What Do You Mean K8s Doesn't Have Users? How Do I Manage User Access Then?

CNCF [Cloud Native Computing Foundation] via YouTube

Client cert - gotchas (in a typical setup) • CA is static for the lifetime of cluster • Other cluster components authenticating with client certs

Classroom Contents

  1. Intro
  2. TRY TO REALIZE THE TRUTH
  3. Topics • How AAA works in general
  4. How AAA works in k8s API server • Every call to API is tied to
  5. Two categories of identities • ServiceAccount, for processes (pods)
  6. User is a "transient" thing • User data not stored on etcd • User info is "just a string"
  7. Ways to identify a user • X509 certs
  8. User identification - client certs • Control plane manages CA
  9. Client cert - gotchas (in a typical setup) • CA is static for the lifetime of cluster • Other cluster components authenticating with client certs
  10. User identification - token file • CSV file for user tokens
  11. Token file - gotchas • Tokens loaded only at api-server boot • Tokens in plain text • Tokens cannot be invalidated
  12. User identification - Webhook Token Auth • External service validating
  13. User identification - OIDC • api-server configured to trust
  14. Comparison / Summary
  15. Authorization • Can a user perform the action?
  16. How to tie users into RBAC
  17. Summary • User is a "transient" thing
