What Do You Mean K8s Doesn't Have Users? How Do I Manage User Access Then?

Offered By: CNCF [Cloud Native Computing Foundation] via YouTube

Tags: Conference Talks, Kubernetes, Authorization, Role-Based Access Control (RBAC)

Course Description

Overview

Explore Kubernetes authentication and authorization mechanisms in this 28-minute conference talk from KubeCon + CloudNativeCon North America 2021. Delve into the intricacies of user access management in Kubernetes clusters, including the limitations of client certificate access and the challenges of revoking permissions. Learn about different user identification methods such as X509 certificates, token files, webhook token authentication, and OpenID Connect. Discover how to implement Role-Based Access Control (RBAC) for enhanced security and user segmentation. Gain insights into the transient nature of user data in Kubernetes and strategies for more efficient and secure cluster management. Leave equipped with knowledge to create a robust and convenient access management system for your Kubernetes environment.

Syllabus

Intro
Try to realize the truth
Topics • How AAA works in general
How AAA works in the k8s API server • Every call to the API is tied to
Two categories of identities • ServiceAccount, for processes (pods)
User is a "transient" thing • User data is not stored in etcd • User info is "just a string"
Ways to identify a user • X509 certs
User identification - client certs • Control plane manages the CA
Client cert gotchas (in a typical setup) • CA is static for the lifetime of the cluster • Other cluster components authenticate with client certs
User identification - token file • CSV file for user tokens
Token file gotchas • Tokens loaded only at api-server boot • Tokens in plain text • Tokens cannot be invalidated
User identification - Webhook Token Auth • External service validating
User identification - OIDC • api-server configured to trust
Comparison / Summary
Authorization • Can a user perform the action?
How to tie users into RBAC
Summary • User is a "transient" thing


Taught by

CNCF [Cloud Native Computing Foundation]
