Learn more about Kubernetes authorization, including details about creating policies using the supported authorization modules.
In Kubernetes, you must be authenticated (logged in) before your request can be authorized (granted permission to access). For information about authentication, see Controlling Access to the Kubernetes API.
Kubernetes expects attributes that are common to REST API requests. This means that Kubernetes authorization works with existing organization-wide or cloud-provider-wide access control systems which may handle other APIs besides the Kubernetes API.
Kubernetes authorizes API requests using the API server. It evaluates all of the request attributes against all policies and allows or denies the request. All parts of an API request must be allowed by some policy in order to proceed. This means that permissions are denied by default.
(Although Kubernetes uses the API server, access controls and policies that depend on specific fields of specific kinds of objects are handled by Admission Controllers.)
When multiple authorization modules are configured, each is checked in sequence. If any authorizer approves or denies a request, that decision is immediately returned and no other authorizer is consulted. If all modules have no opinion on the request, then the request is denied. A deny returns an HTTP status code 403.
Kubernetes reviews only the following API request attributes:
user
string provided during authentication./api
or /healthz
.get
, list
, create
, update
, patch
, watch
, delete
, and deletecollection
are used for resource requests. To determine the request verb for a resource API endpoint, see Determine the request verb.get
, post
, put
, and delete
are used for non-resource requests.get
, update
, patch
, and delete
verbs, you must provide the resource name.Non-resource requests Requests to endpoints other than /api/v1/...
or /apis/<group>/<version>/...
are considered "non-resource requests", and use the lower-cased HTTP method of the request as the verb. For example, a GET
request to endpoints like /api
or /healthz
would use get
as the verb.
Resource requests To determine the request verb for a resource API endpoint, review the HTTP verb used and whether or not the request acts on an individual resource or a collection of resources:
HTTP verb | request verb |
---|---|
POST | create |
GET, HEAD | get (for individual resources), list (for collections, including full object content), watch (for watching an individual resource or collection of resources) |
PUT | update |
PATCH | patch |
DELETE | delete (for individual resources), deletecollection (for collections) |
Kubernetes sometimes checks authorization for additional permissions using specialized verbs. For example:
use
verb on podsecuritypolicies
resources in the policy
API group.bind
and escalate
verbs on roles
and clusterroles
resources in the rbac.authorization.k8s.io
API group.impersonate
verb on users
, groups
, and serviceaccounts
in the core API group, and the userextras
in the authentication.k8s.io
API group.The Kubernetes API server may authorize a request using one of several authorization modes:
rbac.authorization.k8s.io
API group to drive authorization decisions, allowing admins to dynamically configure permission policies through the Kubernetes API.--authorization-mode=RBAC
.kubectl
provides the auth can-i
subcommand for quickly querying the API authorization layer. The command uses the SelfSubjectAccessReview
API to determine if the current user can perform a given action, and works regardless of the authorization mode used.
kubectl auth can-i create deployments --namespace dev
The output is similar to this:
yes
kubectl auth can-i create deployments --namespace prod
The output is similar to this:
no
Administrators can combine this with user impersonation to determine what action other users can perform.
kubectl auth can-i list secrets --namespace dev --as dave
The output is similar to this:
no
Similarly, to check whether a ServiceAccount named dev-sa
in Namespace dev
can list Pods in the Namespace target
:
kubectl auth can-i list pods \
--namespace target \
--as system:serviceaccount:dev:dev-sa
The output is similar to this:
yes
SelfSubjectAccessReview
is part of the authorization.k8s.io
API group, which exposes the API server authorization to external services. Other resources in this group include:
SubjectAccessReview
- Access review for any user, not only the current one. Useful for delegating authorization decisions to the API server. For example, the kubelet and extension API servers use this to determine user access to their own APIs.LocalSubjectAccessReview
- Like SubjectAccessReview
but restricted to a specific namespace.SelfSubjectRulesReview
- A review which returns the set of actions a user can perform within a namespace. Useful for users to quickly summarize their own access, or for UIs to hide/show actions.These APIs can be queried by creating normal Kubernetes resources, where the response "status" field of the returned object is the result of the query.
kubectl create -f - -o yaml << EOF
apiVersion: authorization.k8s.io/v1
kind: SelfSubjectAccessReview
spec:
resourceAttributes:
group: apps
resource: deployments
verb: create
namespace: dev
EOF
The generated SelfSubjectAccessReview
is:
apiVersion: authorization.k8s.io/v1
kind: SelfSubjectAccessReview
metadata:
creationTimestamp: null
spec:
resourceAttributes:
group: apps
resource: deployments
namespace: dev
verb: create
status:
allowed: true
denied: false
You must include a flag in your policy to indicate which authorization module your policies include:
The following flags can be used:
--authorization-mode=ABAC
Attribute-Based Access Control (ABAC) mode allows you to configure policies using local files.--authorization-mode=RBAC
Role-based access control (RBAC) mode allows you to create and store policies using the Kubernetes API.--authorization-mode=Webhook
WebHook is an HTTP callback mode that allows you to manage authorization using a remote REST endpoint.--authorization-mode=Node
Node authorization is a special-purpose authorization mode that specifically authorizes API requests made by kubelets.--authorization-mode=AlwaysDeny
This flag blocks all requests. Use this flag only for testing.--authorization-mode=AlwaysAllow
This flag allows all requests. Use this flag only if you do not require authorization for your API requests.You can choose more than one authorization module. Modules are checked in order so an earlier module has higher priority to allow or deny a request.
Users who can create/edit pods in a namespace, either directly or through a controller such as an operator, could escalate their privileges in that namespace.
© 2022 The Kubernetes Authors
Documentation Distributed under CC BY 4.0.
https://kubernetes.io/docs/reference/access-authn-authz/authorization/