Understanding Authentication & Authorization in Kubernetes

Authentication – Who is making the request? The process of verifying the identity of a user or process; the API server answers this before it looks at anything else.
Authorization – What is that identity allowed to do, on which resources, and to what extent? Authentication says nothing about permissions: a user can be authenticated successfully and still be forbidden from doing anything.

Official ref for Authentication

  • https://kubernetes.io/docs/reference/access-authn-authz/authentication/

Methods of Authentication in Kubernetes

  • Certificate (X.509 client certificates signed by a CA the API server trusts)
  • Token (static token files, bootstrap tokens, service account tokens)
  • OpenID (OpenID Connect ID tokens issued by an external identity provider)
  • Web Hook (token verification delegated to an external HTTP service)

How Certificate Based Auth Works in Kubernetes?

  • User (or administrator on behalf of user) creates a private key. The private key never leaves the user's machine.
  • User/administrator generates a certificate signing request (CSR) from that key. The CSR subject matters: its CN becomes the Kubernetes username and its O entries become the user's groups.
  • Administrator reviews the request (the subject is what the cluster will trust), approves it and signs it with the cluster CA, i.e. the CA configured on the API server with --client-ca-file.
  • Administrator provides the resulting certificate back to the user, who presents it together with the private key on every request to the API server.

How Token Based Auth Works in Kubernetes?

How to create a user in Kubernetes?

Kubernetes has no user object to create. A "user" is simply whatever identity the API server extracts from a credential it trusts, so creating a user means issuing that user a credential, in this case a client certificate.


# USER runs these commands on their workstation
# Create a private key (it stays on the workstation; it is never sent to the admin)
$ openssl genrsa -out employee.key 2048

# Create the CSR file. CN becomes the Kubernetes username, O becomes the group name.
$ openssl req -new -key employee.key -out employee.csr -subj "/CN=employee/O=bitnami"

# How to send the CSR file to the CA (cluster admin)
- Manually, e.g. by email (send only employee.csr, never employee.key)
- Through the CertificateSigningRequest API (csr api)

# ADMIN runs this where the cluster CA key is available. On a kubeadm cluster that is
# /etc/kubernetes/pki/ on a control-plane node, not an ordinary workstation; the CA key
# should never be copied elsewhere. Check the subject of the CSR before signing it:
# whatever CN/O it contains is the identity the API server will trust.
$ openssl x509 -req -in employee.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out employee.crt -days 500

# Admin sends employee.crt back to the USER (the certificate is public, so no special protection is needed)
- Manually, e.g. by email
- Through the CSR API, where the user downloads it themselves

# USER adds employee.key & employee.crt to their kubeconfig file

$ kubectl config set-credentials employee --client-certificate=/root/employee.crt  --client-key=/root/employee.key

$ kubectl config view

# "kubernetes" must match a cluster name that already exists in the kubeconfig (see the clusters section of kubectl config view)
$ kubectl config set-context employee-context --cluster=kubernetes --namespace=office --user=employee

$ kubectl config view

# ADMIN (default context) creates the namespace the new context refers to
$ kubectl create namespace office

# USER tries the new context
[root@rajesh ~]# kubectl --context=employee-context get pods
Error from server (Forbidden): pods is forbidden: User "employee" cannot list resource "pods" in API group "" in the namespace "office"
# Authentication succeeded: the API server identified the request as User "employee".
# Authorization failed: nothing grants that user any rights yet, which is why the answer is
# Forbidden (403) rather than Unauthorized (401). A 401 here would mean the certificate itself was not accepted.
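The "csr api" route mentioned above, shown as an added example (not code from the original page): the user submits employee.csr as a CertificateSigningRequest object, the admin inspects and approves it from their own workstation, and the signed certificate is fetched from the object's status. It assumes the openssl steps above have already produced employee.csr, that the admin's kubectl context is allowed to approve CSRs, and a Kubernetes release that supports spec.expirationSeconds (1.22 or later); the function names are this example's own.

```shell
#!/bin/sh
# Added example: signing a client CSR through the CertificateSigningRequest API
# instead of copying the cluster CA key to a workstation. Assumes employee.csr
# exists (from the openssl commands above) and kubectl is configured.

# Build a CertificateSigningRequest manifest for a PEM CSR file. The request
# must be base64 on a single line; the signer kubernetes.io/kube-apiserver-client
# issues certificates that the API server accepts for client authentication.
csr_manifest() {
  user="$1"
  csr_file="$2"
  ttl_seconds="${3:-86400}"   # expirationSeconds: one day unless overridden
  encoded=$(base64 < "$csr_file" | tr -d '\n')
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${user}
spec:
  request: ${encoded}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: ${ttl_seconds}
  usages:
  - client auth
EOF
}

# USER: submit the request. Only the CSR leaves the workstation, never the key.
submit_csr() {
  csr_manifest "$1" "$2" | kubectl apply -f -
}

# ADMIN: look at the subject before approving. CN becomes the username and O
# the group, so a request claiming O=system:masters should be refused with
# `kubectl certificate deny` rather than approved.
inspect_csr() {
  kubectl get csr "$1" -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -subject
}

approve_csr() {
  kubectl certificate approve "$1"
}

# USER: the signed certificate appears in .status.certificate after approval.
fetch_cert() {
  kubectl get csr "$1" -o jsonpath='{.status.certificate}' | base64 -d > "$2"
}

# Typical run (user / admin / admin / user):
#   submit_csr employee employee.csr
#   inspect_csr employee
#   approve_csr employee
#   fetch_cert employee employee.crt
```

Because the admin never handles ca.key, this flow also works when the control plane is managed and the CA key is not reachable at all; the price is that the cluster's own signer decides the certificate lifetime, so keep expirationSeconds short and rely on re-issuing rather than long-lived certificates.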

What are the Methods of Authorization in Kubernetes?

  • Node (grants kubelets access only to the resources of their own node)
  • ABAC (attribute-based policies kept in a file on the API server; changing them needs an API server restart)
  • RBAC [ FOCUS ] (Roles/ClusterRoles bound to users, groups or service accounts, managed as ordinary API objects)
  • Webhook (the decision is delegated to an external HTTP service)

The modes in use are selected with the kube-apiserver flag --authorization-mode; a request is allowed as soon as any configured mode allows it.

Official ref for Authorization

  • https://kubernetes.io/docs/reference/access-authn-authz/authorization/

How to authorize a user in a Kubernetes cluster?

Every authorization rule answers three questions about a request, and a fourth decides which mechanism evaluates the rule:

WHOM – the subject: a USER or a GROUP (service accounts are treated as users here)
WHAT – the verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # ["*"] matches every verb, including ones added later, so use it sparingly
WHERE – the API resources and API groups the verbs apply to; $ kubectl api-resources lists them together with their group
HOW – the authorization mode that evaluates the rule:

  • Node
  • ABAC
  • RBAC [ FOCUS ]
  • Webhook

How RBAC works in Kubernetes?
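An added example (not from the original page) that turns the "pods is forbidden" error above into a permitted request with RBAC: a Role answers WHAT and WHERE, a RoleBinding answers WHOM. It assumes the "office" namespace and the "employee" user (group "bitnami") from the certificate steps; the manifests are produced by shell functions so they can be inspected before being applied, and the function and object names are this example's own.

```shell
#!/bin/sh
# Added example: minimal RBAC so that User "employee" may read pods in the
# "office" namespace and nothing else. Assumes the namespace and the user
# from the certificate procedure above exist.

# WHAT + WHERE: a Role is namespaced. apiGroups [""] is the core API group,
# which is where pods live; pods/log is a subresource and needs its own entry.
role_manifest() {
  ns="$1"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
EOF
}

# WHOM: a RoleBinding attaches the Role to a subject. kind is User (the
# certificate CN) or Group (the certificate O). Binding Group "bitnami" would
# grant every certificate issued with O=bitnami, not just employee.
rolebinding_manifest() {
  ns="$1"
  kind="$2"
  name="$3"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-${name}
  namespace: ${ns}
subjects:
- kind: ${kind}
  name: ${name}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# ADMIN: apply with the admin context, then verify without switching
# contexts. --as impersonates the user for that one request, so the admin
# can confirm the boundary before handing the kubeconfig over.
apply_employee_rbac() {
  role_manifest office | kubectl apply -f -
  rolebinding_manifest office User employee | kubectl apply -f -
  kubectl auth can-i list pods --namespace office --as employee      # yes
  kubectl auth can-i delete pods --namespace office --as employee    # no: verb not granted
  kubectl auth can-i list pods --namespace default --as employee     # no: Role is per namespace
}
```

After apply_employee_rbac, the earlier command succeeds: kubectl --context=employee-context get pods lists the pods in "office", while the same user still gets Forbidden in any other namespace and for any write verb. Granting more scope means a ClusterRole plus ClusterRoleBinding, which is exactly the step worth reviewing carefully.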

Rajesh Kumar