Users, permissions and roles is a complex topic in Kubernetes.
This document goes summarily over users, permissions and roles for Kubernetes cluster, and highlight important specificities.
Important concepts related to authentication
In order to be able to understand the following documentation, we suggest being familiar with the following concepts
| Name | Short description | Relevant documentation |
|---|---|---|
| ClusterRole | Define a role that can be assigned policies at the cluster level | ClusterRole |
| ClusterRoleBinding | Assign a Role to a certain user at the cluster level | ClusterRoleBinding |
| Certificate | Is used in the cluster to guarantee secrecy for the communication between components, and also for administrator to authenticate against the Api. | Manage TLS Certificates in a Cluster |
| Certificate Signing Request | Used to sign a certificate by the cluster for authentication purposes | Manage TLS Certificates in a Cluster |
| Role | Allow to define a Role and policy at the namespace level | Role |
| RoleBinding | Allow to associate a User with a Role at the namespace level | RoleBinding |
| Secrets | Used to store password, certificate and registry code in the cluster. | Secrets |
| ServiceAccount | Used for applications, services and administrator to authenticate against Kubernetes API | ServiceAccount |
| Token | Used to create certificate that are specific to user. | Service account tokens |
| OIDC | Third party authentication tool that can be used with a cluster to ease concerns related to Authentication & Authorization. | OpenID Connect Tokens |
Leaseweb specifics according to Authentication & Authorization
Default authentication for the Kubernetes API
There are multiple ways to access the Kubernetes API (k8s API), the kubectl command, client library or even REST request. Both users and service accounts can be authorized for API access.
The Kubernetes API on Leaseweb Managed Kubernetes server listens on port 6443 on the first non-localhost network interface, protected by TLS. Leaseweb setup one cluster admin and generate a certificate for the cluster that is provided via the customer portal "Download Configuration". If this certificate needs to be revoked, please open a support ticket to make sure it gets rotated.
For more information, please follow our Getting Started with Kubernetes guide.
Authentication
Kubernetes support multiple authentication methods enabled at once. Usually, at least two methods are used:
- service account tokens for service accounts
- at least one other method for user authentication.
Multiple authentication modules exists, such as :
- client certificates
- password
- plain tokens
- bootstrap tokens
- JSON Web Tokens (used for service accounts).
If the request can't be authenticated, it will be rejected with a HTTP Status code 401 (Unauthorized).
More information on Authenticators can be found in the section "Authenticating" on the Kubernetes official documentation.
Authorization
The Kubernetes API server may authorize a request using one of several authorization modes:
- Node
- ABAC (Attribute-based access control)
- RBAC (Role-based access control)
- Webhook (a simple event-notification via HTTP POST)
Leaseweb managed Kubernetes cluster are deployed by default with RBAC authorization.
How to articles
Learn how to setup authorization and authentication on a Leaseweb Managed Kubernetes cluster.
Going over these documents, the reader will be able to create a less privileged user, share a token / certificate with that user and manage his privileges.
Goal | Associated documentation |
|---|---|
| Learn how to create a token-based Kubeconfig | |
| Learn how to create a certificate-based Kubeconfig | |
Learn how to allow, revoke and Test Users and Permissions on a cluster |
Third-party authentication tools
A common practice is to integrate third-party authentication tool to ease user management or integrate with third-party authentication system.
The following tool are available and have been tested with the Leaseweb Managed Kubernetes :
- OpenUnison with Keycloak (k8s dashboard included)
- OpenUnison with Okta (k8s dashboard included)
- kube-oidc-proxy, either with Keycloak or any other OIDC supported by kube-oidc-proxy *
* kube-oidc-proxy should integrate with most OIDC provider, But some OIDC will require the administrator to setup a proxy.