lectures.alex.balgavy.eu

Lecture notes from university.
git clone git://git.alex.balgavy.eu/lectures.alex.balgavy.eu.git

controlling-access-to-kubernetes-api.md (2557B)


+++
title = 'Controlling access to Kubernetes API'
+++
# Controlling access to Kubernetes API
Access to Kubernetes resources goes through 3 phases: authentication, authorization, admission control.

Authentication: confirming identity of users
- service account
  - namespaced, created directly in Kubernetes, used by processes inside pods
  - every namespace has its own "default" service account
  - you can grant specific permissions to service accounts using a Role
  - you can create a new service account using a YAML file; a new Secret (token) will be created automatically:

    ```yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: my-service-account
    ```
  - use a service account in a pod by specifying its name in `spec.serviceAccount`
- normal user
  - global to cluster, may come from a corporate database, used by humans
  - no Kubernetes API for creating User objects

Authorization:
- Role Based Access Control (RBAC): individual users have rights to perform specific tasks
  - in Microk8s, use `microk8s enable rbac`
  - uses `rbac.authorization.k8s.io` API group to drive auth decisions
  - declares four Kubernetes objects:
    - Role: namespaced resource, applies only to the specific namespace that it belongs to
      ```yaml
      kind: Role
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        namespace: default
        name: pod-reader
      rules:
      - apiGroups: [""] # indicates the core API group
        resources: ["pods"]
        verbs: ["get", "watch", "list"]
      ```

    - ClusterRole: not namespaced, can be used to apply permissions to multiple namespaces or the entire cluster
    - RoleBindings, ClusterRoleBindings: bind Roles/ClusterRoles to actual users, groups, user IDs, and service accounts
      ```yaml
      kind: RoleBinding
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        name: read-pods
        namespace: default
      subjects:
      - kind: User
        name: lara
        apiGroup: rbac.authorization.k8s.io
      roleRef:
        kind: Role
        name: pod-reader
        apiGroup: rbac.authorization.k8s.io
      ```
  - you can check permissions with e.g. `kubectl auth can-i list pod --namespace default --as lara1`
- Attribute Based Access Control (ABAC): access rights granted to users through policies which combine attributes together
- Node: node authorization authorizes API requests made by kubelets to perform specific API operations
- Webhook: event notification via HTTP POST; the API server POSTs each authorization request to a configured URL and the external web app returns the allow/deny decision
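As an added illustration (not part of these notes and not Kubernetes code), a small Python evaluator that applies the Role/RoleBinding semantics above to the same question `kubectl auth can-i` asks. The ClusterRole `node-viewer` and the user `ops` are made-up additions so the namespaced grant can be contrasted with a cluster-wide one.

```python
# Constructed toy evaluator of the RBAC semantics in these notes (not Kubernetes code).
# The dicts mirror the pod-reader Role and read-pods RoleBinding YAML above; the
# node-viewer ClusterRole / view-nodes ClusterRoleBinding for user "ops" are invented here.
ROLES = [
    {"kind": "Role", "metadata": {"namespace": "default", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "node-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}]},
]
BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "default"},
     "subjects": [{"kind": "User", "name": "lara"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "view-nodes"},
     "subjects": [{"kind": "User", "name": "ops"}],
     "roleRef": {"kind": "ClusterRole", "name": "node-viewer"}},
]

def rule_allows(rule, api_group, resource, verb):
    """A rule grants a request only when API group, resource and verb all match ("*" is a wildcard)."""
    def listed(allowed, value):
        return "*" in allowed or value in allowed
    return (listed(rule["apiGroups"], api_group) and listed(rule["resources"], resource)
            and listed(rule["verbs"], verb))

def can_i(user, verb, resource, namespace, roles=ROLES, bindings=BINDINGS, api_group=""):
    """Deny by default: allow only if a binding naming the user references a role
    whose rules grant the verb on the resource, and the binding is in scope for the namespace."""
    for binding in bindings:
        if not any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"]):
            continue
        # A RoleBinding only grants inside its own namespace; a ClusterRoleBinding is cluster-wide.
        if binding["kind"] == "RoleBinding" and binding["metadata"]["namespace"] != namespace:
            continue
        ref = binding["roleRef"]
        for role in roles:
            if role["kind"] != ref["kind"] or role["metadata"]["name"] != ref["name"]:
                continue
            # A Role can only be referenced by a RoleBinding in the same namespace.
            if role["kind"] == "Role" and role["metadata"]["namespace"] != binding["metadata"].get("namespace"):
                continue
            if any(rule_allows(rule, api_group, resource, verb) for rule in role["rules"]):
                return True
    return False

if __name__ == "__main__":
    # Same question as `kubectl auth can-i list pod --namespace default --as lara` (kubectl maps "pod" to "pods").
    for user, ns in [("lara", "default"), ("lara1", "default"), ("lara", "kube-system")]:
        print(user, "can list pods in", ns, ":", can_i(user, "list", "pods", ns))
```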