Kubernetes Authentication and Authorization

In this blog, we are going to see about Kubernetes authentication and authorization.

Authentication

In Kubernetes, authentication is the process of verifying whether the user has permission to access the Kubernetes with API calls.

The user must have a valid client certificate which is signed by the CA to authenticate access to the cluster.

There are multiple methods used in authentication such as client certificates, bearer tokens, authentication proxies, etc.

For example, a user sends an API request to the Kubernetes API server for authentication, and the API server checks if the user has a valid client certificate to authenticate.

During authentication, you use the /.kube/config file which contains the information about the cluster and credentials needed for authentication.

An example config file is given below

Authorization

In Kubernetes, authorization is the process of verifying the actions that can performed by the user in the clsuter.

The Kubernetes role-based access control (RBAC) is responsible for checking every API call done by the user if the user has the authorization to do that.

By default, the user will not have permission to do any action on the cluster, the cluster admin has to create a role and cluster role with required permissions and bind it to the user to perform every task.

The user is only authorized to perform the actions specified in the role or cluster role.