2. Authorization

    Role-Based Access Control (RBAC)

    Using RBAC Authorization

    Kinds of roles

    A Role grants permissions within a single Namespace; a ClusterRole is cluster-scoped (it is also what a RoleBinding references when the same permissions are reused inside a Namespace). The following manifest defines a namespaced Role:

    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      namespace: lfs158
      name: pod-reader
    rules:
    - apiGroups: [""] # "" indicates the core API group
      resources: ["pods"]
      verbs: ["get", "watch", "list"]
    

    As you can see, it creates a pod-reader Role whose single rule grants only read access (get, watch, list) to Pods in the lfs158 Namespace; any other verb, resource or Namespace is outside its scope. Once the Role is created, we can bind subjects to it with a RoleBinding.

    Role binding

    kubectl create clusterrolebinding my-cluster-role --clusterrole=cluster-admin --serviceaccount=kube-system:foo

    The command above imperatively creates a ClusterRoleBinding that grants the built-in cluster-admin ClusterRole to the foo ServiceAccount in the kube-system Namespace, i.e. unrestricted access to every resource in every Namespace. A binding can be one of two kinds:

    RoleBinding: It binds subjects (users, groups, or ServiceAccounts) to a Role within a single Namespace. A RoleBinding may also reference a ClusterRole; in that case it grants the ClusterRole's permissions only for namespaced resources within the RoleBinding's own Namespace.
    ClusterRoleBinding: It binds subjects to a ClusterRole and grants access to resources cluster-wide, across all Namespaces.

    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: pod-read-access
      namespace: lfs158
    subjects:
    - kind: ServiceAccount
      name: student
    roleRef:
      kind: Role
      name: pod-reader
      apiGroup: rbac.authorization.k8s.io
    

    To enable the RBAC authorizer, we would need to start the API server with the --authorization-mode=RBAC option. With the RBAC authorizer, policies are configured dynamically as API objects (Roles, ClusterRoles and their bindings) rather than in a static file. For more details, please review the Kubernetes documentation.
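    To make the scoping rules above concrete, here is an added example (not part of the course notes or of Kubernetes itself) that re-implements the core of the RBAC authorizer's matching logic in Python and runs it over the page's pod-reader Role and pod-read-access RoleBinding, plus the cluster-admin binding created by the kubectl command. The shape of the built-in cluster-admin ClusterRole and the request tuples are assumptions.

```python
# Added illustration of RBAC matching, not Kubernetes code. Manifests are the page's YAML as dicts.
POD_READER = {"kind": "Role", "metadata": {"namespace": "lfs158", "name": "pod-reader"},
              "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]}
POD_READ_ACCESS = {"kind": "RoleBinding", "metadata": {"namespace": "lfs158", "name": "pod-read-access"},
                   "subjects": [{"kind": "ServiceAccount", "name": "student"}],
                   "roleRef": {"kind": "Role", "name": "pod-reader"}}
# Assumed shape of the built-in cluster-admin ClusterRole, and the binding the kubectl command creates.
CLUSTER_ADMIN = {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
                 "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
MY_CLUSTER_ROLE = {"kind": "ClusterRoleBinding", "metadata": {"name": "my-cluster-role"},
                   "subjects": [{"kind": "ServiceAccount", "name": "foo", "namespace": "kube-system"}],
                   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}
ROLES = [POD_READER, CLUSTER_ADMIN]
BINDINGS = [POD_READ_ACCESS, MY_CLUSTER_ROLE]


def _matches(allowed, value):
    """A rule entry matches by exact value or by the '*' wildcard."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource):
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def subject_matches(subject, binding_ns, username):
    if subject["kind"] == "ServiceAccount":
        # A ServiceAccount subject without a namespace defaults to the binding's namespace.
        sa_ns = subject.get("namespace") or binding_ns
        return sa_ns is not None and username == f"system:serviceaccount:{sa_ns}:{subject['name']}"
    return subject["kind"] == "User" and username == subject["name"]


def is_allowed(roles, bindings, username, verb, resource, namespace, api_group=""):
    """True if some binding names the caller and its referenced role has a rule allowing the request."""
    by_ref = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        b_ns = b["metadata"].get("namespace")  # None for a ClusterRoleBinding
        if b["kind"] == "RoleBinding" and b_ns != namespace:
            continue  # a RoleBinding never grants anything outside its own namespace
        if not any(subject_matches(s, b_ns, username) for s in b["subjects"]):
            continue
        ref = b["roleRef"]  # a Role lives in the binding's namespace; a ClusterRole has none
        role = by_ref.get((ref["kind"], b_ns if ref["kind"] == "Role" else None, ref["name"]))
        if role and any(rule_allows(r, verb, api_group, resource) for r in role["rules"]):
            return True
    return False
```

    Pass a cluster-scoped request with namespace=None; the RoleBinding is then skipped and only the ClusterRoleBinding can match.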

    Attribute-Based Access Control (ABAC) Authorizer

    Using ABAC Authorization

    The following ABAC policy grants the user student read-only access to pods in the lfs158 Namespace:

    {
      "apiVersion": "abac.authorization.kubernetes.io/v1beta1",
      "kind": "Policy",
      "spec": {
        "user": "student",
        "namespace": "lfs158",
        "resource": "pods",
        "readonly": true
      }
    }
    

    To enable the ABAC authorizer, we would need to start the API server with the --authorization-mode=ABAC option. We would also need to specify the authorization policy with --authorization-policy-file=PolicyFile.json. The policy file holds one JSON policy object per line, and it is read only when the API server starts, so any change to the policy requires restarting the API server.

    Node Authorizer

    Node authorization is a special-purpose authorization mode that specifically authorizes API requests made by kubelets. It authorizes the kubelet's read operations on services, endpoints, nodes, etc., and its write operations on nodes, pods, events, etc. For more details, please review the Kubernetes documentation.

    Webhook Authorizer

    For more details, please review the Kubernetes documentation.
