By Andrew Chen and Dominik Tornow

Figure 1. Authentication, Impersonation, and Authorization Request Pipeline

Authorization

Conceptually, general authorization may be modeled as a single relation hasAccess between a requesting user and a requested operation: the user is allowed to perform the operation exactly when the tuple (user, operation) is an element of hasAccess.


Role-based Authorization

Conceptually, role-based authorization may be modeled as two relations: a relation matches between a role and a user, and a relation grants between a role and an operation. A user has access to an operation if there exists a role that both matches the user and grants the operation; in other words, hasAccess is the composition of matches and grants, and the role is the intermediary that keeps the two relations small and independently maintainable.

In the example of the figure, the tuples (R1, O1) and (R1, O2) are elements of the relation grants, that is, role R1 grants both operation O1 and operation O2.

Kubernetes Role-based Authorization

Kubernetes provides four object kinds to express role-based authorization: Roles and Cluster Roles, which correspond to the grants relation, and Role Bindings and Cluster Role Bindings, which correspond to the matches relation. Roles and Role Bindings are namespaced objects; Cluster Roles and Cluster Role Bindings are cluster-scoped.


The Requesting User

Figure 1. User

The Requested Operation

Figure 2. Operation
Table 1.1. Resource Requests as Operations for Namespace Kinds
Table 1.2. Resource Requests as Operations for Non-Namespace Kinds

Roles and Cluster Roles

Figure 3. Role Objects and Cluster Role Objects

Role Binding and Cluster Role Binding

Figure 4. Role Binding Objects and Cluster Role Binding Objects
The subjects of a Role Binding or Cluster Role Binding name the users the binding matches. Each subject is
  • a User,
  • a Service Account, or
  • a Group

Granting Access

Finally, a requesting user has access to a requested operation if there exists a role binding whose subjects match the user and whose referenced role grants the requested operation. A Role Binding additionally scopes the grant to its own namespace, even when the role it references is a Cluster Role; only a Cluster Role Binding grants an operation in every namespace or on a non-namespaced kind.


Example

Listing 1.1 and Listing 1.2 show examples of a User Account foo@example.org and a Service Account ChaosMonkey. To the authorizer both are users; a Service Account is distinguished (only) by its naming pattern system:serviceaccount:<namespace>:<name>, which the API server assigns when it authenticates the account's token.

Listing 1.1 User Account
Listing 1.2 Service Account
Listing 2.1 Cluster Role
Listing 2.2 Role
Listing 3.1 Cluster Role Binding
Listing 3.2 Role Binding
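As an added example (not code from the article and not the Kubernetes API server's own authorizer), the following Python evaluates the matches and grants relations over Kubernetes RBAC objects, covering both the Granting Access rule above and the kinds in the listings. subject_matches is the matches relation between one binding subject and a user, rule_grants is the grants relation between one policy rule and an operation, and has_access joins the two through the role each binding references. The manifests are constructed for this illustration, since the listings are not reproduced here; the names pod-reader, node-reader, pod-killer and the lowercase service account chaosmonkey are assumptions. Two points the relational picture hides are encoded explicitly: a Role Binding grants only inside its own namespace even when it references a Cluster Role, so it can never grant a cluster-scoped kind such as nodes, and a rule with resourceNames matches only a request that carries a name, so an unscoped list or watch is not granted. Non-resource URLs, aggregated cluster roles and subresource wildcards are not modeled.

```python
# Added illustration of hasAccess = matches o grants over Kubernetes RBAC
# objects. Not the API server's code; all manifests below are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    """The requesting user after authentication. A service account is simply a
    user named system:serviceaccount:<namespace>:<name>; nothing else marks it."""
    name: str
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Operation:
    """A resource request as an operation (cf. Tables 1.1 and 1.2)."""
    verb: str
    api_group: str                   # "" is the core API group
    resource: str                    # e.g. "pods", "pods/log", "nodes"
    namespace: Optional[str] = None  # None for non-namespaced kinds
    name: Optional[str] = None       # None for an unscoped list/watch/create


def subject_matches(subject: dict, user: User) -> bool:
    """The relation 'matches' between one binding subject and the user."""
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return name == user.name
    if kind == "Group":
        return name in user.groups
    if kind == "ServiceAccount":
        return user.name == f"system:serviceaccount:{subject['namespace']}:{name}"
    return False


def rule_grants(rule: dict, op: Operation) -> bool:
    """The relation 'grants' between one policy rule and the operation."""
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    if not (hit(rule.get("verbs", []), op.verb)
            and hit(rule.get("apiGroups", []), op.api_group)
            and hit(rule.get("resources", []), op.resource)):
        return False
    # resourceNames narrows the rule to named objects: a request without a
    # name (an unscoped list or watch) never matches such a rule.
    names = rule.get("resourceNames")
    return not names or op.name in names


def has_access(user: User, op: Operation, roles: list, bindings: list) -> bool:
    """True if some binding matches the user and its referenced role grants op,
    subject to the binding's scope."""
    by_ref = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r
              for r in roles}
    for b in bindings:
        if not any(subject_matches(s, user) for s in b.get("subjects", [])):
            continue
        ref = b["roleRef"]
        if b["kind"] == "RoleBinding":
            ns = b["metadata"]["namespace"]
            # A RoleBinding grants only inside its own namespace, even when it
            # references a ClusterRole; cluster-scoped kinds are never reachable.
            if op.namespace != ns:
                continue
            role_ns = ns if ref["kind"] == "Role" else None
            role = by_ref.get((ref["kind"], role_ns, ref["name"]))
        else:
            # A ClusterRoleBinding may reference only a ClusterRole.
            if ref["kind"] != "ClusterRole":
                continue
            role = by_ref.get(("ClusterRole", None, ref["name"]))
        if role and any(rule_grants(rule, op) for rule in role.get("rules", [])):
            return True
    return False


# Constructed sample manifests (assumed names; not the article's listings).
ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "node-reader"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"namespace": "chaos", "name": "pod-killer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["delete"]}]},
]
BINDINGS = [
    # Group -> ClusterRole via ClusterRoleBinding: pods in every namespace.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "developers-read-pods"},
     "subjects": [{"kind": "Group", "name": "developers"}],
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"}},
    # User -> ClusterRole via RoleBinding: the same rules, but only in "dev".
    {"kind": "RoleBinding", "metadata": {"namespace": "dev", "name": "foo-reads-pods"},
     "subjects": [{"kind": "User", "name": "foo@example.org"}],
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"}},
    # ServiceAccount -> Role via RoleBinding in the Role's own namespace.
    {"kind": "RoleBinding", "metadata": {"namespace": "chaos", "name": "chaosmonkey-kills-pods"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "chaos", "name": "chaosmonkey"}],
     "roleRef": {"kind": "Role", "name": "pod-killer"}},
    # RoleBinding to a ClusterRole over a cluster-scoped kind: grants nothing.
    {"kind": "RoleBinding", "metadata": {"namespace": "dev", "name": "foo-reads-nodes"},
     "subjects": [{"kind": "User", "name": "foo@example.org"}],
     "roleRef": {"kind": "ClusterRole", "name": "node-reader"}},
]


def check(user: User, op: Operation) -> bool:
    """Evaluate hasAccess against the sample manifests."""
    return has_access(user, op, ROLES, BINDINGS)
```

Running check(User("foo@example.org"), Operation("get", "", "pods", "dev", "web-0")) yields True while the same request against namespace "prod" yields False, because foo is bound to pod-reader only through a Role Binding in dev; a user carrying the developers group reaches pods in every namespace through the Cluster Role Binding, and the service account can delete pods in chaos but not read them, nor delete them elsewhere. The binding foo-reads-nodes is deliberately inert: a practitioner who wants to grant nodes must use a Cluster Role Binding.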

Principal Engineer at Cisco, Office of the CTO
