Class Central Classrooms beta
Classroom Contents
What Do You Mean K8s Doesn't Have Users? How Do I Manage User Access Then?
- 1 Intro
- 2 TRY TO REALIZE THE TRUTH
- 3 Topics • How AAA works in general
- 4 How AAA works in k8s API server • Every call to API is tied to
- 5 Two categories of identities • ServiceAccount For processes (pods)
- 6 User is a "transient" thing • User data not stored on etcd • User info is "just a string"
- 7 Ways to identify a user • X509 certs
- 8 User identification - client certs • Control plane manages CA
- 9 Client cert - gotchas (in a typical setup) • CA is static for the lifetime of cluster • Other cluster components authenticating with client certs
- 10 User identification - token file • CSV file for user tokens
- 11 Token file - gotchas • Tokens loaded only at api-server boot • Tokens in plain text • Tokens cannot be invalidated
- 12 User identification - Webhook Token Auth • External service validating
- 13 User identification - OIDC • api-server configured to trust
- 14 Comparison / Summary
- 15 Authorization • Can a user perform the action?
- 16 How to tie users into RBAC
- 17 Summary • User is a "transient" thing