Users, Roles, and Permissions on Kubernetes (RBAC) Overview

Users, permissions and roles are a complex topic in Kubernetes.

This document gives a summary of users, permissions and roles for a Kubernetes cluster and highlights the specifics that matter on Leaseweb Managed Kubernetes.

Important concepts related to authentication

To follow the documentation below, we suggest being familiar with the following concepts:

Name | Short description | Relevant documentation
ClusterRole | Defines a role whose policies apply at the cluster level | ClusterRole
ClusterRoleBinding | Assigns a role to a given user at the cluster level | ClusterRoleBinding
Certificate | Used in the cluster to guarantee the confidentiality of communication between components, and by administrators to authenticate against the API | Manage TLS Certificates in a Cluster
Certificate Signing Request | Used to have the cluster sign a certificate for authentication purposes | Manage TLS Certificates in a Cluster
Role | Defines a role and its policy at the namespace level | Role
RoleBinding | Associates a user with a Role at the namespace level | RoleBinding
Secrets | Used to store passwords, certificates and registry credentials in the cluster | Secrets
ServiceAccount | Used by applications, services and administrators to authenticate against the Kubernetes API | ServiceAccount
Token | Used to create certificates that are specific to a user | Service account tokens
OIDC | Third-party authentication tool that can be used with a cluster to ease concerns related to authentication and authorization | OpenID Connect Tokens
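The following manifests are an added example, not part of the original page or of Leaseweb's configuration: a namespaced, read-only Role with its RoleBinding, set beside a ClusterRole and ClusterRoleBinding so the difference in scope between the two pairs in the table above is visible. The namespace "dev", user "jane" and group "auditors" are constructed names.

```yaml
# Added example (not the page's code); namespace "dev", user "jane" and group "auditors" are constructed.
# Role: its rules apply only inside the "dev" namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: dev
rules:
  - apiGroups: [""]                 # "" is the core API group (pods, services, ...)
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"] # read-only: no create, delete or exec
---
# RoleBinding: grants pod-reader to user "jane" in "dev" only. The subject name must
# match the username the authenticator produces (certificate CN or OIDC username claim).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jane-pod-reader
  namespace: dev
subjects:
  - kind: User
    name: jane
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# ClusterRole + ClusterRoleBinding: same shape, but not namespaced, so the grant is cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-viewer
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: auditors-namespace-viewer
subjects:
  - kind: Group
    name: auditors
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: namespace-viewer
  apiGroup: rbac.authorization.k8s.io
```

After applying the manifests as the cluster admin, the effective permissions can be checked with `kubectl auth can-i list pods --namespace dev --as jane` (expected: yes) and `kubectl auth can-i delete pods --namespace dev --as jane` (expected: no).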

Leaseweb specifics regarding Authentication and Authorization

Default authentication for the Kubernetes API

There are multiple ways to access the Kubernetes API (k8s API): the kubectl command, a client library or even plain REST requests. Both users and service accounts can be authorized for API access.

The Kubernetes API on a Leaseweb Managed Kubernetes server listens on port 6443 on the first non-localhost network interface, protected by TLS. Leaseweb sets up one cluster admin and generates a certificate for the cluster, which is provided via the Customer Portal under “Download Configuration”. If this certificate needs to be revoked, please open a support ticket so that it gets rotated.

For more information, please follow our Getting Started with Kubernetes guide.

Authentication

Kubernetes supports having multiple authentication methods enabled at once. Usually, at least two methods are used:

  • service account tokens for service accounts
  • at least one other method for user authentication.

Multiple authentication modules exist, such as:

  • client certificates
  • password
  • plain tokens
  • bootstrap tokens
  • JSON Web Tokens (used for service accounts)

If the request can’t be authenticated, it is rejected with HTTP status code 401 (Unauthorized).

More information on authenticators can be found in the “Authenticating” section of the official Kubernetes documentation.

Authorization

The Kubernetes API server may authorize a request using one of several authorization modes:

  • Node
  • ABAC (Attribute-based access control)
  • RBAC (Role-based access control)
  • Webhook (a simple event-notification via HTTP POST)

Leaseweb Managed Kubernetes clusters are deployed with RBAC authorization by default.

How to articles

Learn how to set up authorization and authentication on a Leaseweb Managed Kubernetes cluster.

After going through these documents, the reader will be able to create a less privileged user, share a token or certificate with that user, and manage their privileges.

Goal | Associated documentation
Learn how to create a token-based Kubeconfig | Create a Token-based Kubeconfig
Learn how to create a certificate-based Kubeconfig | Certificate-based Kubeconfig
Learn how to allow, revoke and test users and permissions on a cluster | Manage Users and Permissions

Third-party authentication tools

A common practice is to integrate a third-party authentication tool, either to ease user management or to integrate with an existing third-party authentication system.

The following tools are available and have been tested with Leaseweb Managed Kubernetes:

  • OpenUnison with Keycloak (k8s dashboard included)
  • OpenUnison with Okta (k8s dashboard included)
  • kube-oidc-proxy, either with Keycloak or any other OIDC provider supported by kube-oidc-proxy *

* kube-oidc-proxy should integrate with most OIDC providers, but some providers will require the administrator to set up a proxy.