Security - Authentication, Authorization, Admission Control Flashcards
1
Q
What questions are to be made about the kube-apiserver in terms of security?
A
- Who can access?
- What can they do?
2
Q
How is Authentication in kube-apiserver dealt with?
A
- Files: Username and PWs
- Files: Username and Tokens
- Certificates
- External Authentication providers - LDAP
- Service Accounts
3
Q
What Authorization mechanisms exists for kube-apiserver?
A
- Role-based access controls (RBAC) Authorization
- Attribute based access controls (ABAC)
- Node Authorization
- Webhook mode
4
Q
Where is TLS encryption used?
A
- between kube-apiserver and all other components
- like schedulers, controllers, Kubelet, kube-proxy, etcd
5
Q
How is user (admins, devs) access managed in Kubernetes?
A
- managed by kube-apiserver
- it authenticates request
- afterwards processes it
6
Q
What Auth-mechanisms can be configured for the kube-apiserver?
A
- static password file (username + pw)
- static token fole (username + token)
- certificates
- Identity Services (third party)
7
Q
How does static password file authentication work? (Basic)
A
- create a list of users and their password in a csv file
- source for user information
- parts: pw,username,userid
- optionally fourth column: group1
- the file can be passed as on option (–) to the kube-apiserver:
- –basic-auth-file=user-details.csv
- then the kube-apiserver needs to be restarted
8
Q
How can you authenticate yourself in a curl command?
A
with ‘-u “user1:password123”’
9
Q
How does Authentication with a static token file work?
A
- like with a static password file
- four parts:
- token,username,userid,group
10
Q
How can you pass a token-file to the kube-apiserver?
A
–token-auth-file=user-token-details.csv
11
Q
How do you authenticate while communicating with the kube-apiserver
A
in curl command:
‘–header “Authorization: Bearer < token>”’
