2. About the Speaker - Neependra Khare
● Founder and Principal Consultant at CloudYuga
● Author of Docker Cookbook - 2015
● Author of “Introduction to Kubernetes” course on Edx
● Running Docker Meetup Group in Bangalore, India
for more than 4 years now
4. Kubernetes API Request
Every request passes through three stages before it reaches the Kubernetes objects:
● Authentication: can the user log in to the cluster?
● Authorization: can the user perform the requested action?
● Admission Control: is it a valid request?
● Only then does the request act on the K8s objects
6. Kubernetes Users
● Users are not first-class citizens of Kubernetes, unlike Pods
● In most cases, user management is offloaded to external services like Active
Directory or LDAP
7. Kubernetes Users
● Users are not first-class citizens, unlike Pods
● In most cases, user management is offloaded to external services like Active
Directory or LDAP
● Two kinds of users: Normal Users and Service Accounts
8. Normal Users
● Basic Authentication
○ Pass a configuration file with content like the following to the API Server, one user per line (the static password file was deprecated in Kubernetes 1.16 and removed in 1.19)
<password>,<username>,<uid>,"<group1,group2>"
<password>,<username>,<uid>,"<group1,group3>"
● X.509 Client Certificate
○ Create a public/private key pair for the user
○ Get the certificate signed by a CA the cluster trusts (the Kubernetes CA); the certificate's CN becomes the username and its O fields become the groups
● Bearer Tokens (JSON Web Tokens)
○ OpenID Connect
■ Built on top of OAuth 2.0
○ Webhooks
9. Service Account
● Think of it as a user identity through which a process inside a Pod accesses the
API Server.
● A Service Account named default is created automatically in every new
namespace; Pods that do not specify one use it.
● User-defined Service Accounts can be created as well and attached to Pods
running in the same namespace.
15. Kubernetes Authorization
Can a user perform the requested action?
● Kubernetes Authorization Modules
○ AlwaysAllow
○ AlwaysDeny
○ Node
○ Attribute Based Access Control (ABAC)
○ Role Based Access Control (RBAC)
○ Webhook
16. Operations on Kubernetes Objects
● create
● get
● delete
● list
● update
● edit
● patch
● watch
● ….
17. Role Based Access Control (RBAC) - Roles
Role
"Applicable to a given namespace only."
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: cloudyuga
  name: deployment-manager
rules:
- apiGroups: ["", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update"]
ClusterRole
"Applicable cluster wide."
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployment-manager-cluster
rules:
- apiGroups: ["", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update"]
19. Role Based Access Control (RBAC) - Role Bindings
RoleBinding
"Applicable to a given namespace only."
Binds a Role to Subjects:
- Normal Users
- Service Accounts
- Groups
ClusterRoleBinding
"Applicable cluster wide."
Binds a ClusterRole to Subjects:
- Normal Users
- Service Accounts
- Groups
A RoleBinding may also reference a ClusterRole; the ClusterRole's permissions are then granted only inside the binding's namespace.
20. Role Based Access Control (RBAC) - Role Bindings
RoleBinding
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployment-manager-binding
  namespace: cloudyuga
subjects:
- kind: User
  name: nkhare
  apiGroup: "rbac.authorization.k8s.io"
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: "rbac.authorization.k8s.io"
ClusterRoleBinding
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-manager-binding
subjects:
- kind: User
  name: nkhare
  apiGroup: "rbac.authorization.k8s.io"
roleRef:
  kind: ClusterRole
  name: deployment-manager-cluster
  apiGroup: "rbac.authorization.k8s.io"
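To see how the namespace scoping in slides 17 to 20 plays out, here is an added toy evaluator (not the deck's or Kubernetes' own code) that applies the deployment-manager rules and the two bindings above to sample requests. The Rule and Binding classes and the "group:" prefix for group subjects are constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    """One entry of a Role/ClusterRole 'rules' list."""
    api_groups: list
    resources: list
    verbs: list

    def matches(self, api_group, resource, verb):
        def hit(allowed, value):  # "*" in a rule matches anything
            return "*" in allowed or value in allowed
        return (hit(self.api_groups, api_group)
                and hit(self.resources, resource)
                and hit(self.verbs, verb))


@dataclass
class Binding:
    """A RoleBinding (namespace set) or ClusterRoleBinding (namespace None)."""
    subjects: set        # user names, plus "group:<name>" for groups (constructed convention)
    rules: list          # rules of the referenced Role or ClusterRole
    namespace: str = None


def allowed(bindings, user, groups, verb, api_group, resource, namespace):
    """RBAC is deny-by-default: True only if some binding grants the request."""
    identities = {user} | {f"group:{g}" for g in groups}
    for b in bindings:
        if b.namespace is not None and b.namespace != namespace:
            continue  # a RoleBinding only applies inside its own namespace
        if not identities & b.subjects:
            continue  # binding names neither this user nor any of its groups
        if any(r.matches(api_group, resource, verb) for r in b.rules):
            return True
    return False


# Rules of the deck's deployment-manager Role and ClusterRole (slide 17)
DEPLOY_RULES = [Rule(["", "apps"], ["deployments", "replicasets", "pods"],
                     ["get", "list", "watch", "create", "update"])]
# RoleBinding for nkhare in cloudyuga, and the ClusterRoleBinding (slide 20)
ROLE_BINDING = Binding({"nkhare"}, DEPLOY_RULES, namespace="cloudyuga")
CLUSTER_BINDING = Binding({"nkhare"}, DEPLOY_RULES)

if __name__ == "__main__":
    for ns in ("cloudyuga", "other"):
        print(ns, allowed([ROLE_BINDING], "nkhare", [], "create", "apps", "deployments", ns))
```

With only the RoleBinding, nkhare can create deployments in cloudyuga but not in any other namespace; the ClusterRoleBinding lifts that restriction, while verbs outside the rule (such as delete) stay denied everywhere.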