Kubernetes Security Concepts: Difference between revisions

From NovaOrdis Knowledge Base

Revision as of 00:25, 10 August 2020

Internal

Transport Security

* https://kubernetes.io/docs/reference/access-authn-authz/#transport-security
User Account

Service Account

Processes in containers inside pods can contact the API server, and they need an identity when doing so. A service account provides the identity for processes that run in the pod. Processes will authenticate using the identity provided by the service account. By default, in the absence of specific configuration, the pods will authenticate as the default service account in the namespace they are running in. A specific service account name can be specified in the pod manifest. Service accounts are rendered in logs using the following pattern: "system:serviceaccount:namespace:account-name" (e.g. "system:serviceaccount:blue:default").

TODO:

Default Service Account

Each namespace comes with a default service account:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: default
secrets:
- name: default-token-dddkl
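The two rules above, the fallback to the namespace's default service account and the "system:serviceaccount:namespace:account-name" log pattern, as an added example that is not part of the original page: it computes the identity a pod manifest will authenticate with, parses that identity back out of log usernames, and lists the namespaces whose default service account has been making API calls, which is a common hardening finding. The `default_sa_callers` helper and the fallback to the "default" namespace for a manifest with no metadata.namespace are this example's own assumptions, not anything the page states.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Pattern the page describes for service-account identities in logs:
# system:serviceaccount:<namespace>:<account-name>
SA_USERNAME_RE = re.compile(r"^system:serviceaccount:([^:]+):([^:]+)$")


def effective_service_account(pod_manifest: dict) -> str:
    """Return the identity the pod's processes will authenticate with.

    No spec.serviceAccountName -> the namespace's 'default' service account.
    No metadata.namespace -> assumed here to land in the 'default' namespace
    (assumption of this example; the real target depends on the kubectl context).
    """
    metadata = pod_manifest.get("metadata", {})
    spec = pod_manifest.get("spec", {})
    namespace = metadata.get("namespace") or "default"
    account = spec.get("serviceAccountName") or "default"
    return f"system:serviceaccount:{namespace}:{account}"


def parse_service_account_username(username: str) -> Optional[Tuple[str, str]]:
    """Split a log username into (namespace, account); None for non-service-account users."""
    match = SA_USERNAME_RE.match(username)
    return (match.group(1), match.group(2)) if match else None


def default_sa_callers(audit_usernames: Iterable[str]) -> List[str]:
    """Namespaces in which the *default* service account made API calls.

    Pods that were never given a dedicated service account fall back to
    'default', so API traffic under that identity is worth reviewing.
    """
    namespaces = set()
    for user in audit_usernames:
        parsed = parse_service_account_username(user)
        if parsed and parsed[1] == "default":
            namespaces.add(parsed[0])
    return sorted(namespaces)


if __name__ == "__main__":
    # Constructed sample manifest and sample log usernames (not from a real cluster)
    pod = {"apiVersion": "v1", "kind": "Pod",
           "metadata": {"name": "web", "namespace": "blue"},
           "spec": {"containers": [{"name": "app", "image": "nginx"}]}}
    print(effective_service_account(pod))  # system:serviceaccount:blue:default
    users = ["system:serviceaccount:blue:default",
             "system:serviceaccount:kube-system:coredns", "alice"]
    print(default_sa_callers(users))  # ['blue']
```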

Service Account Operations

Role Based Access Control (RBAC)

Kubernetes Role Based Access Control (RBAC) Concepts