![[Pasted image 20250130111146.png]] Kubernetes (k8s) authentication and authorization are two essential security mechanisms to control access to the cluster.

Authentication in Kubernetes verifies the identity of users or components trying to interact with the API server.

Kubernetes does not have a built-in user management system. Instead, it relies on external authentication mechanisms.

Authentication Methods in Kubernetes

  1. X.509 Client Certificates
    • Users authenticate using certificates issued by the Kubernetes certificate authority (CA).
    • Configured via kubeconfig file (kubectl config set-credentials ...).
  2. Static Token File
    • Predefined token file is passed to the API server at startup.
    • Deprecated and not recommended for production.
  3. Bootstrap Tokens
    • Temporary tokens used for bootstrapping new nodes.
  4. Service Account Tokens
    • Used by pods running inside the cluster to authenticate against the API server.
    • Tokens are auto-mounted inside pods at /var/run/secrets/kubernetes.io/serviceaccount/token.
  5. OpenID Connect (OIDC)
    • Integrates Kubernetes with external identity providers like Google, Okta, Keycloak for authentication.
  6. Webhook Token Authentication
    • A webhook validates credentials against an external authentication service.
  7. Authentication Proxy
    • Uses an external reverse proxy (e.g., NGINX, Istio, OAuth2-proxy) to handle authentication.

2. Authorization (What are you allowed to do?)

After authentication, Kubernetes checks whether the user has permission to perform the requested action.

Authorization Mechanisms in Kubernetes

  1. Role-Based Access Control (RBAC) (Most Common)

    • Uses Roles and RoleBindings (for a namespace) or ClusterRoles and ClusterRoleBindings (for cluster-wide access).
    • Example RBAC rule:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
  1. Attribute-Based Access Control (ABAC)
  • Uses policies stored in a JSON file.
  • Example:
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "dev-user", "namespace": "default", "resource": "pods", "readonly": true}}
  • Less commonly used compared to RBAC.

  1. Node Authorization

    • Nodes can only perform actions required for their assigned pods (e.g., reading secrets for a scheduled pod).

  2. Webhook Authorization

    • Sends authorization requests to an external service for validation.
© 2025 GeeksDirectory