Kubernetes Security

Authentication

All Kubernetes clusters have two types of users:

  • service accounts

  • normal users

Normal Users

  • Normal users are managed outside of Kubernetes.

  • Kubernetes does not have objects which represent normal user accounts.

  • Normal users cannot be added to a cluster through an API call.

Service Accounts

  • These are user accounts managed by the Kubernetes API.

  • The API server uses signed bearer tokens to verify requests made with a service account.

  • Service accounts are tied to a set of credentials (or bearer tokens) stored as Secrets, which are mounted into pods at well known locations, allowing in-cluster processes to talk to the Kubernetes API server.

  • Service accounts may be explicitly associated with pods using the serviceAccountName field of a pod spec.

  • Service account credentials are mounted at /var/run/secrets/kubernetes.io/serviceaccount in every pod; the directory holds three files, ca.crt, namespace and token, the last being a signed JWT (JSON Web Token) used to authenticate to the API server.
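
How a process inside a pod consumes those three files, as an added example (not from the original page): it reads the mount, decodes the token's claims to see which service account identity the pod carries, checks that the namespace file agrees with the token, and assembles the settings for an authenticated in-cluster API call. The mount path and the KUBERNETES_SERVICE_HOST/KUBERNETES_SERVICE_PORT environment variables are standard Kubernetes; the sample directory, the payments/api-reader identity and the unsigned token are constructed for the demo.

```python
import base64, json, os, tempfile
from pathlib import Path

SA_DIR = Path("/var/run/secrets/kubernetes.io/serviceaccount")  # the well-known mount point

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # JWT segments drop '=' padding

def read_sa_dir(sa_dir: Path = SA_DIR) -> dict:
    # Raises FileNotFoundError for pods created with automountServiceAccountToken: false,
    # i.e. pods that deliberately carry no API identity.
    return {name: (sa_dir / name).read_text() for name in ("ca.crt", "namespace", "token")}

def jwt_claims(token: str) -> dict:
    # Decodes the payload WITHOUT verifying the signature: this shows which identity the
    # pod carries, but only the API server (or a TokenReview) can vouch for the token.
    _header, payload, _signature = token.strip().split(".")
    return json.loads(b64url_decode(payload))

def check_identity(files: dict) -> dict:
    # Cross-check the namespace file against the namespace claim inside the token.
    claims = jwt_claims(files["token"])
    ns_file = files["namespace"].strip()
    k8s = claims.get("kubernetes.io", {})  # bound (projected) token claim layout
    ns_claim = k8s.get("namespace", claims.get("kubernetes.io/serviceaccount/namespace"))
    if ns_claim != ns_file:
        raise ValueError(f"namespace file {ns_file!r} != token claim {ns_claim!r}")
    return {"namespace": ns_file, "serviceaccount": k8s.get("serviceaccount", {}).get("name"),
            "subject": claims["sub"], "issuer": claims["iss"]}

def api_request_settings(files: dict) -> dict:
    # In-cluster client: API server address from kubelet-injected env vars, ca.crt to verify it,
    # token as the bearer credential.
    host = os.environ.get("KUBERNETES_SERVICE_HOST", "kubernetes.default.svc")
    port = os.environ.get("KUBERNETES_SERVICE_PORT", "443")
    return {"url": f"https://{host}:{port}/api/v1/namespaces/{files['namespace'].strip()}/pods",
            "headers": {"Authorization": "Bearer " + files["token"].strip()},
            "ca_bundle": files["ca.crt"]}

def make_sample_sa_dir() -> Path:
    # CONSTRUCTED stand-in for the projected volume; no real key, cert or cluster is involved.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    claims = {"iss": "https://kubernetes.default.svc.cluster.local",
              "sub": "system:serviceaccount:payments:api-reader",
              "kubernetes.io": {"namespace": "payments",
                                "serviceaccount": {"name": "api-reader", "uid": "CONSTRUCTED"}}}
    d = Path(tempfile.mkdtemp())
    (d / "ca.crt").write_text("-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n")
    (d / "namespace").write_text("payments\n")
    (d / "token").write_text(enc({"alg": "RS256"}) + "." + enc(claims) + ".CONSTRUCTED_SIGNATURE")
    return d
```

Decoding the payload does not verify it, so treat the result as an inventory of the identity a pod was given rather than proof of it; pods that never need the API should be created with automountServiceAccountToken: false so the directory is absent altogether.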

API Requests

  • Every API request is made either by a normal user, by a service account, or anonymously.

  • Each request is either authenticated or treated as coming from the anonymous user.