By Andrew Chen and Dominik Tornow

Kubernetes is a Container Orchestration Engine designed to host containerized applications on a set of nodes, commonly referred to as a cluster. Using a systems modeling approach, this series aims to advance the understanding of Kubernetes and its underlying concepts.

The Kubernetes API is an HTTP API that provides Create/Read/Update/Delete access to query and modify the Kubernetes Object Store. Kubernetes supports multiple authentication and authorization strategies to control access to the API.

Figure 1. Authentication, Impersonation, and Authorization Request Pipeline

This post provides a concise, detailed model of Kubernetes’ Role-based Access Control (RBAC), but may not be suitable as introductory material. The model is supported by partial specifications in TLA+.

Authorization

Conceptually, general authorization may be modeled as a relation hasAccess between a requesting user and a requested operation.

In this example

the tuples (U1, O1) and (U1, O2) are elements of the relation hasAccess.

Therefore the user U1 has access to the operations O1 and O2 but not to the operations O3 and O4.

Role-based Authorization

Conceptually, general role-based authorization may be modeled as two relations: a relation matches between a role and a user, and a relation grants between a role and an operation.

Role-based Authorization is an additive authorization concept, that is, access to an operation is denied implicitly unless it is granted explicitly.

In this example

the tuple (R1, U1) is an element of the relation matches

the tuples (R1, O1) and (R1, O2) are elements of the relation grants.

Therefore, the user U1 has access to the operations O1 and O2 but not to the operations O3 and O4.
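As an added example (not code from the post and not its TLA+ specifications), the following Python composes the two relations matches and grants into the single relation hasAccess from the first section: (U, O) is in hasAccess exactly when some role R has (R, U) in matches and (R, O) in grants. The sets U1, O1..O4 and R1 are constructed to mirror the post's figures; the second user U2 and the extra role R2 used to illustrate the additive property are assumptions for the example.

```python
# Constructed example data mirroring the post's figures (U2 is an added assumption).
USERS = {"U1", "U2"}
OPERATIONS = {"O1", "O2", "O3", "O4"}

# matches ⊆ Role × User and grants ⊆ Role × Operation, as in the post.
MATCHES = {("R1", "U1")}
GRANTS = {("R1", "O1"), ("R1", "O2")}


def derive_has_access(matches, grants):
    """Compose matches and grants into hasAccess ⊆ User × Operation.

    (u, o) ∈ hasAccess  iff  ∃ r : (r, u) ∈ matches ∧ (r, o) ∈ grants.
    Nothing else is in the relation, so every pair not produced by some
    role is implicitly denied (the additive model described in the post).
    """
    return {
        (user, op)
        for (role, user) in matches
        for (granting_role, op) in grants
        if role == granting_role
    }


def has_access(user, operation, matches=MATCHES, grants=GRANTS):
    """Authorization decision for one (user, operation) pair."""
    return (user, operation) in derive_has_access(matches, grants)


def denied_operations(user, operations=OPERATIONS, matches=MATCHES, grants=GRANTS):
    """Operations the user cannot perform: everything not explicitly granted."""
    allowed = {op for (u, op) in derive_has_access(matches, grants) if u == user}
    return operations - allowed


def is_additive(matches, grants, extra_matches, extra_grants):
    """Adding roles, bindings or grants can only enlarge hasAccess, never shrink it.

    There is no 'deny' tuple in this model, so the only way to revoke access
    is to remove a tuple from matches or grants.
    """
    before = derive_has_access(matches, grants)
    after = derive_has_access(matches | extra_matches, grants | extra_grants)
    return before <= after


if __name__ == "__main__":
    print(sorted(derive_has_access(MATCHES, GRANTS)))   # U1 may perform O1 and O2
    print(sorted(denied_operations("U1")))              # O3 and O4 are implicitly denied
    print(sorted(denied_operations("U2")))              # a user with no matching role gets nothing
    # Assumed second role R2 bound to U2: access grows, U1's access is unchanged.
    print(is_additive(MATCHES, GRANTS, {("R2", "U2")}, {("R2", "O3")}))
```

The practical consequence for review work is the last function: because the relation is built only from explicit tuples, any audit of effective access reduces to enumerating matches and grants; there is no separate deny list that could override a grant.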

Kubernetes Role-based Authorization

Kubernetes provides 4 Kubernetes Object Kinds to express Role-based Authorization: Roles and Cluster Roles as well as Role Bindings and Cluster Role Bindings.

The remainder of this post describes how Kubernetes represents Users, Operations, Roles, Role Bindings and their relations.

The Requesting User

Figure 1. User

Figure 1. illustrates Kubernetes’ representation of the requesting user in the context of the authentication and authorization subsystem.

The Kubernetes authentication subsystem maps each incoming HTTP Request to a user.

Kubernetes distinguishes between User Accounts, representing a person, and Service Accounts, representing a technical entity.

The Requested Operation