groups to a user automatically:

  • authenticated users are a part of mesh-system:authenticated.
  • unauthenticated users are part of mesh-system:unauthenticated.

# Admin user token

Kuma creates an admin user token on the first start of the control plane. The admin user token is a user token issued for user mesh-system:admin that belongs to mesh-system:admin group. This group is authorized by default to execute all administrative operations.

    # Generate user tokens

    You can generate user tokens only when you provide the credentials of a user authorized to generate user tokens. kumactl configured with admin user token extracted in the preceding section is authorized to do it.

    kumactl generate user-token \
      --name john \
      --group team-a \
      --valid-for 24h
    
    1
    2
    3
    4

    or you can use API

    curl localhost:5681/tokens/user \
      -H'authentication: Bearer eyJhbGc...' \
      -H'content-type: application/json' \
      --data '{"name": "john","groups": ["team-a"], "validFor": "24h"}' 
    
    1
    2
    3
    4

    # Explore an example token

    You can decode the tokens to validate the signature or explore details.

    For example, run:

    kumactl generate user-token \
      --name john \
      --group team-a \
      --valid-for 24h
    
    1
    2
    3
    4

    which returns:

    eyJhbGciOiJSUzI1NiIsImtpZCI6IjEiLCJ0eXAiOiJKV1QifQ.eyJOYW1lIjoiam9obiIsIkdyb3VwcyI6WyJ0ZWFtLWEiXSwiZXhwIjoxNjM2ODExNjc0LCJuYmYiOjE2MzY3MjQ5NzQsImlhdCI6MTYzNjcyNTI3NCwianRpIjoiYmYzZDBiMmUtZDg0MC00Y2I2LWJmN2MtYjkwZjU0MzkxNDY4In0.XsaPcQ5wVzRLs4o1FWywf6kw4r2ceyLGxYO8EbyA0fAxU6BPPRsW71ueD8ZlS4JlD4UrVtQQ7LG-z_nIxlDRAYhx4mmHnSjtqWZIsVS13QRrm41zccZ0SKHYxGvWMW4IkGwUbA0UZOJGno8vbpI6jTGfY9bmof5FpJJAj_sf99jCaI1H_n3n5UxtwKVN7dXXD82r6axj700jgQD-2O8gnejzlTjZkBpPF_lGnlBbd39S34VNwT0UlvRJLmCRdfh5EL24dFt0tyzQqDG2gE1RuGvTV9LOT77ZsjfMP9CITICivF6Z7uqvlOYal10jd5gN0A6w6KSI8CCaDLmVgUHvAw
    
    1

    Paste the token into the UI at jwt.io (opens new window), or use jwt-cli (opens new window) tool

    kumactl generate user-token --name=john --group=team-a --valid-for=24h | jwt
    
    To verify on jwt.io:
    
    https://jwt.io/#id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjEiLCJ0eXAiOiJKV1QifQ.eyJOYW1lIjoiam9obiIsIkdyb3VwcyI6WyJ0ZWFtLWEiXSwiZXhwIjoxNjM2ODExNjc0LCJuYmYiOjE2MzY3MjQ5NzQsImlhdCI6MTYzNjcyNTI3NCwianRpIjoiYmYzZDBiMmUtZDg0MC00Y2I2LWJmN2MtYjkwZjU0MzkxNDY4In0.XsaPcQ5wVzRLs4o1FWywf6kw4r2ceyLGxYO8EbyA0fAxU6BPPRsW71ueD8ZlS4JlD4UrVtQQ7LG-z_nIxlDRAYhx4mmHnSjtqWZIsVS13QRrm41zccZ0SKHYxGvWMW4IkGwUbA0UZOJGno8vbpI6jTGfY9bmof5FpJJAj_sf99jCaI1H_n3n5UxtwKVN7dXXD82r6axj700jgQD-2O8gnejzlTjZkBpPF_lGnlBbd39S34VNwT0UlvRJLmCRdfh5EL24dFt0tyzQqDG2gE1RuGvTV9LOT77ZsjfMP9CITICivF6Z7uqvlOYal10jd5gN0A6w6KSI8CCaDLmVgUHvAw
    
