Authorization

  • Authorization defines what an authenticated identity (a user, a group or a service account) is allowed to do. Authentication establishes who is making the request; authorization decides whether that request is permitted.
  • The best practice is least privilege: give every user account and service account only the permissions it actually needs, and nothing more.

Authorization Mechanisms in K8s

Always Allow

Allow every request made to the kube-apiserver. This effectively disables authorization, so it is only appropriate for testing.

Always Deny

Deny every request made to the kube-apiserver. Like AlwaysAllow, this is only useful for testing.

Node Authorizer

A special-purpose authorizer for the kubelet. It authorizes the API requests a kubelet makes to the kube-apiserver, such as reading the pods scheduled to its node and the Secrets, ConfigMaps and volumes those pods reference, and writing node status, pod status and events. To be handled by the Node authorizer a kubelet must authenticate as a member of the system:nodes group with a username of the form system:node:<nodeName>; requests from any other identity get no opinion from this authorizer and fall through to the next configured mode. It is normally paired with the NodeRestriction admission plugin, which limits a kubelet to modifying only its own Node object and the pods bound to it.

Attribute Based Access Control (ABAC)

Authorize users by listing the allowed permissions for each user or group in a policy file (one JSON policy object per line) that is passed to the kube-apiserver with --authorization-policy-file=<path>.
Later, if we want to change the permissions for a set of users, we must edit every matching line in that file and restart the kube-apiserver, because the file is only read at startup. This is why ABAC is difficult to manage and rarely used.

Role Based Access Control (RBAC)

Instead of listing permissions for each user or group as with ABAC, we define roles that carry the right set of permissions (a Role for a single namespace, a ClusterRole for cluster-wide or non-namespaced resources) and bind users, groups or service accounts to them with a RoleBinding or ClusterRoleBinding.
Later, if we want to change the permissions of a role, we edit it once and the change applies to everyone bound to that role, with no restart of the kube-apiserver. Note that RBAC is purely additive: a rule can only grant access, never deny it.

Webhook

We can outsource authorization to a third-party policy engine (e.g. Open Policy Agent) outside the K8s cluster using webhooks. For each request the kube-apiserver sends a SubjectAccessReview to the external authorization server (configured with --authorization-webhook-config-file) describing the user, their groups and the verb and resource being requested, and the server answers with allowed, denied or no opinion. Unlike RBAC, a webhook can explicitly deny a request.

Setting Authorization Modes

  • Authorization modes are set with the --authorization-mode flag of kube-apiserver. On a kubeadm cluster that means the static pod manifest /etc/kubernetes/manifests/kube-apiserver.yaml; on a cluster that runs kube-apiserver as a systemd service it is the unit's ExecStart line.
  • AlwaysAllow is the default value of the flag when nothing is set, which disables authorization entirely; kubeadm explicitly configures Node,RBAC.
  • We can enable multiple authorization modes by passing them as comma separated values. The request is checked by each authorizer in the given order, and each one answers allow, deny or no opinion. Allow and deny both stop the chain immediately; only "no opinion" forwards the request to the next authorizer. If every authorizer has no opinion, the request is denied.
    • For example, with --authorization-mode=Node,RBAC,Webhook: a request from a regular user does not come from a kubelet, so the Node authorizer has no opinion and passes it on. RBAC finds a matching role binding and allows it. Since the request has been allowed, it is never sent to the Webhook.
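The chain semantics above are easier to see in code. The following Go program is an added example, not code from this page or from Kubernetes itself: it models the three-valued answer (allow, deny, no opinion) that each authorizer returns, with a simplified Node authorizer, an RBAC authorizer over a constructed set of roles and bindings (a pod-reader role bound to group dev, cluster-admin bound to user admin), and a local function standing in for a webhook that vetoes every deletion of a Secret. All of those names, rules and the webhook policy are assumptions made for the example. Evaluate takes the same comma-separated string as --authorization-mode and reports which mode decided, so it illustrates both the RBAC section and the ordering rules here.

```go
package main

import (
	"fmt"
	"strings"
)

// Decision is an authorizer's answer; only NoOpinion hands the request to the next authorizer.
type Decision int

const NoOpinion, Allow, Deny Decision = 0, 1, 2

func (d Decision) String() string { return [...]string{"NoOpinion", "Allow", "Deny"}[d] }

// Attributes is the subset of request attributes these toy authorizers inspect.
type Attributes struct {
	User     string
	Groups   []string
	Verb     string
	Resource string
}

// authorizer pairs an --authorization-mode name with its decision function.
type authorizer struct {
	name   string
	decide func(Attributes) Decision
}

func has(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// Node answers only for kubelets (user system:node:<name> in group system:nodes); the real
// authorizer additionally limits what a kubelet may read to objects bound to its own node.
func nodeAuthorizer() authorizer {
	return authorizer{"Node", func(a Attributes) Decision {
		if has(a.Groups, "system:nodes") && strings.HasPrefix(a.User, "system:node:") {
			return Allow
		}
		return NoOpinion
	}}
}

type rule struct{ verbs, resources []string }

// RBAC: roles (name -> rules, "*" is a wildcard) bound to user or group names.
// Like real RBAC it never returns Deny: a bound rule matches, or it has no opinion.
func rbacAuthorizer(roles map[string][]rule, bindings map[string][]string) authorizer {
	return authorizer{"RBAC", func(a Attributes) Decision {
		for _, subject := range append([]string{a.User}, a.Groups...) {
			for _, role := range bindings[subject] {
				for _, r := range roles[role] {
					if (has(r.verbs, "*") || has(r.verbs, a.Verb)) && (has(r.resources, "*") || has(r.resources, a.Resource)) {
						return Allow
					}
				}
			}
		}
		return NoOpinion
	}}
}

// authorizers is a constructed cluster: group dev may read pods, user admin holds cluster-admin, and
// a webhook stand-in (a real one posts a SubjectAccessReview to the external server) vetoes secret deletion.
var authorizers = map[string]authorizer{
	"Node": nodeAuthorizer(),
	"RBAC": rbacAuthorizer(map[string][]rule{
		"pod-reader":    {{[]string{"get", "list", "watch"}, []string{"pods"}}},
		"cluster-admin": {{[]string{"*"}, []string{"*"}}},
	}, map[string][]string{"dev": {"pod-reader"}, "admin": {"cluster-admin"}}),
	"Webhook": {"Webhook", func(a Attributes) Decision {
		if a.Verb == "delete" && a.Resource == "secrets" {
			return Deny
		}
		return NoOpinion
	}},
}

// Evaluate walks the chain named by an --authorization-mode value such as "Node,RBAC,Webhook":
// Allow and Deny both stop the walk, and if no authorizer has an opinion the request is denied.
func Evaluate(modes string, a Attributes) (Decision, string, error) {
	for _, m := range strings.Split(modes, ",") {
		z, ok := authorizers[m]
		if !ok {
			return Deny, "", fmt.Errorf("unknown authorization mode %q", m)
		}
		if d := z.decide(a); d != NoOpinion {
			return d, z.name, nil
		}
	}
	return Deny, "none", nil
}

func main() { fmt.Println(Evaluate("Webhook,RBAC", Attributes{User: "admin", Verb: "delete", Resource: "secrets"})) }
```

With Webhook,RBAC the admin's delete of a Secret is denied by the webhook; with Node,RBAC,Webhook the very same request is allowed by RBAC before the webhook is ever consulted. That is the practical consequence of the ordering rule: a deny-capable webhook only acts as a veto if it is listed before the modes that would otherwise allow the request.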

Commands

  • To check the authorization modes in a cluster, run k describe pod kube-apiserver-<node-name> -n kube-system (for example kube-apiserver-controlplane when the control plane node is named controlplane) and look for --authorization-mode in the container's command arguments. On a kubeadm node the same flag can be read directly from the static pod manifest /etc/kubernetes/manifests/kube-apiserver.yaml. Here k is the usual alias for kubectl.