Skip to main content

Day-22 - Understanding Authentication & Authorization inside Kubernetes 🔐

 Day-22 - Understanding Authentication & Authorization inside Kubernetes 🔐

Key Concepts:
🪪 Authentication (Who are you?)
 Verifies your identity using certificates, tokens, or kubeconfig files.
🛡️ Authorization (What can you do?)
 Once identified, Kubernetes checks if you’re allowed to perform the requested action.

Types of Authorization in Kubernetes:
1️⃣ ABAC (Attribute-Based Access Control)
 Permissions defined in a policy file.
 Requires API server restart — not ideal for production.
2️⃣ RBAC (Role-Based Access Control):
 Assigns permissions via roles & role bindings.
 Scalable, flexible, and the most commonly used method today.
3️⃣ Node Authorization:
Grants permissions to kubelets (nodes) to perform actions for the pods running on them.
4️⃣ Webhook Authorization:
 Uses external systems like OPA (Open Policy Agent) for advanced policy control — dynamic and powerful.

Key Learning:
Kubernetes uses a layered approach for access control — combining Node + RBAC + Webhook modes ensures secure, dynamic, and production-ready authorization



Comments

Post a Comment

Popular posts from this blog

  "Cloud zone insights not available yet, please check after some time" message on Aria Automation https://knowledge.broadcom.com/external/article?articleNumber=314894 Products VMware Aria Suite Issue/Introduction Symptoms: The certificate for Aria operations has been replaced since it was initially added to Aria Automation as an integration. When accessing the Insights pane under  Cloud Assembly  ->  Infrastructure  ->  Cloud Zone  ->  Insights  the following message is displayed:   "Cloud zone insights not available yet, please check after some time." The  /var/log/services-logs/prelude/hcmp-service-app/file-logs/hcmp-service-app.log  file contains ssl errors similar to:   2022-08-25T20:06:43.989Z ERROR hcmp-service [host='hcmp-service-app-xxxxxxx-xxxx' thread='Thread-56' user='' org='<org_id>' trace='<trace_id>' parent='<parent_id>' span='<span_id>'] c.v.a.h.a.common.AlertEnu...
Post a Comment
Read more
  Scheduled workflows fail post upgrade of VMware Aria Automation/VMware Aria Orchestrator to version 8.18 Issue/Introduction Workflows scheduled in the VMware Aria Orchestrator fail after upgrading to VMware Aria Automation/VMware Aria Orchestrator version 8.18. The same workflows run successfully when executed manually (without scheduling). Environment   It affects both Standalone VMware Aria Orchestrator and embedded VMware Aria Orchestrator. Cause The issue is due to regressions in the VMware vCenter (VC) plugin on VMware Aria Automation/VMware Aria Orchestrator 8.18. Resolution This is a known issue with the VMware Aria Automation/VMware Aria Orchestrator 8.18 and the workaround is to update the VC plugin on VMware Aria Orchestrator with the latest version (attached with the KB). Alternatively, wait for the official fix in VMware Aria Automation/VMware Aria Orchestrator 8.18.1. Workaround :               Note: Take (non-memory)  sna...
Post a Comment
Read more

Top 10 high-level EC2 scenario-based questions to challenge your AWS & DevOps skills

 Here are 10 high-level EC2 scenario-based questions to challenge your AWS & DevOps skills 1. Your EC2 instance is running but you can’t connect via SSH. What troubleshooting steps will you take?  Check Security Group inbound rules (port 22 open to your IP).  Verify Network ACLs (NACLs not blocking inbound/outbound).  Confirm instance’s Public IP / Elastic IP.  Validate Key Pair and correct permissions on .pem.  Ensure SSM Agent is installed (Session Manager can help).  Check system logs on the console for OS-level issues. 2. You terminated an EC2 instance by mistake. How can you prevent this in the future? Enable Termination Protection in EC2 settings. Use IAM permissions to restrict TerminateInstances. Tag critical instances and set resource policies. 3. Your EC2 instance needs to access an S3 bucket securely. What’s the best way to configure this? Best practice: Attach an IAM Role with least privilege policy to the EC2 instance. Avoid hardcoding...
Post a Comment
Read more