
Understanding Authentication & Authorization in Kubernetes

Authentication – Who is the user? The process or action of verifying the identity of a user or process.
Authorization – What may that user access, and to what extent?

Official ref for Authentication

  • https://kubernetes.io/docs/reference/access-authn-authz/authentication/

Methods of Authentication in Kubernetes

  • Certificate
  • Token
  • OpenID Connect
  • Webhook

How does certificate-based auth work in Kubernetes?

  • User (or administrator on behalf of the user) creates a private key.
  • User/administrator generates a certificate signing request (CSR).
  • Administrator approves the request and signs it with the cluster's CA.
  • Administrator provides the resulting certificate back to the user.

How does token-based auth work in Kubernetes?

How to create a user in Kubernetes?


# USER runs these commands on their workstation
# Create a private key
$ openssl genrsa -out employee.key 2048

# Create the CSR file. The CN becomes the Kubernetes username and O becomes a group the user belongs to.
$ openssl req -new -key employee.key -out employee.csr -subj "/CN=employee/O=bitnami"

# Send the CSR file to the CA (the cluster/K8s admin), either:
- manually, e.g. by email
- through the CertificateSigningRequest API

# ADMIN runs this where the cluster CA key is available (/etc/kubernetes/pki on the control plane)
$ openssl x509 -req -in employee.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out employee.crt -days 500

# Admin sends employee.crt back to the USER, either:
- manually, e.g. by email
- through the CertificateSigningRequest API, from which the user can download it

# USER adds employee.key & employee.crt to their kubeconfig file.
# (kubectl stores the file paths; add --embed-certs=true to store the certificate contents inline instead)

$ kubectl config set-credentials employee --client-certificate=/root/employee.crt --client-key=/root/employee.key

$ kubectl config view

$ kubectl config set-context employee-context --cluster=kubernetes --namespace=office --user=employee

$ kubectl config view

$ kubectl create namespace office

[root@rajesh ~]# kubectl --context=employee-context get pods
Error from server (Forbidden): pods is forbidden: User "employee" cannot list resource "pods" in API group "" in the namespace "office"
# So far we have only enabled authentication for "employee": the API server accepts the request as coming from that user, but the user has no rights in the cluster yet. Granting rights is the job of authorization.

What are the Methods of Authorization in Kubernetes?

  • Node
  • ABAC
  • RBAC [ FOCUS ]
  • Webhook

Official ref for Authorization

  • https://kubernetes.io/docs/reference/access-authn-authz/authorization/

How to authorize a user in a Kubernetes cluster?

WHOM – a USER or GROUP (for certificate auth, the CN and O of the client certificate)
WHAT – verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]
WHERE – API resources or API groups; list them with $ kubectl api-resources
HOW – through one of the authorization modes:

  • Node
  • ABAC
  • RBAC [ FOCUS ]
  • Webhook

How does RBAC work in Kubernetes?
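The WHOM/WHAT/WHERE questions above map directly onto the two RBAC objects: a Role lists the rules (WHAT verbs on WHERE resources, inside one namespace) and a RoleBinding attaches those rules to a subject (WHOM). The following is an added example, not part of the original post: it writes the Role and RoleBinding that would give the "employee" user from the tutorial read access to pods in the office namespace (as Python dicts with the same fields as the YAML you would kubectl apply), and models how the RBAC authorizer evaluates a request against them. The names pod-reader and read-pods are my own choices; the evaluator is a simplified model of the API server's logic, not Kubernetes code.

```python
"""Model of how the Kubernetes RBAC authorizer decides a request.

Added example (not from the original post). RBAC has no deny rules: a request
is allowed if some binding for the subject points at a role with a matching
rule, and denied otherwise. That default denial is the "Forbidden" error the
employee user hit in the tutorial before any binding existed.
"""
from dataclasses import dataclass

# Role manifest, namespace-scoped. Same fields as the YAML:
#   apiVersion: rbac.authorization.k8s.io/v1
#   kind: Role
#   metadata: {name: pod-reader, namespace: office}
#   rules:
#   - apiGroups: [""]            # "" is the core API group (pods, services, ...)
#     resources: ["pods"]
#     verbs: ["get", "list", "watch"]
POD_READER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "pod-reader", "namespace": "office"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}],
}

# RoleBinding: the User subject "employee" is the CN of the client certificate;
# a Group subject would match the certificate's O field ("bitnami" in the CSR).
EMPLOYEE_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "RoleBinding",
    "metadata": {"name": "read-pods", "namespace": "office"},
    "subjects": [{"kind": "User", "name": "employee", "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"},
}


@dataclass(frozen=True)
class Request:
    user: str
    groups: tuple      # e.g. ("bitnami", "system:authenticated")
    verb: str          # get, list, watch, create, ...
    api_group: str     # "" for the core group, "apps", "batch", ...
    resource: str      # pods, deployments, ...
    namespace: str     # "" for cluster-scoped requests


def _matches(wanted, allowed):
    # Rules are allow-lists; "*" matches anything.
    return "*" in allowed or wanted in allowed


def _rule_allows(rule, req):
    return (_matches(req.api_group, rule["apiGroups"])
            and _matches(req.resource, rule["resources"])
            and _matches(req.verb, rule["verbs"]))


def _binding_applies(binding, req):
    for subject in binding["subjects"]:
        if subject["kind"] == "User" and subject["name"] == req.user:
            return True
        if subject["kind"] == "Group" and subject["name"] in req.groups:
            return True
    return False


def authorize(req, roles, bindings):
    """Return (allowed, reason). Roles/ClusterRoles are keyed by (namespace, name);
    a ClusterRole has namespace ""."""
    roles_by_key = {(r["metadata"].get("namespace", ""), r["metadata"]["name"]): r for r in roles}
    for binding in bindings:
        if not _binding_applies(binding, req):
            continue
        binding_ns = binding["metadata"].get("namespace", "")
        # A RoleBinding only grants access inside its own namespace;
        # a ClusterRoleBinding applies everywhere.
        if binding["kind"] == "RoleBinding" and binding_ns != req.namespace:
            continue
        ref = binding["roleRef"]
        role = roles_by_key.get((binding_ns if ref["kind"] == "Role" else "", ref["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        for rule in role["rules"]:
            if _rule_allows(rule, req):
                return True, f'allowed by {binding["kind"]} "{binding["metadata"]["name"]}" -> {ref["kind"]} "{ref["name"]}"'
    return False, (f'User "{req.user}" cannot {req.verb} resource "{req.resource}" '
                   f'in API group "{req.api_group}" in the namespace "{req.namespace}"')


def demo():
    """The tutorial's request before and after the binding, plus two denials."""
    list_pods = Request("employee", ("bitnami",), "list", "", "pods", "office")
    before = authorize(list_pods, [], [])                                   # no binding yet -> Forbidden
    after = authorize(list_pods, [POD_READER_ROLE], [EMPLOYEE_BINDING])     # allowed
    wrong_ns = authorize(Request("employee", ("bitnami",), "list", "", "pods", "default"),
                         [POD_READER_ROLE], [EMPLOYEE_BINDING])             # RoleBinding is namespaced
    no_verb = authorize(Request("employee", ("bitnami",), "delete", "", "pods", "office"),
                        [POD_READER_ROLE], [EMPLOYEE_BINDING])              # delete not in the rule
    return before, after, wrong_ns, no_verb


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

Once the real manifests are applied with kubectl apply, the same questions can be asked of the cluster with kubectl auth can-i list pods --as=employee -n office, which is the quickest way to check a binding without switching contexts.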
