Chapter 12. Securing the Kubernetes API server
This chapter covers
- Understanding authentication
- What ServiceAccounts are and why they’re used
- Understanding the role-based access control (RBAC) plugin
- Using Roles and RoleBindings
- Using ClusterRoles and ClusterRoleBindings
- Understanding the default roles and bindings
In chapter 8 you learned how applications running in pods can talk to the API server to retrieve or change the state of resources deployed in the cluster. To authenticate with the API server, you used the ServiceAccount token mounted into the pod. In this chapter, you’ll learn what ServiceAccounts are and how to configure their permissions, as well as permissions for other subjects using the cluster.
In the previous chapter, we said the API server can be configured with one or more authentication plugins (and the same is true for authorization plugins). When a request is received by the API server, it goes through the list of authentication plugins, so they can each examine the request and try to determine who’s sending the request. The first plugin that can extract that information from the request returns the username, user ID, and the groups the client belongs to back to the API server core. The API server stops invoking the remaining authentication plugins and continues onto the authorization phase.
Several authentication plugins are available. They obtain the identity of the client using the following methods: