Kubernetes Security Concepts
Internal
API Server Authentication - Identity while Accessing the Cluster
The identity used while accessing the Kubernetes cluster is either a (usually human) user that is authenticated while accessing the cluster, or a service account, which provides an identity to pods (and the containers running inside them) that make API requests. If an API request is not associated with either of these identities, it is treated as an anonymous request.
Identities
User
Users are sometimes referred to as "user accounts" or "normal users". There is no "User" Kubernetes API resource, and users cannot be added through an API call. It is assumed that a cluster-independent service manages users. That service can be implemented as a username/password file, a user store like Google Accounts, or an administrator that distributes private keys. When the authentication credentials are presented to the API server, the API server extracts the user name from the credentials (e.g. from the common name field in the "subject" of the certificate, "/CN=alice").
User Operations
- Create a Normal User
- Define a user in EKS:
- Add a Normal User via a Certificate
Group
Anonymous Request
When the API server handles a request, it first attempts to authenticate the identity making the request with one of the available authentication methods. If all authentication methods fail, and if anonymous request support is enabled, the request is treated as an anonymous request and given a username of system:anonymous and a group of system:unauthenticated.
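The identity rules described under User and Anonymous Request, as an added illustrative model that is not Kubernetes code: the API server tries its authenticators in order, the first one that yields an identity wins, system:authenticated is added to every real identity, and only a request with no credentials at all falls back to system:anonymous. A credential that is presented but rejected (an unknown bearer token, a client certificate without a CN) is refused with 401 rather than downgraded to anonymous, matching the real server's behaviour. The certificate subject is assumed to have already been verified by the TLS layer against the cluster CA, and the static token file contents are constructed sample data in the --token-auth-file CSV layout.

```python
import csv
from collections import namedtuple

ANONYMOUS_USER = "system:anonymous"
ANONYMOUS_GROUP = "system:unauthenticated"
AUTHENTICATED_GROUP = "system:authenticated"  # added to every non-anonymous identity
Identity = namedtuple("Identity", "user groups")

class InvalidCredential(Exception):
    """Credential presented but rejected: the request gets 401, never anonymous."""
# Constructed sample --token-auth-file contents (CSV: token,user,uid,"group1,group2")
STATIC_TOKEN_FILE = (
    'tok-ci-1234,ci-bot,uid-1,"builders,deployers"\n'
    'tok-ro-5678,auditor,uid-2,viewers\n'
)

def cert_authenticator(request):
    """Client X.509 (already verified by TLS): CN is the username, each O a group."""
    subject = request.get("cert_subject")
    if not subject:
        return None  # no client cert: this authenticator does not apply
    fields = [f.split("=", 1) for f in subject.strip("/").split("/") if "=" in f]
    cn = [v for k, v in fields if k == "CN"]
    if not cn:
        raise InvalidCredential("client certificate has no CN")
    return Identity(cn[0], [v for k, v in fields if k == "O"])

def static_token_authenticator(request, token_file=STATIC_TOKEN_FILE):
    """Static token file: look up the bearer token; an unknown token is rejected."""
    token = request.get("bearer_token")
    if not token:
        return None
    for row in csv.reader(token_file.splitlines()):
        if len(row) >= 2 and row[0] == token:
            groups = row[3].split(",") if len(row) > 3 and row[3] else []
            return Identity(row[1], groups)
    raise InvalidCredential("unknown bearer token")

def authenticate(request, anonymous_auth=True):
    """First authenticator that yields an identity wins; else anonymous, or None (401)."""
    try:
        for authn in (cert_authenticator, static_token_authenticator):
            ident = authn(request)
            if ident is not None:
                return Identity(ident.user, ident.groups + [AUTHENTICATED_GROUP])
    except InvalidCredential:
        return None
    if anonymous_auth:
        return Identity(ANONYMOUS_USER, [ANONYMOUS_GROUP])
    return None
```

Running authenticate({}, anonymous_auth=False) returning None is the state you get with --anonymous-auth=false on the API server: unauthenticated requests are refused instead of reaching RBAC as system:anonymous.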
API Authentication Strategies
Kubernetes provides various authentication strategies to be used by the clients that send API requests into the Kubernetes API server. These authentication strategies are implemented by the server's authentication plugins.
Client X.509 Certificates
Bearer Tokens
kubectl allows specifying a bearer token in-line with --token:
kubectl --token aHR0c...NiYg get pods
Webhook Token Authentication
EKS Webhook Token Authentication
EKS has native support for webhook token authentication. See:
Service Account Tokens
Static Token File
Bootstrap Tokens
Authenticating Proxy
HTTP Basic Auth
OpenID Connect Tokens
Controlling Access to the Kubernetes API
Role Based Access Control (RBAC)
Pod and Container Security
For more details on pod and container security concepts, including pod and container security contexts and pod security policies, see: