Authentication – Who are you? The process of verifying the identity of a user or process: the API server checks the credential presented with each request and, if it trusts it, derives a username and a set of groups from it.
Authorization – What may you do? Deciding which actions an already-authenticated identity may perform, on which resources, and in which scope (one namespace or the whole cluster).
Official ref for Authentication
Methods of Authentication in Kubernetes
- X.509 client certificates (covered below)
- Bearer tokens: static token file, bootstrap tokens, service account tokens, OIDC ID tokens
- Webhook token authentication
The API server runs every configured authenticator in turn; the first one that accepts the credential supplies the username and groups used for authorization.
How does certificate-based auth work in Kubernetes?
- The user (or an administrator on the user's behalf) creates a private key. The key never needs to leave the user's workstation.
- The user/administrator generates a certificate signing request (CSR) from that key. The subject matters: the CN becomes the Kubernetes username and each O entry becomes a group membership.
- The administrator reviews the subject, approves the request and signs it with the cluster CA (the CA the API server was started with via --client-ca-file).
- The administrator returns the resulting certificate to the user.
- The user configures kubectl with the key and certificate; on every request the API server validates the certificate chain against its CA and reads the identity from the subject. No User object is created anywhere in the cluster.
How Token Based Auth Works in kubernetes?
How to create a user in Kubernetes? (There is no User resource; a "user" is simply an identity the authenticator reports, here the CN of a certificate signed by the cluster CA.)
# USER runs these commands on their workstation

# Create a private key
$ openssl genrsa -out employee.key 2048

# Create the CSR. CN=employee becomes the username, O=bitnami becomes the group.
$ openssl req -new -key employee.key -out employee.csr -subj "/CN=employee/O=bitnami"

# Send the CSR file to the CA (the cluster / K8s admin):
- manually, e.g. by email
- via the CertificateSigningRequest API

# ADMIN runs these commands where the cluster CA key lives. With kubeadm that is
# /etc/kubernetes/pki on a control-plane node; ca.key must never be copied to a workstation.
# 500 days is a long lifetime for a user certificate; there is no revocation in Kubernetes,
# so prefer short-lived certificates.
$ openssl x509 -req -in employee.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out employee.crt -days 500

# Admin sends employee.crt back to the USER:
- manually, e.g. by email
- via the CertificateSigningRequest API
- the user downloads it themselves

# USER adds employee.key and employee.crt to the kubeconfig
$ kubectl config set-credentials employee --client-certificate=/root/employee.crt --client-key=/root/employee.key
$ kubectl config view
$ kubectl config set-context employee-context --cluster=kubernetes --namespace=office --user=employee
$ kubectl config view

# ADMIN creates the namespace the new context points at
$ kubectl create namespace office

# USER tries the new context
$ kubectl --context=employee-context get pods
Error from server (Forbidden): pods is forbidden: User "employee" cannot list resource "pods" in API group "" in the namespace "office"

# Forbidden, not Unauthorized: authentication succeeded and the API server knows the caller is
# "employee", but only authentication has been set up. The user has no rights in the cluster yet.
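The procedure above signs the CSR with ca.key by hand, which means the CA private key has to be reachable from wherever the admin works. The "csr api" alternative it mentions lets the control plane do the signing instead. The script below is an added example, not code from the original page: it builds the CSR on the workstation, wraps it in a CertificateSigningRequest object, approves it, fetches the signed certificate and wires it into kubeconfig. It assumes openssl and kubectl on the workstation and a current context with cluster-admin rights; the user name "employee", group "bitnami" and cluster name "kubernetes" mirror the page, while the 24-hour lifetime and the `run` argument guard are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original page): onboard a client-certificate user
# through the CertificateSigningRequest API, so the CA private key never leaves
# the control plane. Assumptions: openssl + kubectl on the workstation, current
# kubectl context has cluster-admin; USER_NAME/GROUP_NAME/CLUSTER mirror the page,
# the 24h certificate lifetime is our choice.
set -eu

USER_NAME="${USER_NAME:-employee}"
GROUP_NAME="${GROUP_NAME:-bitnami}"
CLUSTER="${CLUSTER:-kubernetes}"
WORKDIR="${WORKDIR:-.}"

# 1. USER: the private key stays on the workstation; only the CSR is sent.
#    CN becomes the Kubernetes username, O entries become group memberships.
gen_key_and_csr() {
    openssl genrsa -out "$WORKDIR/$USER_NAME.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/$USER_NAME.key" -out "$WORKDIR/$USER_NAME.csr" \
        -subj "/CN=$USER_NAME/O=$GROUP_NAME"
}

# Encode a PEM file as the single-line base64 string the CSR object expects.
b64_one_line() {
    base64 < "$1" | tr -d '\n'
}

# 2. Wrap the CSR in a CertificateSigningRequest object.
#    $1 = object name, $2 = base64 PEM CSR, $3 = requested lifetime in seconds.
#    kubernetes.io/kube-apiserver-client is the built-in signer whose
#    certificates the API server accepts for client authentication.
csr_manifest() {
    cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  request: $2
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: $3
  usages:
  - client auth
EOF
}

main() {
    gen_key_and_csr
    # 3. ADMIN: read the subject before approving; the CN/O in it ARE the identity.
    openssl req -in "$WORKDIR/$USER_NAME.csr" -noout -subject
    csr_manifest "$USER_NAME" "$(b64_one_line "$WORKDIR/$USER_NAME.csr")" 86400 | kubectl apply -f -
    kubectl certificate approve "$USER_NAME"
    # 4. The signed certificate appears in .status.certificate shortly after approval.
    until kubectl get csr "$USER_NAME" -o jsonpath='{.status.certificate}' | grep -q .; do sleep 1; done
    kubectl get csr "$USER_NAME" -o jsonpath='{.status.certificate}' | base64 -d > "$WORKDIR/$USER_NAME.crt"
    # 5. USER: wire key + cert into kubeconfig and try it. "Forbidden" (not
    #    "Unauthorized") means authentication worked; RBAC is the next step.
    kubectl config set-credentials "$USER_NAME" \
        --client-certificate="$WORKDIR/$USER_NAME.crt" --client-key="$WORKDIR/$USER_NAME.key"
    kubectl config set-context "$USER_NAME-context" --cluster="$CLUSTER" --namespace=office --user="$USER_NAME"
    kubectl --context="$USER_NAME-context" get pods || true
}

# Run only when asked (./csr-onboard.sh run), so the functions can be sourced without a cluster.
if [ "${1:-}" = "run" ]; then main; fi
```

The approval step is the security boundary: anyone who can create and approve CSRs for the kube-apiserver-client signer can mint an identity with any CN and O they like, so keep `certificatesigningrequests/approval` restricted to administrators.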
What are the methods of authorization in Kubernetes?
- Node (authorizes kubelets for the resources of their own node)
- ABAC (attribute-based, policy file)
- RBAC [ FOCUS ]
- Webhook (external policy service)
Authorization modes are enabled on the API server with --authorization-mode; a request is allowed as soon as any enabled authorizer allows it, and denied if none does.
Official ref for Authorization
How to authorize a user in a Kubernetes cluster? An RBAC rule answers three questions:
WHOM – the subject: a User, a Group (from the certificate's O field or the token) or a ServiceAccount. This is the part that lives in a RoleBinding or ClusterRoleBinding.
WHAT – the verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"], which grants every verb including ones added in later releases; avoid it outside lab clusters.
WHERE – the API resources and their API group ($ kubectl api-resources lists each resource, its group and whether it is namespaced; the core group is written as ""). A Role scopes the rules to one namespace, a ClusterRole applies cluster-wide.
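Putting WHOM, WHAT and WHERE together for the "employee" user from the earlier steps, as an added example that is not part of the original page: a namespaced Role grants get/list/watch on pods in the office namespace, a RoleBinding attaches it to the user, and `kubectl auth can-i --as` checks the result from the admin side without needing the user's kubeconfig. It assumes kubectl with cluster-admin rights (required both to create RBAC objects and to impersonate); the Role name "pod-reader", the binding name "read-pods" and the `run` argument guard are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original page): authorize the "employee" user with
# RBAC. WHOM = the RoleBinding subject, WHAT = the verbs, WHERE = resources and
# apiGroups inside a namespaced Role. Assumptions: kubectl with cluster-admin
# (needed to create RBAC objects and to impersonate with --as); the names
# "pod-reader" and "read-pods" are our choice.
set -eu

NAMESPACE="${NAMESPACE:-office}"
SUBJECT="${SUBJECT:-employee}"

# Emit a Role + RoleBinding. $1 = namespace, $2 = user name, $3 = space-separated verbs.
# Only the listed verbs on pods in the core ("") API group are granted; nothing
# about secrets, deployments or other namespaces is implied.
role_manifest() {
    # shellcheck disable=SC2086  # splitting $3 into one verb per word is intended
    yaml_verbs=$(printf '"%s", ' $3)
    yaml_verbs="[${yaml_verbs%, }]"
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: $1
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: $yaml_verbs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: $1
subjects:
- kind: User
  name: $2
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Ask the API server what the subject may do. Prints "yes" or "no"; the caller
# needs impersonate rights for --as, which cluster-admin has.
can_i() {  # $1 = verb, $2 = resource
    kubectl auth can-i "$1" "$2" -n "$NAMESPACE" --as="$SUBJECT" || true
}

main() {
    kubectl get namespace "$NAMESPACE" >/dev/null 2>&1 || kubectl create namespace "$NAMESPACE"
    role_manifest "$NAMESPACE" "$SUBJECT" "get list watch" | kubectl apply -f -
    # Expected: yes, yes, no, no. The two "no" answers show the grant stays
    # within the verbs and resource named, which is the point of not using ["*"].
    for check in "get pods" "list pods" "delete pods" "get secrets"; do
        printf '%-14s -> ' "$check"
        # shellcheck disable=SC2086
        can_i $check
    done
}

if [ "${1:-}" = "run" ]; then main; fi
```

After applying this, the `kubectl --context=employee-context get pods` call that returned Forbidden earlier succeeds, while `kubectl --context=employee-context get pods -n default` is still Forbidden because the Role is bound only in the office namespace.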