3 Identity and Access Management
This chapter covers
- The basics of RBAC
- Creating roles and role bindings
- Using certificates to create users and groups
- Creating service accounts with roles
- Mounting service accounts to pods
3.1 Role-based Access Control (RBAC)
To access the resources within a Kubernetes cluster, you must be authenticated. Recall from chapter 2 that we used the kubectl tool to interface with the Kubernetes API. We were allowed to do this because we had a client certificate that carried a token to authenticate with.
Figure 3.1 Using a certificate and token to access the Kubernetes API
You can authenticate in different ways via authentication plugins. Some of these plugins ship with Kubernetes out of the box, which is why we did not need to install them separately. The built-in plugin that we used with kubectl is called the certificates plugin. Many other authentication plugins can serve as sources of authentication. Here are some common ones:
- Static token file
- Third-party identity service (for example, AWS IAM)
- Basic HTTP authentication (token passed in an HTTP header)
- Others, which can be enabled when starting the API server
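As an added example (not code from the chapter), the script below reads a kubeconfig in its JSON form, which kubectl also accepts, and reports which of the authentication methods listed above each user entry relies on and whether a long-lived secret is stored in the file itself. The kubeconfig, user names and credential values are constructed placeholders.

```python
import base64
import json
from typing import Dict, List

# Constructed kubeconfig with one user per authentication method from the list above.
# The certificate and key bytes are placeholders, not a real keypair.
SAMPLE_KUBECONFIG = json.dumps({
    "apiVersion": "v1",
    "kind": "Config",
    "users": [
        {"name": "cert-admin", "user": {
            "client-certificate-data": base64.b64encode(b"PLACEHOLDER-CERT").decode(),
            "client-key-data": base64.b64encode(b"PLACEHOLDER-KEY").decode()}},
        {"name": "static-token", "user": {"token": "placeholder-token"}},
        {"name": "basic-auth", "user": {"username": "admin", "password": "placeholder"}},
        {"name": "aws-iam", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1beta1",
            "command": "aws", "args": ["eks", "get-token"]}}},
    ],
})


def classify_user(entry: Dict) -> Dict:
    """Map a kubeconfig user entry to the API server plugin it will hit."""
    u = entry.get("user", {})
    if "client-certificate-data" in u or "client-certificate" in u:
        method = "x509 client certificate"
        # The private key is a long-lived secret when it is inlined in the file.
        embedded = "client-key-data" in u
    elif "exec" in u:
        # Exec plugins (e.g. aws eks get-token) fetch a short-lived token on demand.
        method = f"exec plugin ({u['exec'].get('command')})"
        embedded = False
    elif "token" in u or "tokenFile" in u:
        method = "bearer token (static)"
        embedded = "token" in u
    elif "username" in u and "password" in u:
        # Basic auth was removed from kube-apiserver in Kubernetes 1.19.
        method = "basic HTTP authentication"
        embedded = True
    else:
        method = "unknown"
        embedded = False
    return {"name": entry["name"], "method": method, "secret_embedded": embedded}


def audit_kubeconfig(text: str) -> List[Dict]:
    """Classify every user entry in a JSON kubeconfig document."""
    return [classify_user(e) for e in json.loads(text).get("users", [])]


if __name__ == "__main__":
    for row in audit_kubeconfig(SAMPLE_KUBECONFIG):
        print(row)
```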