RBAC
Last updated
Was this helpful?
Last updated
Was this helpful?
Because Kubernetes RBAC is REST-based, it maps HTTP verbs to permissions. For example, POST is mapped to the create right.
The main recommendation is to give users the least privileges they need to get the job done.
Kubernetes objects are defined through different API specifications. RBAC is part of the rbac.authorization.k8s.io — this group references four different types of Kubernetes objects:
Role, (WHAT can be done)
can be constrained to specific namespaces
ClusterRole, (WHAT can be done)
allows you to constrain access to resources that are cluster-wide, such as nodes
used for Non-resource REST Endpoints such as /healthz.
RoleBinding, (WHO can do it)
ClusterRoleBinding (WHO can do it)
Kubernetes RBAC differentiates between human resources and software resources:
User Accounts manage the access rights for users,
Service Accounts manage the access rights for software resources.
How kubectl works (partly). The API server executes the following operations sequentially:
On receiving the request, authenticate the user.
When the validation fails, reject the request by returning 401 Unauthorized.
Otherwise, move on to the next stage.
The user is authenticated, but do they have access to the resource?
If they don't, reject the request by returning 403 Forbidden.
Otherwise, continue.