{"id":22898,"date":"2021-07-29T06:24:21","date_gmt":"2021-07-29T06:24:21","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=22898"},"modified":"2025-01-23T12:45:26","modified_gmt":"2025-01-23T12:45:26","slug":"understanding-authentication-authorization-in-kubernetes","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/understanding-authentication-authorization-in-kubernetes\/","title":{"rendered":"Understanding Authentication &#038; Authorization in kubernetes"},"content":{"rendered":"\n<p><strong>Authentication <\/strong>&#8211; Who is making the request? The process of verifying the identity of a user or process; on success the API server attaches a username and a set of groups to the request.<br><strong>Authorization<\/strong> &#8211; What is that verified identity allowed to do, on which resources, and in which namespace? Every request to kube-apiserver is authenticated first, then authorized, then passed through admission control.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Official ref for Authentication<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/authentication\/<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Methods of Authentication in Kubernetes<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>X.509 client certificate (signed by the CA handed to kube-apiserver as --client-ca-file)<\/li><li>Bearer token (static token file, bootstrap token, service account token)<\/li><li>OpenID Connect (OIDC) ID token from an external identity provider<\/li><li>Webhook token authentication (the API server asks an external service to validate the token)<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/Authentication-Authorization-kubernetes-tutorials-2.png\"><img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"360\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/Authentication-Authorization-kubernetes-tutorials-2.png\" alt=\"\" class=\"wp-image-22901\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/Authentication-Authorization-kubernetes-tutorials-2.png 640w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/Authentication-Authorization-kubernetes-tutorials-2-300x169.png 300w, 
https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/Authentication-Authorization-kubernetes-tutorials-2-355x199.png 355w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">How Certificate Based Auth Works in Kubernetes?<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>User (or an administrator on behalf of the user) creates a private key. The key stays on the user&#8217;s machine; only the CSR travels.<\/li><li>User\/administrator generates a certificate signing request (CSR). Its subject carries the identity: CN becomes the Kubernetes username and each O entry becomes a group.<\/li><li>Administrator approves the request and signs it with the cluster CA, the one kube-apiserver trusts through --client-ca-file. A certificate from any other CA is rejected no matter what its subject claims.<\/li><li>Administrator provides the resulting certificate back to the user. kube-apiserver does not check revocation lists, so a leaked certificate is usable until it expires; keep lifetimes short.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/Authentication-Authorization-kubernetes-tutorials-1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"681\" height=\"651\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/Authentication-Authorization-kubernetes-tutorials-1.png\" alt=\"\" class=\"wp-image-22899\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/Authentication-Authorization-kubernetes-tutorials-1.png 681w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/Authentication-Authorization-kubernetes-tutorials-1-300x287.png 300w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/a><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/Authentication-Authorization-kubernetes-tutorials-3.png\"><img loading=\"lazy\" decoding=\"async\" width=\"468\" height=\"222\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/Authentication-Authorization-kubernetes-tutorials-3.png\" alt=\"\" class=\"wp-image-22900\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/Authentication-Authorization-kubernetes-tutorials-3.png 468w, 
https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/Authentication-Authorization-kubernetes-tutorials-3-300x142.png 300w\" sizes=\"auto, (max-width: 468px) 100vw, 468px\" \/><\/a><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">How Token Based Auth Works in Kubernetes?<\/h2>\n\n\n\n<p>The client sends the token in the HTTP header Authorization: Bearer ... on every request. kube-apiserver validates it against whichever token authenticators are enabled (static token file, bootstrap tokens, the service account signing key, an OIDC issuer, or a webhook) and, on success, derives the username and groups from it. A token is a bearer secret: whoever holds it is that identity, so it must only travel over TLS and should be short-lived.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"419\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/Authentication-Authorization-kubernetes-tutorials-5.jpg\" alt=\"\" class=\"wp-image-22902\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/Authentication-Authorization-kubernetes-tutorials-5.jpg 800w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/Authentication-Authorization-kubernetes-tutorials-5-300x157.jpg 300w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/Authentication-Authorization-kubernetes-tutorials-5-768x402.jpg 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">How to create a user in Kubernetes?<\/h2>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\"># USER runs these commands on the workstation\n# 1. Create a private key (it never leaves the user's machine)\n$ openssl genrsa -out employee.key 2048\n\n# 2. Create the CSR. CN = Kubernetes username, O = group (repeat \/O= for more groups)\n$ openssl req -new -key employee.key -out employee.csr -subj \"\/CN=employee\/O=bitnami\"\n\n# 3. Send the CSR (never the key) to the CA owner (cluster admin)\n- Manually, e.g. by email\n- Through the CertificateSigningRequest API: kubectl create -f employee-csr.yaml, then the admin runs kubectl certificate approve employee\n\n# ADMIN runs this on the control-plane node, where the cluster CA key lives\n# Keep -days short: kube-apiserver does not check CRLs, so a leaked certificate stays valid until it expires\n$ openssl x509 -req -in employee.csr -CA \/etc\/kubernetes\/pki\/ca.crt -CAkey \/etc\/kubernetes\/pki\/ca.key -CAcreateserial -out employee.crt -days 30\n\n# ADMIN sends employee.crt back to the USER\n- Manually, e.g. by email\n- CSR API: the user fetches it with kubectl get csr employee -o jsonpath='{.status.certificate}' | base64 -d\n\n# USER sets employee.key &amp; employee.crt in the kubeconfig\n\n$ kubectl config set-credentials employee --client-certificate=\/root\/employee.crt --client-key=\/root\/employee.key\n\n$ kubectl config view\n\n$ kubectl config set-context employee-context --cluster=kubernetes --namespace=office --user=employee\n\n$ kubectl config view\n\n# ADMIN creates the namespace (the new user has no rights to do this)\n$ kubectl create namespace office\n\n$ kubectl --context=employee-context get pods\nError from server (Forbidden): pods is forbidden: User \"employee\" cannot list resource \"pods\" in API group \"\" in the namespace \"office\"\n# Authentication worked: the API server identified the caller as \"employee\". Authorization failed because no RBAC binding grants employee anything yet.\n# A failed authentication looks different: error: You must be logged in to the server (Unauthorized)<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">What are the Methods of Authorization in Kubernetes?<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Node (authorizes kubelets for the resources of the pods scheduled on their own node)<\/li><li>ABAC (policy file read by the API server at startup; changing it needs a restart)<\/li><li>RBAC [ FOCUS ] (Role, ClusterRole, RoleBinding and ClusterRoleBinding objects managed through the API)<\/li><li>Webhook (an external service makes the decision)<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Official ref for Authorization<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/authorization\/<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">How to authorize a user in a Kubernetes cluster?<\/h2>\n\n\n\n<p>WHOM &#8211; a User, a Group, or a ServiceAccount (the subjects of a binding)<br>WHAT &#8211; verbs: [&#8220;get&#8221;, &#8220;list&#8221;, &#8220;watch&#8221;, &#8220;create&#8221;, &#8220;update&#8221;, &#8220;patch&#8221;, &#8220;delete&#8221;] # [&#8220;*&#8221;] matches every verb, including ones added in future releases, so reserve it for break-glass roles<br>WHERE &#8211; API resources and API groups, listed with $ kubectl api-resources; plus the scope: one namespace (Role + RoleBinding) or the whole cluster (ClusterRole + ClusterRoleBinding)<br>HOW &#8211; one of the authorization modes listed above. kubeadm clusters enable Node,RBAC by default, and RBAC is the focus from here on.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How RBAC works in Kubernetes?<\/h2>\n\n\n\n<p>RBAC is allow-only: there are no deny rules, and a request is permitted as soon as any one rule bound to the caller (directly, or through one of its groups) matches the verb, resource and namespace. Roles hold the rules; bindings attach them to subjects. Check the outcome before and after creating a binding with kubectl auth can-i list pods --namespace office --as employee.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-1.png\"><img loading=\"lazy\" 
decoding=\"async\" width=\"569\" height=\"306\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-1.png\" alt=\"\" class=\"wp-image-22903\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-1.png 569w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-1-300x161.png 300w\" sizes=\"auto, (max-width: 569px) 100vw, 569px\" \/><\/a><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-2.png\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"271\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-2.png\" alt=\"\" class=\"wp-image-22904\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-2.png 624w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-2-300x130.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/a><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"700\" height=\"497\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-3.png\" alt=\"\" class=\"wp-image-22905\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-3.png 700w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-3-300x213.png 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"474\" 
src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-4-1024x474.png\" alt=\"\" class=\"wp-image-22906\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-4-1024x474.png 1024w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-4-300x139.png 300w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-4-768x356.png 768w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-4-1536x711.png 1536w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-4.png 1589w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-5.png\"><img loading=\"lazy\" decoding=\"async\" width=\"729\" height=\"517\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-5.png\" alt=\"\" class=\"wp-image-22907\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-5.png 729w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-5-300x213.png 300w\" sizes=\"auto, (max-width: 729px) 100vw, 729px\" \/><\/a><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-6.png\"><img loading=\"lazy\" decoding=\"async\" width=\"891\" height=\"561\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-6.png\" alt=\"\" 
class=\"wp-image-22908\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-6.png 891w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-6-300x189.png 300w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/07\/rbac-authorization-kubernetes-tutorials-6-768x484.png 768w\" sizes=\"auto, (max-width: 891px) 100vw, 891px\" \/><\/a><\/figure>\n\n\n\n<script src=\"https:\/\/gist.github.com\/devops-school\/6d03d1d1f2ff5de5f82a419e6a443fb8.js\"><\/script>\n","protected":false},"excerpt":{"rendered":"<p>Authentication &#8211; How User&#8217;s access should be allowed? 
The process or action of verifying the identity of a user or process.Authorization &#8211; What Access and till what extent should be&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[4859],"tags":[],"class_list":["post-22898","post","type-post","status-publish","format-standard","hentry","category-kubernetes"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/22898","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=22898"}],"version-history":[{"count":3,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/22898\/revisions"}],"predecessor-version":[{"id":24236,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/22898\/revisions\/24236"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=22898"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=22898"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=22898"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
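The certificate-based user flow described in the post ("How Certificate Based Auth Works" and "How to create user in kubernetes?") as an added, runnable example; this is not code from the original post. It reproduces the key, CSR and signing steps against a throwaway CA so that it runs offline, shows the username and groups the API server would derive from the subject, shows that a well-formed certificate from any other CA is rejected, and builds the CertificateSigningRequest manifest for the "csr api" route. It assumes openssl, base64 and mktemp are on PATH; the CA it creates is a constructed stand-in for /etc/kubernetes/pki/ca.crt and ca.key, and the names employee, bitnami and attacker are made up for the demo.

```shell
#!/bin/sh
# Added example (not code from the original post): the certificate-based
# user flow, run end to end against a throwaway CA so it works offline.
# Assumptions: openssl, base64 and mktemp are on PATH; the CA made here is a
# constructed stand-in for /etc/kubernetes/pki/ca.{crt,key}. On a real
# cluster only the CA named by kube-apiserver's --client-ca-file counts.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Admin side: constructed stand-in for the cluster CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=kubernetes-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# User side: private key plus CSR. CN becomes the Kubernetes username and
# every O entry becomes a group; the key never leaves this side.
make_user_csr() {  # $1=username $2=group
  openssl genrsa -out "$WORK/$1.key" 2048 >/dev/null 2>&1
  openssl req -new -key "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1/O=$2" >/dev/null 2>&1
}

# Admin side: sign with the CA, restricted to TLS client use and short-lived.
# kube-apiserver checks no CRL, so a leaked certificate works until it expires.
sign_user_csr() {  # $1=username $2=days
  printf 'keyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' >"$WORK/client.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$2" -extfile "$WORK/client.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# The identity the API server derives from the subject: CN or O values, one per line.
subject_field() {  # $1=username $2=RDN type (CN or O)
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//' | tr ',' '\n' | sed -n "s/^$2=//p"
}

# Would the API server accept it? The certificate must chain to the trusted CA
# and be valid as a TLS client certificate. Exit status 0 means accepted.
accepted_by_ca() {  # $1=certificate file
  openssl verify -purpose sslclient -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# A self-issued certificate claiming a privileged identity: well formed, but
# not signed by the cluster CA, so it must be rejected.
make_rogue_cert() {  # $1=username
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1/O=system:masters" \
    -keyout "$WORK/$1.rogue.key" -out "$WORK/$1.rogue.crt" >/dev/null 2>&1
}

# The "csr api" route from the post: the same CSR wrapped in a
# CertificateSigningRequest for the built-in kube-apiserver-client signer.
csr_manifest() {  # $1=username $2=requested lifetime in seconds
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  request: $(base64 <"$WORK/$1.csr" | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: $2
  usages:
  - client auth
EOF
}

make_ca
make_user_csr employee bitnami
sign_user_csr employee 30
echo "username: $(subject_field employee CN)"
echo "groups:   $(subject_field employee O | tr '\n' ' ')"
accepted_by_ca "$WORK/employee.crt" && echo "employee.crt: chains to the cluster CA, client auth OK"
make_rogue_cert attacker
if accepted_by_ca "$WORK/attacker.rogue.crt"; then
  echo "attacker.rogue.crt accepted: this must not happen"
else
  echo "attacker.rogue.crt (CN=attacker, O=system:masters) rejected: not issued by the cluster CA"
fi
csr_manifest employee 86400 >"$WORK/employee-csr.yaml"
echo "wrote employee-csr.yaml; on a cluster: kubectl apply -f it, then kubectl certificate approve employee"
```

The rogue certificate is the point of the `--client-ca-file` remark in the post: the subject says `O=system:masters`, which would be cluster-admin, but identity comes only from the signing CA, so it fails chain validation. The manifest path is what the post calls the "csr api"; after approval the signed certificate appears base64-encoded in `status.certificate` of the CertificateSigningRequest object.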
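The RBAC section of the post ("How to Authorized user" and "How RBAC works") shows the objects only in screenshots. As an added example that is not code from the original post or from Kubernetes, the block below generates the Role and RoleBinding that turn the post's "Forbidden" into an allow, and pairs them with a small evaluator that mirrors how the RBAC authorizer matches a request against bound rules (subject, namespace, resource, verb, with "*" as a wildcard and no deny rules). The evaluator is a teaching model of the matching logic only: it ignores apiGroups, resourceNames, nonResourceURLs and ClusterRoles, and on a real cluster the check to run is `kubectl auth can-i`. The policy table and the names office, employee, bitnami, intern and office-admin are constructed for the demo; only POSIX sh tools are assumed.

```shell
#!/bin/sh
# Added example (not from the original post or from Kubernetes): RBAC
# manifests for the post's "employee" user plus a teaching model of the
# authorizer's matching logic. Names and the policy table are constructed.
set -eu

# Comma-separated list to a YAML flow sequence: a,b -> ["a", "b"]
yaml_list() {
  printf '["%s"]' "$(printf '%s' "$1" | sed 's/,/", "/g')"
}

# Role: namespaced; its rules say which verbs are allowed on which resources.
role_manifest() {  # $1=namespace $2=name $3=resources (comma) $4=verbs (comma)
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: $1
  name: $2
rules:
- apiGroups: [""]
  resources: $(yaml_list "$3")
  verbs: $(yaml_list "$4")
EOF
}

# RoleBinding: attaches a Role to subjects inside one namespace. Subject kind is
# User, Group or ServiceAccount (a service account authenticates as
# system:serviceaccount:NAMESPACE:NAME).
rolebinding_manifest() {  # $1=namespace $2=name $3=role $4=subject kind $5=subject name
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: $1
  name: $2
subjects:
- kind: $4
  name: $5
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: $3
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Constructed policy: what the bindings in this namespace grant, one rule per
# line: subject-kind subject-name namespace resources verbs ("*" = any).
POLICY='User employee office pods,pods/log get,list,watch
Group bitnami office configmaps get,list
User office-admin office * *'

# "*" in a rule list matches anything; otherwise the item must be listed.
list_has() {  # $1=comma list $2=item
  case ",$1," in *",$2,"*|*",*,"*) return 0 ;; esac
  return 1
}

# RBAC is allow-only: the request succeeds if any rule bound to the user, or
# to one of the user's groups, matches namespace, resource and verb. There is
# no deny rule and no ordering. Prints allow or deny.
authorize() {  # $1=user $2=groups (comma) $3=namespace $4=resource $5=verb
  while read -r kind name ns res verbs; do
    case "$kind:$name" in
      "User:$1") ;;
      Group:*) list_has "$2" "$name" || continue ;;
      *) continue ;;
    esac
    [ "$ns" = "$3" ] || continue
    list_has "$res" "$4" || continue
    list_has "$verbs" "$5" || continue
    echo allow; return 0
  done <<EOF
$POLICY
EOF
  echo deny; return 0
}

show() {  # $1=user $2=groups $3=namespace $4=resource $5=verb
  printf '%-12s groups=%-8s %-6s %-10s in %-11s -> %s\n' \
    "$1" "${2:--}" "$5" "$4" "$3" "$(authorize "$@")"
}

role_manifest office pod-reader pods,pods/log get,list,watch
echo ---
rolebinding_manifest office read-pods pod-reader User employee
echo ---
show employee bitnami office pods list          # allow: User rule
show employee bitnami office pods delete        # deny: verb not granted
show employee bitnami kube-system pods list     # deny: Role is namespaced
show intern bitnami office configmaps get       # allow: via Group bitnami
show intern "" office configmaps get            # deny: not in the group
show office-admin "" office secrets delete      # allow: "*" matches anything
```

The last line is why the post's note about `["*"]` matters: a wildcard rule matches resources and verbs that did not exist when the role was written. Applying the two manifests with `kubectl apply -f` and re-running `kubectl --context=employee-context get pods` from the post turns the Forbidden into a pod list; `kubectl auth can-i delete pods --namespace office --as employee` still answers no.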