    ✻ Header
    {
      "alg": "RS256",
      "kid": "1",
      "typ": "JWT"
    }
    
    ✻ Payload
    {
      "Name": "john",
      "Groups": [
        "team-a"
      ],
      "exp": 1636811674,
      "nbf": 1636724974,
      "iat": 1636725274,
      "jti": "bf3d0b2e-d840-4cb6-bf7c-b90f54391468"
    }
       Issued At: 1636725274 11/12/2021, 2:54:34 PM
       Not Before: 1636724974 11/12/2021, 2:49:34 PM
       Expiration Time: 1636811674 11/13/2021, 2:54:34 PM
    
    ✻ Signature XsaPcQ5wVzRLs4o1FWywf6kw4r2ceyLGxYO8EbyA0fAxU6BPPRsW71ueD8ZlS4JlD4UrVtQQ7LG-z_nIxlDRAYhx4mmHnSjtqWZIsVS13QRrm41zccZ0SKHYxGvWMW4IkGwUbA0UZOJGno8vbpI6jTGfY9bmof5FpJJAj_sf99jCaI1H_n3n5UxtwKVN7dXXD82r6axj700jgQD-2O8gnejzlTjZkBpPF_lGnlBbd39S34VNwT0UlvRJLmCRdfh5EL24dFt0tyzQqDG2gE1RuGvTV9LOT77ZsjfMP9CITICivF6Z7uqvlOYal10jd5gN0A6w6KSI8CCaDLmVgUHvAw
    
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29

    # Token revocation

    Kuma doesn't keep the list of issued tokens. To invalidate the token, you can add it to a revocation list. Every user token has its own ID. As you saw in the previous section, it's available in payload under jti key. To revoke tokens, specify list of revoked IDs separated by , and store it as GlobalSecret named user-token-revocations

      # Signing key

      A user token is signed by a signing key that's autogenerated on the first start of the control plane. The signing key is a 2048-bit RSA key stored as a GlobalSecret with a name that looks like user-token-signing-key-{serialNumber}.

      # Signing key rotation

      If the signing key is compromised, you must rotate it including all the tokens that were signed by it.

      1. Generate a new signing key

        Make sure to generate the new signing key with a serial number greater than the serial number of the current signing key.

        • Regenerate user tokens

          Create new user tokens. Tokens are always signed by the signing key with the highest serial number. Starting from now, tokens signed by either new or old signing key are valid.

        • Remove the old signing key

            All new requests to the control plane now require tokens signed with the new signing key.

          # Disabling bootstrap of the admin user token

          You can remove the default admin user token from the storage and prevent it from being recreated. Keep in mind that even if you remove the admin user token, the signing key is still present. A malicious actor that acquires the signing key, can generate an admin token.

            # Admin client certificates

            This section describes the alternative way of authenticating to API Server.

            Admin client certificates are deprecated. If you are using it, please migrate to the user token in preceding section.

            To use admin client certificates, set KUMA_API_SERVER_AUTHN_TYPE to adminClientCerts.

            All users that provide client certificate are authenticated as a user with the name mesh-system:admin that belongs to group mesh-system:admin.

            # Usage

            1. Generate client certificates by using kumactl

              kumactl generate tls-certificate --type=client \
                --cert-file=/tmp/tls.crt \
                --key-file=/tmp/tls.key
              
              1
              2
              3
            2. Configure the control plane with client certificates

              • Configure kumactl with valid client certificate

                kumactl config control-planes add \
                  --name=<NAME>
                  --address=https://<KUMA_CP_DNS_NAME>:5682 \
                  --client-cert-file=/tmp/tls.crt \
                  --client-key-file=/tmp/tls.key \
                  --ca-cert-file=/tmp/ca.crt
                
                1
                2
                3
                4
                5
                6

                If you want to skip CP verification, use --skip-verify instead of --ca-cert-file.

              # Multizone

              In a multizone setup, users execute a majority of actions on the global control plane. However, some actions like generating dataplane tokens are available on the zone control plane. The global control plane doesn't propagate authentication credentials to the zone control plane. You can set up consistent user tokens across the whole setup by manually copying signing key from global to zone control planes.

              Last Updated: 8/22/2022, 3:23:49 PM