Kubernetes Security
Authentication
All Kubernetes clusters have two types of users:
service accounts
normal users
Normal Users
Normal users are managed outside of Kubernetes, for example by an administrator distributing client certificates, or by an external identity provider such as an OIDC issuer.
Kubernetes does not have objects which represent normal user accounts; the API server only sees the username and groups that an authenticator extracts from the presented credential.
Normal users therefore cannot be added to a cluster through an API call.
Service Accounts
Service accounts are identities for processes running in pods. They are managed by the Kubernetes API server as namespaced ServiceAccount objects, and every namespace gets a default service account.
The API server authenticates service accounts with signed bearer tokens.
Historically each service account was tied to a long-lived bearer token stored as a Secret. Since Kubernetes 1.24 tokens are no longer auto-generated as Secrets; instead the kubelet requests a short-lived token bound to the pod from the TokenRequest API and projects it into the pod. Either way the credentials are mounted at a well-known location, allowing in-cluster processes to talk to the Kubernetes API server.
Service accounts may be explicitly associated with pods using the serviceAccountName field of a pod spec; if it is omitted, the pod runs as the namespace's default service account. Setting automountServiceAccountToken: false on the pod spec or on the ServiceAccount stops the token from being mounted into pods that never need to call the API.
Service account credentials are mounted at /var/run/secrets/kubernetes.io/serviceaccount of every pod (unless automounting is disabled) and contain three files: ca.crt, the CA bundle used to verify the API server's certificate; namespace, the pod's namespace; and token, a signed JWT (JSON Web Token) that is presented as a bearer token to authenticate to the API server.
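The following script is an added example, not part of the original page, showing what the three mounted files give an in-cluster process: it decodes the token's JWT payload to show the service account identity Kubernetes encodes in the sub claim, and uses ca.crt plus the token to call the API server. It assumes POSIX sh with base64, cut, sed, tr and curl, the standard mount path given above, and the in-cluster KUBERNETES_SERVICE_HOST/PORT variables; the sample token it decodes when no mount is present is constructed here with a dummy signature so the script runs offline.

```shell
# Added example (not from the page): inspect the mounted service account
# credentials and use them against the API server from inside a pod.
# SA_DIR is the standard mount path; KUBE_API is the in-cluster API address
# the kubelet exposes through KUBERNETES_SERVICE_HOST/PORT.
SA_DIR=${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}
KUBE_API="https://${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}:${KUBERNETES_SERVICE_PORT:-443}"

# Decode a base64url string (JWT segments omit '=' padding and use '-' '_').
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# Encode to base64url; only used below to build the constructed sample token.
b64url_encode() {
    printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'
}

# Return the JSON payload (second dot-separated segment) of a JWT.
# The signature is NOT verified here: only the API server, which holds the
# signing key pair, can decide whether the token is genuine.
jwt_payload() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Pull one string-valued claim out of the compact JSON payload, e.g. sub.
jwt_claim() {
    jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Return namespace:name for the token. Kubernetes encodes the identity in
# sub as system:serviceaccount:<namespace>:<name>.
sa_identity() {
    jwt_claim "$1" sub | sed -n 's/^system:serviceaccount:\(.*\)$/\1/p'
}

# Call the API server the way an in-cluster client does: ca.crt verifies the
# server certificate and the token travels in the Authorization header.
api_get() {
    curl -sS --cacert "$SA_DIR/ca.crt" \
        -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
        "$KUBE_API$1"
}

# Constructed sample token with a dummy signature so the decoder runs offline.
# The claims mirror the shape of a real bound token issued by the API server.
SAMPLE_PAYLOAD='{"aud":["https://kubernetes.default.svc"],"exp":1893456000,"iss":"https://kubernetes.default.svc","kubernetes.io":{"namespace":"prod","pod":{"name":"web-0"},"serviceaccount":{"name":"web"}},"sub":"system:serviceaccount:prod:web"}'
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","kid":"example"}').$(b64url_encode "$SAMPLE_PAYLOAD").dummysignature"

# Inside a pod: show what the kubelet mounted, then list pods in the pod's
# own namespace (a common first check of what the identity is allowed to do).
if [ -r "$SA_DIR/token" ]; then
    echo "namespace file: $(cat "$SA_DIR/namespace")"
    echo "token identity: $(sa_identity "$(cat "$SA_DIR/token")")"
    api_get "/api/v1/namespaces/$(cat "$SA_DIR/namespace")/pods"
else
    echo "no mounted token; decoding the constructed sample instead"
    echo "token identity: $(sa_identity "$SAMPLE_TOKEN")"
fi
```

Run it from a shell inside a pod to see the identity the pod actually carries; an unexpected namespace or service account name in sub, or a token present in a pod that never talks to the API, is the kind of finding that leads to setting automountServiceAccountToken: false. For ad-hoc tokens outside a pod, kubectl create token <serviceaccount> requests a short-lived token from the same TokenRequest API the kubelet uses.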
API Requests
Every API request is authenticated as either a normal user or a service account, or it is treated as anonymous.
A request that no configured authenticator accepts is given the username system:anonymous and the group system:unauthenticated when anonymous access is enabled on the API server (the --anonymous-auth flag, which defaults to true); it is rejected outright when anonymous access is disabled. Authentication only establishes who is calling; what that identity may do is decided separately by authorization.