Kubernetes Security Concepts

From NovaOrdis Knowledge Base

Internal

API Server Authentication - Identity while Accessing the Cluster

The identity under which the Kubernetes cluster is accessed is associated either with a (usually human) user that is authenticated when accessing the cluster, or with a service account, which provides an identity to pods, and to the containers running inside them, that make API requests. An API request that is not associated with either of these identities is treated as an anonymous request.

Identities

User

https://kubernetes.io/docs/reference/access-authn-authz/authentication/

Users are sometimes referred to as "user accounts" or "normal users". There is no "User" Kubernetes API resource, and users cannot be added through an API call. It is assumed that a cluster-independent service manages users. That service can be implemented as a username/password file, a user store like Google Accounts, or an administrator that distributes private keys. When the authentication credentials are presented to the API server, the API server extracts the user name from the credentials (e.g. from the common name field in the "subject" of the certificate, "/CN=alice").
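As an added check (an example script, not from this page or from the Kubernetes project), assuming the openssl CLI is available: the script inspects a client certificate and reports the user name the API server would take from the subject's CN, and the groups it takes from the subject's O fields (the O-to-group mapping is standard API server behaviour not stated above). It builds a constructed self-signed certificate for "alice" only to have something to inspect; in a real cluster the certificate would be signed by the cluster CA.

```shell
#!/bin/sh
# Added example: show the Kubernetes identity encoded in a client certificate.
# Assumes the openssl CLI is installed. Subject output is requested in
# RFC 2253 form (one attribute per comma-separated element, no spaces).

# Print the subject's attributes, one per line, e.g. "O=developers" "CN=alice".
subject_attrs() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=//p' | tr ',' '\n'
}

# User name the API server derives from the certificate: the CN field.
cert_username() {
  subject_attrs "$1" | sed -n 's/^ *CN *= *//p'
}

# Groups the API server derives from the certificate: every O field.
cert_groups() {
  subject_attrs "$1" | sed -n 's/^ *O *= *//p'
}

# Constructed self-signed test certificate for user "alice" in group
# "developers" (files "$1.key" and "$1.crt"); for demonstration only.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=alice/O=developers" \
    -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Usage: sh cert_identity.sh /path/to/client.crt
if [ -n "${1:-}" ]; then
  echo "user:   $(cert_username "$1")"
  echo "groups: $(cert_groups "$1" | tr '\n' ' ')"
fi
```

Run it against the certificate referenced by a kubeconfig entry before handing the credentials out, so the user name and groups that RBAC will see are known in advance.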

User Operations

Group

Anonymous Request

https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests

When the API server handles a request, it first attempts to authenticate the identity making the request with one of the available authentication methods. If all authentication methods fail and anonymous request support is enabled, the request is treated as anonymous and given a username of system:anonymous and a group of system:unauthenticated.

API Authentication Strategies

https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authentication-strategies

Kubernetes provides various authentication strategies for the clients that send API requests to the Kubernetes API server. These authentication strategies are implemented by the server's authentication plugins.

Client X.509 Certificates

https://kubernetes.io/docs/reference/access-authn-authz/authentication/#x509-client-certs

Bearer Tokens

kubectl allows specifying a bearer token inline with --token:

kubectl --token aHR0c...NiYg get pods

Webhook Token Authentication

https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication

EKS Webhook Token Authentication

EKS has native support for webhook token authentication. See:

EKS Webhook Token Authentication

Service Account Tokens

https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens

Static Token File

https://kubernetes.io/docs/reference/access-authn-authz/authentication/#static-token-file

Bootstrap Tokens

https://kubernetes.io/docs/reference/access-authn-authz/authentication/#bootstrap-tokens

Authenticating Proxy

https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authenticating-proxy

HTTP Basic Auth

OpenID Connect Tokens

https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens

Controlling Access to the Kubernetes API

https://kubernetes.io/docs/reference/access-authn-authz/controlling-access/

Role Based Access Control (RBAC)

Kubernetes Role Based Access Control (RBAC) Concepts

Pod and Container Security

For more details on pod and container security concepts, including pod and container security contexts and pod security policies, see:

Pod and Container Security

Cluster Administrator

Miscellaneous Subjects

Certificates Required by a Kubernetes Cluster

https://kubernetes.io/docs/setup/best-practices/certificates/

Transport Security

https://kubernetes.io/docs/reference/access-authn-authz/#transport-security