Kubernetes - Role based access control [Part 11]

 

Every request to Kubernetes is first authenticated, Authentication provides the identity of the caller issuing the request.  It could integrate deeply with pluggable authentication provide like Azure Active Directory to establish an identity within third party system.

Once user have been authenticated, the authorization phase determines whether they are authorized to perform the request. Authorization is a combination of identify the user and the resource and verb or action that user is trying to perform it.

Kubernetes makes distinction between user identity and service account identity. The service account identity is managed by K8S inside the cluster where as user identity is a normal user who is try to access the resource from outside of the K8S.

Kubernetes is supporting number of different authentication providers such as:

* HTTP based authentication provider 
* Static token file on the host
* Cloud authentication provider such as AWS Identity and access management & Azure active Directory
* Authentication Webhooks.

Kubernetes there are 2 pairs of role and role binding.

• The first one  is applied in the name space level
• The second one is applied through cluster level

The Yaml configuration file for the role binding:

kind: Role

apiVersion: rbac.authorization.k8s.io/v1

metadata:

  namespace: default

  name: pod-and-services

rules:

- apiGroups: [""]

  resources: ["pods", "services"]

  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]