What Do You Mean K8s Doesn't Have Users? How Do I Manage User Access Then?
CNCF [Cloud Native Computing Foundation] via YouTube
Overview
Syllabus
Intro
TRY TO REALIZE THE TRUTH
Topics • How AAA works in general
How AAA works in k8s API server • Every call to API is tied to
Two categories of identities • ServiceAccount For processes (pods)
User is a "transient" thing • User data not stored in etcd • User info is "just a string"
Ways to identify a user • X509 certs
User identification - client certs • Control plane manages CA
Client cert - gotchas (in a typical setup) • CA is static for the lifetime of the cluster • Other cluster components authenticating with client certs
User identification - token file • CSV file for user tokens
Token file - gotchas • Tokens loaded only at api-server boot • Tokens in plain text • Tokens cannot be invalidated
User identification - Webhook Token Auth • External service validating
User identification - OIDC • api-server configured to trust
Comparison / Summary
Authorization • Can a user perform the action?
How to tie users into RBAC
Summary • User is a "transient" thing
Taught by
CNCF [Cloud Native Computing Foundation]