Download as PDF, PPTX
![Role Based Access Control (RBAC) - Roles
Role
“Applicable to a given namespace
only.”
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: cloudyuga
name: deployment-manager
rules:
- apiGroups: ["", "apps"]
resources: ["deployments", "replicasets", "pods"]
verbs: ["get", "list", "watch", "create", "update"]
ClusterRole
“Applicable Cluster Wide.”
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: deployment-manager-cluster
rules:
- apiGroups: ["", "apps"]
resources: ["deployments", "replicasets", "pods"]
verbs: ["get", "list", "watch", "create", "update"]](https://image.slidesharecdn.com/userauthenticationandauthorizarionink8s-181109095335/85/User-authentication-and-authorizarion-in-Kubernetes-17-320.jpg)
![Role Based Access Control (RBAC) - Roles
Role
“Applicable to a given namespace
only.”
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: cloudyuga
name: deployment-manager
rules:
- apiGroups: ["", "apps"]
resources: ["deployments", "replicasets", "pods"]
verbs: ["get", "list", "watch", "create", "update"]
ClusterRole
“Applicable Cluster Wide.”
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: deployment-manager-cluster
rules:
- apiGroups: ["", "apps"]
resources: ["deployments", "replicasets", "pods"]
verbs: ["get", "list", "watch", "create", "update"]](https://image.slidesharecdn.com/userauthenticationandauthorizarionink8s-181109095335/75/User-authentication-and-authorizarion-in-Kubernetes-17-2048.jpg)
Uploaded byNeependra Khare
User authentication and authorizarion in Kubernetes
This document discusses user authentication and authorization in Kubernetes. It describes how Kubernetes uses external services like Active Directory and LDAP for user authentication. It also explains the different types of users in Kubernetes including normal users, service accounts, and how kubeconfig files are used. The main authorization mechanism in Kubernetes is Role-Based Access Control (RBAC) which uses roles and role bindings to control access to Kubernetes API resources and operations.
More Related Content
Similar to User authentication and authorizarion in Kubernetes
![SmartFTP Enterprise 10.0.3277 Crack + License Key [2025]](https://cdn.slidesharecdn.com/ss_thumbnails/cloudnativeaachen-aug212025-250825083203-eef48411-250827084523-d3549a26-thumbnail.jpg?width=600ounds&width=560&fit=bounds)
![UiPath Automation Suite Installation (Hands-On) [2/3]](https://cdn.slidesharecdn.com/ss_thumbnails/automationsuitecommunitysession2-251015095633-a6d862f1-thumbnail.jpg?width=600ounds&width=560&fit=bounds)
User authentication and authorizarion in Kubernetes
- 1. K8sOM#15 User Authentication andAuthorization in Kubernetes Neependra Khare, CloudYuga
- 2. About the Speaker- Neependra Khare ● Founder and Principal Consultant at CloudYuga ● Author of Docker Cookbook - 2015 ● Author of “Introduction to Kubernetes” course on Edx ● Running Docker Meetup Group in Bangalore, India for more than 4 years now
- 3. Kubernetes Architecture Controller Scheduler API Server key/value store MasterNode Node Kubelet kube-proxy Node Kubelet kube-proxy Node Kubelet kube-proxy CLI/API
- 4. Kubernetes API Request Authenticaion Cana user to login to the cluster ? Authorization Can a user do requested action ? Admission Control Is it a valid request ? K8s objects
- 5.
- 6. Kubernetes Users ● Usersare not first class citizen of Kubernetes, like Pods ● In most of the cases, it is offloaded to external services like Active Directory, LDAP
- 7. Kubernetes Users ● Usersare not first class citizen like Pods ● In most of the cases, it is offloaded to external services like Active Directory, LDAP Normal Users Service Accounts
- 8. Normal Users ● BasicAuthentication ○ Pass a configutation with content like following to API Server <password>,<username>,<uid>,"<group1,group2>" <password>,<username>,<uid>,"<group1,group3>” ● X.509 Client Certificate ○ Create a user’s Public/Private key combination ○ Get it certified by a CA (Kubernetes CA) ● Bearer Tokens (JSON Web Tokens) ○ OpenID Connect ■ On Top of OAuth 2.0 ○ Webhooks
- 9. Service Account ● Thinkof it as a user, using which a process inside a Pod can access API Server. ● A Service Account with default name, gets created as we create a new namesapce. ● User defined Service Accounts can be created as well, which we can attach to the pod running in same namespace.
- 10. Kubeconfig File apiVersion: v1 clusters: -cluster: certificate-authority: /Users/neependra/.minikube/ca.crt server: https://192.168.99.100:8443 name: minikube contexts: - context: cluster: minikube user: minikube name: minikube current-context: minikube kind: Config preferences: {} users: - name: minikube user: client-certificate: /Users/neependra/.minikube/client.crt client-key: /Users/neependra/.minikube/client.key User dev Cluster devContext dev User qa Cluster qaContext qa User prod Cluster prodContext prod
- 11. Authentication Demo Workflow nkhare.key (openssl) nkhare.csr (openssl) nkhare-csr (k8sobject) nkhare.crt K8s CA
- 12.
- 13.
- 14. Kubernetes Authorization Can aUser do Requested Action ?
- 15. Kubernetes Authorization Can aUser do Requested Action ? ● Kubernetes Autorization Modules ○ AlwaysAllow ○ AlwaysDeny ○ Node ○ Attribute Based Access Control (ABAC) ○ Role Based Access Control (RBAC) ○ Webhook
- 16. Operations on KubernetesObjects ● create ● get ● delete ● list ● update ● edit ● patch ● watch ● ….
- 17. Role Based AccessControl (RBAC) - Roles Role “Applicable to a given namespace only.” kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: cloudyuga name: deployment-manager rules: - apiGroups: ["", "apps"] resources: ["deployments", "replicasets", "pods"] verbs: ["get", "list", "watch", "create", "update"] ClusterRole “Applicable Cluster Wide.” kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: deployment-manager-cluster rules: - apiGroups: ["", "apps"] resources: ["deployments", "replicasets", "pods"] verbs: ["get", "list", "watch", "create", "update"]
- 18. Kubernetes - APIs / /healthz/metrics /api /apis ….. /api/v1 /api/v1/pods /api/v1/nodes /api/v1/services …… /apis/apps /apis/apps/v1 /apis/apps/v1/Deployment /apis/apps/v1/DaemonSet /apis/apps/v1/StatefulSet ……. /apis/apps/v1beta1 /apis/…..
- 19. Role Based AccessControl (RBAC) - Role Bindings RoleBinding “Applicable to a given namespace only.” ClusterRoleBinding “Applicable Cluster Wide.” Role Subjects - Normal Users - Service Accounts - Groups ClusterRole Subjects - Normal Users - Service Accounts - Groups
- 20. Role Based AccessControl (RBAC) - Role Bindings RoleBinding kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: deployment-manager-binding namespace: cloudyuga subjects: - kind: User name: nkhare apiGroup: "rbac.authorization.k8s.io" roleRef: kind: Role name: deployment-manager apiGroup: "rbac.authorization.k8s.io" ClusterRoleBinding kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: cluster-manager-binding subjects: - kind: User name: nkhare apiGroup: "rbac.authorization.k8s.io" roleRef: kind: ClusterRole name: deployment-manager-cluster apiGroup: "rbac.authorization.k8s.io"
- 21.
- 22.