Kubernetes Security Deep Dive: Auth, AuthZ, and Admission Control
This article explains Kubernetes' comprehensive security architecture, detailing the three critical gates—authentication, authorization, and admission control—along with token, basic, and certificate methods, RBAC policies, service accounts, kubeconfig setup, and practical examples for managing user permissions within clusters.
Kubernetes Security Mechanisms
Kubernetes is a distributed cluster management tool; securing the cluster, especially the API Server, is a primary task. Access to the API Server must pass three checks: Authentication, Authorization, and Admission Control.
Authentication: identify the user.
Authorization: determine what the user is permitted to do.
Admission Control: evaluate whether the request meets cluster policy.
Authentication
Authentication verifies client identity, e.g., username/password. Three common methods are:
HTTP Token authentication – uses a long, unforgeable token string.
HTTP Basic authentication – username and password encoded with Base64.
HTTPS certificate authentication – uses a CA‑signed client certificate for mutual TLS.
Token and Basic authentication are one‑way (only the client is identified); HTTPS certificate authentication can provide two‑way (mutual) authentication.
Service Account and kubeconfig
A ServiceAccount provides a token that Pods use to access the API Server. The kubeconfig file contains cluster parameters (CA certificate, API Server address) and client credentials (certificate, key) and can be used to switch contexts.
kubectl get sa
Authorization
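As an added example (not from the original article), the kubeconfig below pairs the two credential types described above: a certificate‑authenticated user and a ServiceAccount token user, each selectable through a context. The cluster name, server address, user names and file paths are assumed placeholders.

```yaml
# Added example kubeconfig (not from the original article).
# dev-cluster, the server address, admin, app-reader-sa and the paths are assumed.
apiVersion: v1
kind: Config
clusters:
- name: dev-cluster
  cluster:
    server: https://10.0.0.1:6443
    certificate-authority: /etc/kubernetes/pki/ca.crt   # pins the API Server's CA
users:
- name: admin                      # HTTPS certificate authentication (mutual TLS)
  user:
    client-certificate: /home/ops/.kube/admin.crt
    client-key: /home/ops/.kube/admin.key
- name: app-reader-sa              # HTTP Token authentication with a ServiceAccount token
  user:
    token: REPLACE_WITH_SERVICEACCOUNT_TOKEN
contexts:
- name: admin@dev-cluster
  context:
    cluster: dev-cluster
    user: admin
    namespace: default
- name: app-reader@dev-cluster
  context:
    cluster: dev-cluster
    user: app-reader-sa
    namespace: default
current-context: admin@dev-cluster
```

Switch between the two identities with `kubectl config use-context app-reader@dev-cluster`; a short‑lived token for a ServiceAccount can be issued with `kubectl create token <serviceaccount-name>` (available since Kubernetes 1.24). Because the token is a bearer credential, treat the kubeconfig file with the same care as the private key.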
Kubernetes supports several authorization modes set via the --authorization-mode flag:
AlwaysDeny – deny all requests.
AlwaysAllow – allow all requests.
ABAC – attribute‑based access control.
Webhook – external REST service.
RBAC – role‑based access control (default).
RBAC Objects
RBAC defines four top‑level resources: Role, ClusterRole, RoleBinding, and ClusterRoleBinding.
Role applies within a namespace; ClusterRole is cluster‑wide. RoleBinding binds a Role to subjects (User, Group, ServiceAccount) in a namespace; ClusterRoleBinding binds a ClusterRole to subjects across the whole cluster.
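The following manifests are an added example (not from the original article) that shows how the four RBAC objects fit together: a RoleBinding that grants the pod-reader Role this section defines to a ServiceAccount in one namespace, and a ClusterRole/ClusterRoleBinding pair for a cluster‑scoped resource. The ServiceAccount app-reader, the group ops-viewers and the ClusterRole node-viewer are assumed.

```yaml
# Added example manifests (not from the original article).
# pod-reader is the Role defined in this article; app-reader, ops-viewers
# and node-viewer are assumed names.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-reader
  namespace: default
---
# RoleBinding: grants pod-reader only inside the default namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: ServiceAccount
  name: app-reader
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# ClusterRole: nodes are not namespaced, so a Role cannot grant access to them.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-viewer
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
---
# ClusterRoleBinding: grants node-viewer to a group across the whole cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ops-view-nodes
subjects:
- kind: Group
  name: ops-viewers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: node-viewer
  apiGroup: rbac.authorization.k8s.io
```

Verify the scoping before relying on it: `kubectl auth can-i list pods --as=system:serviceaccount:default:app-reader -n default` should answer yes, while the same query with `-n kube-system` should answer no, because the RoleBinding lives only in default. A RoleBinding may also reference a ClusterRole; that grants the ClusterRole's rules only within the binding's namespace, which is the usual way to reuse one rule set across teams without handing out cluster‑wide rights.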
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get","watch","list"]
Admission Control
Admission controllers are plugins that enforce additional policies on API requests. Recommended default plugins include NamespaceLifecycle, LimitRanger, ServiceAccount, DefaultStorageClass, DefaultTolerationSeconds, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota, and NodeRestriction.
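To make the plugin list concrete, here is an added example (not from the original article) of the policy objects that two of the listed plugins enforce: a ResourceQuota, which the ResourceQuota admission plugin uses to reject requests that would exceed the namespace's totals, and a LimitRange, which the LimitRanger plugin uses both to fill in missing container requests/limits (mutating) and to reject containers above the maximum (validating). The namespace and all numbers are assumed.

```yaml
# Added example (not from the original article). Namespace and values are assumed.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-quota
  namespace: default
spec:
  hard:
    pods: "20"
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
---
apiVersion: v1
kind: LimitRange
metadata:
  name: default-limits
  namespace: default
spec:
  limits:
  - type: Container
    default:            # injected by LimitRanger when a container sets no limits
      cpu: 500m
      memory: 256Mi
    defaultRequest:     # injected when a container sets no requests
      cpu: 100m
      memory: 128Mi
    max:                # containers asking for more are rejected at admission
      cpu: "2"
      memory: 2Gi
```

One interaction worth knowing: once a ResourceQuota constrains requests.cpu or requests.memory, the ResourceQuota plugin rejects any Pod that does not declare those requests. Pairing the quota with a LimitRange that supplies defaults, as above, keeps existing workloads admissible while the quota is enforced.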
Summary
Kubernetes security consists of three layers: Authentication (token, basic, certificate), Authorization (RBAC, ABAC, etc.), and Admission Control (plugin list).
MaGe Linux Operations