DEV Community

Sina Tavakkol
Sina Tavakkol

Posted on

40 Days Of Kubernetes (22/40)

Day 22/40

Kubernetes Authentication and Authorization Simply Explained

Video Link
@piyushsachdeva
Git Repository
My Git Repo

We're looking at authorization, kubeconfig and some other concepts.
Actually when you run command kubectl get pods, before you get the result, you will be authenticate and check if you're authorized and permit to run this command in a kubernetes cluster.

Because in the background, some data is sent to the cluster, you are or not authorized to run commands in a cluster.
We are passing these options with a config file called kubeconfig.

The actual command is like:

root@localhost:~# kubectl get nodes --kubeconfig .kube/config
NAME                       STATUS   ROLES           AGE   VERSION
lucky-luke-control-plane   Ready    control-plane   22d   v1.30.0
lucky-luke-worker          Ready    <none>          22d   v1.30.0
lucky-luke-worker2         Ready    <none>          22d   v1.30.0
Enter fullscreen mode Exit fullscreen mode

The details in kubeconfig file include:

  • certificate-authority-data
  • server
  • contexts
  • client-key-data and so on. the context is nothing but the combination of user and cluster. Image description (Photo from the video)
...
contexts:
- context:
    cluster: kind-lucky-luke
    user: kind-lucky-luke
  name: kind-lucky-luke
...
Enter fullscreen mode Exit fullscreen mode

What is Authentication and What is Authorization

Image description
(Photo from the video)

ABAC, Attribute-Based Access Control, defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together.source

RBAC, Role-based access control, is a method of regulating access to computer or network resources based on the roles of individual users within your organization.source

NODE authorization is a special-purpose authorization mode that specifically authorizes API requests made by kubelets.source

A WebHook is an HTTP callback: an HTTP POST that occurs when something happens; a simple event-notification via HTTP POST. A web application implementing WebHooks will POST a message to a URL when certain things happen.
When specified, mode Webhook causes Kubernetes to query an outside REST service when determining user privileges.source


As we are using a kind cluster, we cannot ssh to our node, because it's an docker container. So we can handle it with exec command.

root@localhost:~# docker ps | grep control-plane
f791fa85c269   kindest/node:v1.30.0   "/usr/local/bin/entr…"   3 weeks ago    Up 11 hours   0.0.0.0:30001->30001/tcp, 127.0.0.1:39283->6443/tcp                                            lucky-luke-control-plane
root@localhost:~# docker exec -it lucky-luke-control-plane bash
root@lucky-luke-control-plane:/# cd /etc/kubernetes/manifests/
root@lucky-luke-control-plane:/etc/kubernetes/manifests# ls -l
total 16
-rw------- 1 root root 2418 Jul 23 06:26 etcd.yaml
-rw------- 1 root root 3896 Jul 23 06:26 kube-apiserver.yaml
-rw------- 1 root root 3434 Jul 23 06:26 kube-controller-manager.yaml
-rw------- 1 root root 1463 Jul 23 06:26 kube-scheduler.yaml
Enter fullscreen mode Exit fullscreen mode

If we see the kube-apiserver.yaml file, we can see many options that have passed to starting the service command such as:

...
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=172.19.0.4
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
...
Enter fullscreen mode Exit fullscreen mode

The authorization-mode is Node and RBAC.
Note Defaults to AlwaysAllow if --authorization-config is not used.
Here for more info about Other options.


The default directory of all certificate which is used by kube-apiserver is:

root@lucky-luke-control-plane:~# ls -l /etc/kubernetes/pki/
total 60
-rw-r--r-- 1 root root 1123 Jul  1 16:16 apiserver-etcd-client.crt
-rw------- 1 root root 1675 Jul  1 16:16 apiserver-etcd-client.key
-rw-r--r-- 1 root root 1176 Jul  1 16:16 apiserver-kubelet-client.crt
-rw------- 1 root root 1679 Jul  1 16:16 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1334 Jul 23 06:26 apiserver.crt
-rw------- 1 root root 1675 Jul 23 06:26 apiserver.key
-rw-r--r-- 1 root root 1107 Jul  1 16:16 ca.crt
-rw------- 1 root root 1675 Jul  1 16:16 ca.key
drwxr-xr-x 2 root root 4096 Jul  1 16:16 etcd
-rw-r--r-- 1 root root 1123 Jul  1 16:16 front-proxy-ca.crt
-rw------- 1 root root 1679 Jul  1 16:16 front-proxy-ca.key
-rw-r--r-- 1 root root 1119 Jul  1 16:16 front-proxy-client.crt
-rw------- 1 root root 1675 Jul  1 16:16 front-proxy-client.key
-rw------- 1 root root 1679 Jul  1 16:16 sa.key
-rw------- 1 root root  451 Jul  1 16:16 sa.pub
Enter fullscreen mode Exit fullscreen mode

There are multiple pair of certificates and key for apiserver, because sometimes it acts as a server and sometimes it acts like a client.

Top comments (0)