
AuthN & AuthZ

kube-api

We can pass a static credential file to kube-apiserver.

/usr/local/bin/kube-apiserver \
...
--basic-auth-file=user-details.csv # static passwords; deprecated in 1.16 and removed in 1.19
# or
--token-auth-file=tokens.csv # static bearer tokens, one per line: token,user,uid,"group1,group2"

Static files are read once at startup (changing them needs an API server restart) and a single entry cannot be revoked on its own, so keep them for lab clusters; production clusters should use client certificates, OIDC or service account tokens.

When the API server runs as a static pod (kubeadm), the file must be visible inside the container: add a hostPath volume and a volumeMount for it, and add the flag to the command args in the static pod manifest. The kubelet restarts the API server by itself when the manifest changes.

/etc/kubernetes/manifests/kube-apiserver.yaml

Add bindings

A Role grants verbs on resources inside one namespace; a RoleBinding attaches that Role to a subject (User, Group or ServiceAccount). RBAC is purely additive: there is no deny rule, only grants.

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

---
# This role binding allows "user1" to read pods in the "default" namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: user1 # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role # this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
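How the API server's RBAC authorizer evaluates these objects, as an added example (written for this page, not code from the page or from Kubernetes): the Role and RoleBinding above, plus an assumed ClusterRole named secret-admin and an assumed second RoleBinding in the finance namespace, are embedded as Python dicts shaped like `kubectl get ... -o json` output (constructed sample data). `rbac_allows` answers whether an identity may perform a verb on a resource in a namespace; it goes a little beyond the page by handling Group subjects, a ClusterRole bound through a namespaced RoleBinding, and wildcard rules, which `wildcard_grants` lists for review.

```python
# Constructed sample objects (the page's Role/RoleBinding plus an assumed
# ClusterRole and a second RoleBinding), shaped like `kubectl get -o json`.
ROLES = [
    {"kind": "Role", "metadata": {"namespace": "default", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]},
]
CLUSTER_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "secret-admin"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]},
]
ROLE_BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"namespace": "default", "name": "read-pods"},
     "subjects": [{"kind": "User", "name": "user1"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    # A RoleBinding may reference a ClusterRole; the grant stays scoped to the binding's namespace.
    {"kind": "RoleBinding", "metadata": {"namespace": "finance", "name": "finance-secrets"},
     "subjects": [{"kind": "Group", "name": "finance-team"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-admin"}},
]
CLUSTER_ROLE_BINDINGS = []  # none in this sample; they would apply in every namespace


def _subject_matches(subject, user, groups):
    """Subject comparison is exact and case sensitive, as in the API server."""
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    if subject["kind"] == "ServiceAccount":
        # A service account authenticates as system:serviceaccount:<namespace>:<name>
        return user == f"system:serviceaccount:{subject.get('namespace', '')}:{subject['name']}"
    return False


def _rule_matches(rule, verb, api_group, resource):
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def _rules_for(role_ref, namespace):
    """Resolve a roleRef: a Role must live in the binding's namespace, a ClusterRole is global."""
    if role_ref["kind"] == "Role":
        pool = [r for r in ROLES if r["metadata"]["namespace"] == namespace]
    else:
        pool = CLUSTER_ROLES
    for role in pool:
        if role["metadata"]["name"] == role_ref["name"]:
            return role["rules"]
    return []  # dangling roleRef: the binding grants nothing


def rbac_allows(user, groups, verb, resource, namespace, api_group=""):
    """True if some binding visible from `namespace` grants (verb, api_group, resource)."""
    # ClusterRoleBindings apply everywhere; RoleBindings only in their own namespace,
    # even when the roleRef points at a ClusterRole.
    candidates = [(b, None) for b in CLUSTER_ROLE_BINDINGS]
    candidates += [(b, b["metadata"]["namespace"]) for b in ROLE_BINDINGS
                   if b["metadata"]["namespace"] == namespace]
    for binding, ns in candidates:
        if not any(_subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        for rule in _rules_for(binding["roleRef"], ns):
            if _rule_matches(rule, verb, api_group, resource):
                return True
    return False  # RBAC has no deny; "not granted" is the only negative answer


def wildcard_grants():
    """Roles whose rules use '*' on verbs or resources: review these first in an audit."""
    found = []
    for role in ROLES + CLUSTER_ROLES:
        for rule in role["rules"]:
            if "*" in rule.get("verbs", []) or "*" in rule.get("resources", []):
                found.append(f"{role['kind']}/{role['metadata']['name']}")
                break
    return found


if __name__ == "__main__":
    print("user1 list pods/default:", rbac_allows("user1", [], "list", "pods", "default"))
    print("user1 list pods/finance:", rbac_allows("user1", [], "list", "pods", "finance"))
    print("wildcard roles:", wildcard_grants())
```

The same resolution is what `kubectl auth can-i <verb> <resource> --as user1 -n default` asks the real API server; the script is useful when you only have exported manifests and no cluster access.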

Authenticate against kube

# User / password (basic auth, only works on API servers started with --basic-auth-file)
curl https://master-node:6443/api/v1/pods -u "user1:password123" --cacert ca.crt

# Certs
curl https://my-kube:6443/api/v1/pods --key admin.key --cert admin.crt --cacert ca.crt

# Using kubectl
kubectl get pods --server https://my-kube:6443 --client-key admin.key --client-certificate admin.crt --certificate-authority ca.crt
# or put them in a kubeconfig and pass it with --kubeconfig config (default: $HOME/.kube/config)

Do not skip the CA check with -k / --insecure: without it you are handing your credentials to whatever answers on port 6443.

curl https://master-node:6443/version # API server version, readable without credentials
/api # core group (pods, services, nodes, ...), e.g. /api/v1/namespaces/default/pods
/apis # named groups, more organised, new endpoints go in here
/apis/apps/v1/namespaces/default/deployments # (apis / api group / version / [namespaces / ns /] resource); the verb is the HTTP method (GET = get/list, POST = create, DELETE = delete)
/logs
/healthz # deprecated since 1.16 in favour of /livez and /readyz
/livez
/readyz
/version
/metrics

Kube Config

tip

kubectl reads $HOME/.kube/config by default; the path can also be overridden with the $KUBECONFIG environment variable (a colon-separated list of files is merged) or with --kubeconfig. Relative file paths inside the kubeconfig are resolved relative to the kubeconfig file itself.

apiVersion: v1
kind: Config
current-context: my-kube-admin@my-kube-playground
clusters:
- name: my-kube-playground
  cluster:
    certificate-authority: ca.crt # /etc/kubernetes/pki/ca.crt
    # certificate-authority-data: pass ca.crt's base64
    server: https://my-kube:6443

contexts:
# connects users and clusters
- name: my-kube-admin@my-kube-playground
  context:
    cluster: my-kube-playground
    user: my-kube-admin
    namespace: finance

users:
- name: my-kube-admin
  user:
    client-certificate: admin.crt
    client-key: admin.key
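Resolving and auditing a kubeconfig, as an added example (not code from this page or from kubectl). It takes the document above in the JSON form that `kubectl config view --raw -o json` prints, embedded here as a constructed sample together with an assumed second "lab" cluster/context/user that shows the weak settings worth flagging: a plain-http server, `insecure-skip-tls-verify`, and a basic-auth password stored in the file. `resolve_context` follows current-context to the cluster, user and namespace the way kubectl does; `audit_kubeconfig` returns the findings.

```python
import json

# Constructed sample shaped like `kubectl config view --raw -o json` output:
# the page's playground context plus an assumed sloppy "lab" context.
KUBECONFIG_JSON = """
{
  "apiVersion": "v1",
  "kind": "Config",
  "current-context": "my-kube-admin@my-kube-playground",
  "clusters": [
    {"name": "my-kube-playground",
     "cluster": {"certificate-authority": "ca.crt", "server": "https://my-kube:6443"}},
    {"name": "lab",
     "cluster": {"server": "http://10.0.0.5:8080", "insecure-skip-tls-verify": true}}
  ],
  "contexts": [
    {"name": "my-kube-admin@my-kube-playground",
     "context": {"cluster": "my-kube-playground", "user": "my-kube-admin", "namespace": "finance"}},
    {"name": "lab", "context": {"cluster": "lab", "user": "lab-user"}}
  ],
  "users": [
    {"name": "my-kube-admin",
     "user": {"client-certificate": "admin.crt", "client-key": "admin.key"}},
    {"name": "lab-user", "user": {"username": "user1", "password": "password123"}}
  ]
}
"""


def load(text=KUBECONFIG_JSON):
    return json.loads(text)


def _by_name(items, name):
    return next((i for i in items if i["name"] == name), None)


def resolve_context(cfg, name=None):
    """Follow current-context -> context -> cluster + user, as kubectl does."""
    name = name or cfg["current-context"]
    ctx = _by_name(cfg["contexts"], name)
    if ctx is None:
        raise KeyError(f"context {name!r} not in kubeconfig")
    cluster = _by_name(cfg["clusters"], ctx["context"]["cluster"])
    return {
        "context": name,
        "server": cluster["cluster"]["server"] if cluster else None,
        "user": ctx["context"]["user"],
        # kubectl falls back to the "default" namespace when the context sets none
        "namespace": ctx["context"].get("namespace", "default"),
    }


def audit_kubeconfig(cfg):
    """Return (kind, name, message) findings for settings that weaken authentication."""
    findings = []
    for c in cfg["clusters"]:
        spec = c["cluster"]
        if not spec["server"].startswith("https://"):
            findings.append(("cluster", c["name"], "server is not https: credentials travel in clear"))
        if spec.get("insecure-skip-tls-verify"):
            findings.append(("cluster", c["name"], "insecure-skip-tls-verify: the API server is never authenticated"))
        elif not (spec.get("certificate-authority") or spec.get("certificate-authority-data")):
            findings.append(("cluster", c["name"], "no CA configured: trust falls back to the system roots"))
    for u in cfg["users"]:
        spec = u["user"]
        if "password" in spec:
            findings.append(("user", u["name"], "static basic-auth password stored in kubeconfig"))
        if "token" in spec:
            findings.append(("user", u["name"], "bearer token stored in plaintext in kubeconfig"))
        if "client-key-data" in spec:
            findings.append(("user", u["name"], "private key embedded inline: the file itself is the credential"))
    for ctx in cfg["contexts"]:
        if _by_name(cfg["clusters"], ctx["context"]["cluster"]) is None:
            findings.append(("context", ctx["name"], "references a cluster that does not exist"))
    return findings


if __name__ == "__main__":
    cfg = load()
    print(resolve_context(cfg))
    for kind, name, msg in audit_kubeconfig(cfg):
        print(f"{kind}/{name}: {msg}")
```

Feed it a real file with `kubectl config view --raw -o json | python3 audit.py` style plumbing (replace `load()` with `json.load(sys.stdin)`); the `--raw` flag is needed, otherwise kubectl redacts the inline credential data the audit looks for.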

kubectl proxy

Starts a local HTTP proxy that attaches the credentials from your kubeconfig to every request and forwards it to the API server.
Great for curl. The listener is plain HTTP on localhost, so any process on the host can use your identity while it runs.

kubectl proxy --port=8001 &
curl localhost:8001/apis[/...]
warning

kube-proxy, the node component that implements Service networking between pods, is a different thing from kubectl proxy.

Authorization modes

  1. Node - Authorizes API requests made by kubelets (user system:node:<name> in group system:nodes) for the objects bound to their own node.
  2. ABAC (Attribute-Based Access Control) - Simple access control using attributes in a JSON policy file
  3. RBAC (Role-Based Access Control) - Regulates access based on roles assigned to users
  4. Webhook - Delegates authorization decisions to an external HTTP(S) service
  5. AlwaysAllow - Allows all requests (the default if no mode is specified)
  6. AlwaysDeny - Denies all requests (used for testing)

Multiple modes can be configured simultaneously. They are evaluated in the order given: the first mode that returns allow or deny decides the request and the remaining modes are not consulted; if every mode has no opinion, the request is denied.

Authorization mode is set on the kube-apiserver with --authorization-mode=Node,RBAC,Webhook,... It defaults to AlwaysAllow if not specified, so check the flag on any cluster you assess: an API server running with AlwaysAllow gives every authenticated identity full admin.
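A model of how kube-apiserver chains the modes listed above, as an added example (written for this page, not the real authorizer code). Each authorizer returns allow, deny or no opinion; `authorize` walks the chain in flag order, stops at the first allow or deny, and denies when nobody has an opinion. The Node and RBAC authorizers here are simplified, constructed stand-ins (the real Node authorizer further limits reads to objects bound to that kubelet's node, and real RBAC resolves Roles and bindings), just enough to show why the order of the flag matters.

```python
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NO_OPINION = "no opinion"


def request(user, groups, verb, resource, namespace=None, name=None):
    """The attributes an authorizer sees after authentication has identified the caller."""
    return {"user": user, "groups": set(groups), "verb": verb,
            "resource": resource, "namespace": namespace, "name": name}


def always_allow(req):
    return Decision.ALLOW


def always_deny(req):
    return Decision.DENY


def node_authorizer(req):
    # Simplified stand-in: only kubelets (system:node:<name> in group system:nodes)
    # get an answer here; every other caller falls through to the next mode.
    if "system:nodes" not in req["groups"] or not req["user"].startswith("system:node:"):
        return Decision.NO_OPINION
    node = req["user"][len("system:node:"):]
    if req["verb"] in ("get", "list", "watch") and req["resource"] in ("pods", "nodes", "services", "endpoints"):
        return Decision.ALLOW
    if req["resource"] == "nodes" and req["name"] == node and req["verb"] in ("update", "patch"):
        return Decision.ALLOW  # a kubelet may update its own Node object
    return Decision.NO_OPINION  # never deny: a later mode may still grant the request


def rbac_authorizer(grants):
    """Tiny RBAC stand-in: grants = {subject: {(verb, resource), ...}}. RBAC never denies."""
    def authorize_rbac(req):
        for subject in {req["user"], *req["groups"]}:
            for verb, resource in grants.get(subject, ()):
                if verb in (req["verb"], "*") and resource in (req["resource"], "*"):
                    return Decision.ALLOW
        return Decision.NO_OPINION
    return authorize_rbac


def authorize(chain, req):
    """Evaluate modes in flag order; first ALLOW/DENY wins; no opinion from all means deny."""
    for mode in chain:
        decision = mode(req)
        if decision is not Decision.NO_OPINION:
            return decision
    return Decision.DENY


# Constructed grants mirroring the page's pod-reader binding for user1.
GRANTS = {"user1": {("get", "pods"), ("list", "pods"), ("watch", "pods")},
          "finance-team": {("*", "secrets")}}
NODE_RBAC = [node_authorizer, rbac_authorizer(GRANTS)]  # the usual kubeadm setting: --authorization-mode=Node,RBAC


if __name__ == "__main__":
    kubelet = request("system:node:worker-1", ["system:nodes"], "get", "pods")
    print("Node,RBAC kubelet get pods:", authorize(NODE_RBAC, kubelet).value)
    user = request("user1", [], "list", "pods", "default")
    print("Node,RBAC user1 list pods:", authorize(NODE_RBAC, user).value)
    print("AlwaysDeny,RBAC user1 list pods:", authorize([always_deny, rbac_authorizer(GRANTS)], user).value)
```

The last line of the demo is the point to remember when reading a `--authorization-mode` flag: a mode that can say deny (AlwaysDeny, ABAC, Webhook) placed before RBAC short-circuits it, while Node before RBAC is harmless because the Node authorizer only ever allows or abstains.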