3 Identity and Access Management


This chapter covers

  • The basics of RBAC
  • Creating roles and role bindings
  • Using certificates to create users and groups
  • Creating service accounts with roles
  • Mounting service accounts to pods

3.1 Role-based Access Control (RBAC)

To access the resources within a Kubernetes cluster, you must be authenticated. If you remember from chapter 2, we used the kubectl tool to interface with the Kubernetes API. We were allowed to do this because we had a client certificate, which carried a token to authenticate with.

Figure 3.1 Using a certificate and token to access the Kubernetes API

You can authenticate in different ways via authentication plugins. Some of these plugins come out of the box with Kubernetes, which is why we didn’t need to install them separately. The built-in plugin that we used with kubectl is called the certificates plugin. Many other authentication plugins can act as sources of authentication. Here are some common ones:

  • Static Token file
  • 3rd party identity service (AWS IAM)
  • Basic HTTP authentication (token passed in an HTTP header)
  • More, which can be enabled when starting the API server

Figure 3.2 Many different authentication plugins can be used to access the Kubernetes API
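The identity the certificates plugin extracts from a client certificate, shown as an added example rather than code from the book: Kubernetes reads the username from the certificate's CN and the group memberships from its O fields, so the script constructs a throwaway certificate for a hypothetical user "jane" and pulls out both values the way the API server would (assumes openssl is installed).

```shell
#!/usr/bin/env bash
# Added example, not from the book: shows how the Kubernetes certificates
# authentication plugin derives the username and groups from a client cert.
# Kubernetes takes the user name from the certificate's CN and the groups
# from its O (Organization) fields. Requires openssl; the key and cert below
# are constructed here for illustration (self-signed, not issued by a cluster CA).
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Construct a throwaway certificate for a hypothetical user "jane" in the
# hypothetical groups "dev-team" and "oncall"; prints the certificate path.
make_client_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/jane.key" -out "$WORK/jane.crt" \
    -subj "/CN=jane/O=dev-team/O=oncall" >/dev/null 2>&1
  printf '%s\n' "$WORK/jane.crt"
}

# Print the subject one RDN per line, e.g. "CN=jane", "O=dev-team".
subject_rdns() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//' | tr ',' '\n'
}

# Username the API server would authenticate: the CN.
cert_user() {
  subject_rdns "$1" | sed -n 's/^CN=//p'
}

# Groups the API server would attach: every O field, sorted for stable output.
cert_groups() {
  subject_rdns "$1" | sed -n 's/^O=//p' | sort
}

CRT="$(make_client_cert)"
echo "user:   $(cert_user "$CRT")"
echo "groups: $(cert_groups "$CRT" | paste -sd, -)"
```

Anyone holding that key and certificate is "jane" in every group listed, which is why the chapter's later role bindings matter as much as the certificate itself.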

3.1.1 Roles and Role Bindings

3.1.2 System Roles and Groups

3.2 Users and Groups

3.3 Service Accounts

3.4 Exam Exercises

3.5 Summary
