=  k8s/StudyNotes/ k8s-certs-security =
 
 * kubectl uses $HOME/.kube/config for cert auth
   * config structure: {{{Clusters: }}} -> {{{ Contexts: (Namespace)}}} <- {{{ Users: }}}, i.e. a context binds one cluster to one user (plus an optional default namespace)
     * kubectl config view
     * kubectl config use-context prod-user@production

 * kube-apiserver at the center
   * Who can access? Authentication methods
     * --(Static PWD, CSV file with lines {{{ password123,user1,u0001,group1 }}} (password,user,uid,group), loaded with {{{ kube-apiserver --basic-auth-file=user-details.csv }}} )--
        * Auth with {{{ curl -v -k https://master-node-ip:6443/api/v1/pods -u "user1:password123" }}}
     * Static Token, {{{ kube-apiserver --token-auth-file=user-details.csv }}}
        * Auth with {{{ curl -v -k https://master-node-ip:6443/api/v1/pods --header "Authorization: Bearer KpjCViY" }}}
     * Cert
     * SSO
   * What can they do? Authorization modes: RBAC, ABAC, Node, Webhook
   * All component-to-kube-apiserver communication is TLS authenticated (client certs on both sides).

 * k8s relies on external user administration (it has no User object), but it does manage ServiceAccounts for integrations/bots

 * View certificates {{{ openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text }}}


 * k8s has Certificates API
   * User gen cert {{{$ openssl genrsa -out jane.key 2048 }}} then csr {{{$ openssl req -new -key jane.key -subj "/CN=jane" -out jane.csr }}}
   * Admin receives the CSR file and wraps it in a k8s CertificateSigningRequest object
   * jane.csr.yaml, with {{{ request: }}} holding the base64-encoded jane.csr on a single line {{{
       apiVersion: certificates.k8s.io/v1beta1   # v1 (k8s >= 1.19, v1beta1 removed in 1.22) also requires spec.signerName: kubernetes.io/kube-apiserver-client
       kind: CertificateSigningRequest
       metadata:
         name: jane
       spec:
         groups:
         - system:authenticated
         usages:
         - digital signature
         - key encipherment
         - client auth   # jane's cert authenticates her as a client to the API server, so client auth, not server auth
         request: <the base64-encoded jane.csr>
     }}}
   * Add the CSR object to k8s: {{{$ kubectl apply -f jane.csr.yaml }}}
     * view with {{{ kubectl get csr }}} (condition is Pending until approved)
   * Approve the CSR (check what the request actually asks for first: the subject's CN becomes the user name and each O becomes a group)
     * {{{ kubectl certificate approve jane }}}
     * {{{ kubectl get csr jane -o yaml }}} then base64 -d the {{{ status.certificate }}} field to get jane's signed cert.
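   * The CSR flow above, as an added example in Go (not from these notes or from Kubernetes itself): NewRequest builds the {{{ spec.request }}} value from a fresh key, and InspectRequest is the check an approver should run before {{{ kubectl certificate approve }}}, since the object only shows a base64 blob. The EC key is an assumption made to keep it fast; the notes use RSA via openssl and the flow is identical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
)

// NewRequest returns the value for spec.request: base64 of the PEM-encoded PKCS#10 CSR.
// The notes use an RSA key from openssl; the EC key here is an assumption (faster, same flow).
func NewRequest(user string, groups []string) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: user, Organization: groups}}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	if err != nil {
		return "", err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return base64.StdEncoding.EncodeToString(pemBytes), nil
}

// InspectRequest decodes spec.request and returns the identity a signed cert
// would grant: CN is the Kubernetes user name, each O entry is a group. The
// approver should see this before running `kubectl certificate approve`.
func InspectRequest(b64 string) (user string, groups []string, err error) {
	pemBytes, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", nil, err
	}
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return "", nil, errors.New("spec.request does not contain a PEM CSR")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", nil, err
	}
	if err := csr.CheckSignature(); err != nil { // requester must hold the private key
		return "", nil, err
	}
	return csr.Subject.CommonName, csr.Subject.Organization, nil
}
```

In a real cluster the input to InspectRequest is {{{ kubectl get csr jane -o jsonpath='{.spec.request}' }}}; anything whose CN or O you did not expect should be denied rather than approved.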