
Authorization

What can you do?

The kubelet's requests to the kube-apiserver are authorized by the Node authorizer.

Any request coming from a user named “system:node:…” that is also a member of the “system:nodes” group is automatically granted node privileges. ! Ohhh snap.

Authorization modes: the --authorization-mode flag on the kube-apiserver, comma separated for multiple modes (e.g. Node,RBAC,Webhook).

Modules are processed in the order of the comma-separated list. If a module does not authorize the request, it is forwarded to the next one in the chain.

ABAC (Attribute Based Access Control): pass a policy file into the api-server on launch (user / group -> permissions). Difficult to manage.

RBAC (Role Based Access Control): define a role “developers” with a set of permissions, then associate the devs with that role.

Create a role definition file (apiVersion rbac.authorization.k8s.io/v1, kind: Role) with a metadata name and a list of rules:

  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: developers
    namespace: default
  rules:
  - apiGroups: [""]          # "" is the core API group
    resources: ["pods"]
    verbs: ["list", "get", "create", "update", "delete"]
    resourceNames: ["blue", "green"]   # optional: restrict the rule to these named objects

Create a RoleBinding to link a user to the role. The roleRef points at the Role above; the binding is applied to the default namespace:

  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: devuser-developers-binding
    namespace: default
  subjects:
  - kind: User
    name: dev-user
    apiGroup: rbac.authorization.k8s.io
  roleRef:
    kind: Role
    name: developers
    apiGroup: rbac.authorization.k8s.io

3rd party Webhooks: e.g. “Open Policy Agent” (the api-server asks “User X requested Y” <-> OPA answers allow or deny).

AlwaysAllow <- DEFAULT ACTION!

AlwaysDeny

kubectl auth can-i create deployments
kubectl auth can-i create pods --as dev-user

Roles are scoped to a namespace. Namespaces themselves are cluster-wide resources.

Resources are either namespaced or cluster-scoped.

Cluster-scoped resources include nodes, PersistentVolumes (PV), ClusterRoles, ClusterRoleBindings, CSRs (CertificateSigningRequests) and namespaces.

kubectl api-resources --namespaced=true

Use a ClusterRole when you want to grant access to cluster-wide resources. You CAN also create a ClusterRole for namespaced resources; bound through a ClusterRoleBinding, the user then has access to those resources across all namespaces.

You can also restrict access to specific named resources (resourceNames in a rule).
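The Role/RoleBinding for dev-user above, the ClusterRole point, and resourceNames all come down to the same matching logic, which is what `kubectl auth can-i` reports. As an added example (not part of these notes and not Kubernetes' own authorizer code), the toy evaluator below models that logic: RBAC is additive, a Role only grants inside its namespace, a ClusterRole bound with a ClusterRoleBinding grants everywhere, and resourceNames narrows a rule to named objects. The subjects, roles and object names (dev-user, ops, developers, node-reader, blue, green) are constructed sample values.

```python
"""Toy RBAC evaluator: which requests does a Role/ClusterRole binding allow?

Added example, not part of these notes and not Kubernetes' own authorizer.
It models the rules the notes describe: RBAC is additive, a Role is
namespaced, a ClusterRole is cluster-wide, and bindings attach subjects
(users / groups) to roles. All names (dev-user, ops, developers, blue,
green) are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    api_groups: List[str]           # "" is the core API group
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)  # optional narrowing

    def matches(self, api_group: str, resource: str, verb: str, name: str) -> bool:
        def ok(wanted: str, allowed: List[str]) -> bool:
            return "*" in allowed or wanted in allowed

        if not (ok(api_group, self.api_groups) and ok(resource, self.resources)
                and ok(verb, self.verbs)):
            return False
        # resourceNames narrows the rule to specific objects. Simplified: real
        # RBAC cannot apply it to create/deletecollection, where no name exists yet.
        return not self.resource_names or name in self.resource_names


@dataclass
class Role:
    name: str
    rules: List[Rule]
    namespace: Optional[str] = None     # None means this is a ClusterRole


@dataclass
class Binding:
    role: Role
    subjects: Set[str]                  # "user:<name>" or "group:<name>"
    namespace: Optional[str] = None     # None means ClusterRoleBinding


@dataclass
class Request:
    user: str
    groups: Tuple[str, ...]
    verb: str
    resource: str
    namespace: str = ""                 # "" for cluster-scoped resources (nodes, ...)
    api_group: str = ""
    name: str = ""


def can_i(req: Request, bindings: List[Binding]) -> bool:
    """Allowed iff some binding for one of the request's subjects has a matching rule."""
    subjects = {f"user:{req.user}"} | {f"group:{g}" for g in req.groups}
    for b in bindings:
        if not subjects & b.subjects:
            continue
        # A RoleBinding grants only inside its own namespace, even when it
        # references a ClusterRole; a ClusterRoleBinding grants everywhere.
        if b.namespace is not None and b.namespace != req.namespace:
            continue
        if any(r.matches(req.api_group, req.resource, req.verb, req.name)
               for r in b.role.rules):
            return True
    return False   # RBAC has no deny rules: anything not granted is denied


# Constructed sample policy, mirroring the notes' Role/RoleBinding for dev-user
# plus a ClusterRole for reading nodes, bound cluster-wide to the "ops" group.
DEVELOPERS = Role("developers", [
    Rule([""], ["pods"], ["list", "get", "create", "update", "delete"]),
    Rule([""], ["configmaps"], ["get"], resource_names=["blue", "green"]),
], namespace="default")
NODE_READER = Role("node-reader", [Rule([""], ["nodes"], ["get", "list"])])
BINDINGS = [
    Binding(DEVELOPERS, {"user:dev-user"}, namespace="default"),   # RoleBinding
    Binding(NODE_READER, {"group:ops"}),                           # ClusterRoleBinding
]


def demo() -> dict:
    """The same questions `kubectl auth can-i ... --as <user>` would answer."""
    def dev(**kw): return Request("dev-user", ("developers",), **kw)
    def ops(**kw): return Request("ops-user", ("ops",), **kw)
    return {
        "dev create pods in default":     can_i(dev(verb="create", resource="pods", namespace="default"), BINDINGS),
        "dev create pods in kube-system": can_i(dev(verb="create", resource="pods", namespace="kube-system"), BINDINGS),
        "dev get configmap blue":         can_i(dev(verb="get", resource="configmaps", namespace="default", name="blue"), BINDINGS),
        "dev get configmap red":          can_i(dev(verb="get", resource="configmaps", namespace="default", name="red"), BINDINGS),
        "dev list nodes":                 can_i(dev(verb="list", resource="nodes"), BINDINGS),
        "ops list nodes":                 can_i(ops(verb="list", resource="nodes"), BINDINGS),
        "ops get pods in default":        can_i(ops(verb="get", resource="pods", namespace="default"), BINDINGS),
    }


if __name__ == "__main__":
    for question, answer in demo().items():
        print(f"{question:32s} {'yes' if answer else 'no'}")
```

The two "no" answers for dev-user outside the default namespace and for nodes are the point of the namespace scoping: the same Role bound through a RoleBinding never reaches another namespace or a cluster-scoped resource, which is exactly the case where a ClusterRole plus ClusterRoleBinding is needed.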