Learn more about Kubernetes authorization, including details about creating policies using the supported authorization modules.
- Determine Whether a Request is Allowed or Denied
- Review Your Request Attributes
- Determine the Request Verb
- Authorization Modes
- Using Flags for Your Authorization Module
- Privilege escalation via pod creation
- What's next
In Kubernetes, you must be authenticated (logged in) before your request can be authorized (granted permission to access). For information about authentication, see Accessing Control Overview.
Kubernetes expects attributes that are common to REST API requests. This means that Kubernetes authorization works with existing organization-wide or cloud-provider-wide access control systems which may handle other APIs besides the Kubernetes API.
Determine Whether a Request is Allowed or Denied
Kubernetes authorizes API requests using the API server. It evaluates all of the request attributes against all policies and allows or denies the request. All parts of an API request must be allowed by some policy in order to proceed. This means that permissions are denied by default.
(Although Kubernetes uses the API server, access controls and policies that depend on specific fields of specific kinds of objects are handled by Admission Controllers.)
When multiple authorization modules are configured, each is checked in sequence. If any authorizer approves or denies a request, that decision is immediately returned and no other authorizer is consulted. If all modules have no opinion on the request, then the request is denied. A deny returns an HTTP status code 403.
Review Your Request Attributes
Kubernetes reviews only the following API request attributes:
- user - The
userstring provided during authentication.
- group - The list of group names to which the authenticated user belongs.
- extra - A map of arbitrary string keys to string values, provided by the authentication layer.
- API - Indicates whether the request is for an API resource.
- Request path - Path to miscellaneous non-resource endpoints like
- API request verb - API verbs like
deletecollectionare used for resource requests. To determine the request verb for a resource API endpoint, see Determine the request verb.
- HTTP request verb - Lowercased HTTP methods like
deleteare used for non-resource requests.
- Resource - The ID or name of the resource that is being accessed (for resource requests only) – For resource requests using
deleteverbs, you must provide the resource name.
- Subresource - The subresource that is being accessed (for resource requests only).
- Namespace - The namespace of the object that is being accessed (for namespaced resource requests only).
- API group - The API GroupA set of related paths in the Kubernetes API. being accessed (for resource requests only). An empty string designates the core API group.
Determine the Request Verb
Non-resource requests Requests to endpoints other than
/apis/<group>/<version>/... are considered “non-resource requests”, and use the lower-cased HTTP method of the request as the verb. For example, a
GET request to endpoints like
/healthz would use
get as the verb.
Resource requests To determine the request verb for a resource API endpoint, review the HTTP verb used and whether or not the request acts on an individual resource or a collection of resources:
|HTTP verb||request verb|
|GET, HEAD||get (for individual resources), list (for collections, including full object content), watch (for watching an individual resource or collection of resources)|
|DELETE||delete (for individual resources), deletecollection (for collections)|
Kubernetes sometimes checks authorization for additional permissions using specialized verbs. For example:
podsecuritypoliciesresources in the
clusterrolesresources in the
serviceaccountsin the core API group, and the
The Kubernetes API server may authorize a request using one of several authorization modes:
- Node - A special-purpose authorization mode that grants permissions to kubelets based on the pods they are scheduled to run. To learn more about using the Node authorization mode, see Node Authorization.
- ABAC - Attribute-based access control (ABAC) defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. The policies can use any type of attributes (user attributes, resource attributes, object, environment attributes, etc). To learn more about using the ABAC mode, see ABAC Mode.
- RBAC - Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise. In this context, access is the ability of an individual user to perform a specific task, such as view, create, or modify a file. To learn more about using the RBAC mode, see RBAC Mode
- When specified RBAC (Role-Based Access Control) uses the
rbac.authorization.k8s.ioAPI group to drive authorization decisions, allowing admins to dynamically configure permission policies through the Kubernetes API.
- To enable RBAC, start the apiserver with
- When specified RBAC (Role-Based Access Control) uses the
- Webhook - A WebHook is an HTTP callback: an HTTP POST that occurs when something happens; a simple event-notification via HTTP POST. A web application implementing WebHooks will POST a message to a URL when certain things happen. To learn more about using the Webhook mode, see Webhook Mode.
Checking API Access
kubectl provides the
auth can-i subcommand for quickly querying the API authorization layer. The command uses the
SelfSubjectAccessReview API to determine if the current user can perform a given action, and works regardless of the authorization mode used.
kubectl auth can-i create deployments --namespace dev
kubectl auth can-i create deployments --namespace prod
Administrators can combine this with user impersonation to determine what action other users can perform.
kubectl auth can-i list secrets --namespace dev --as dave
SelfSubjectAccessReview is part of the
authorization.k8s.io API group, which exposes the API server authorization to external services. Other resources in this group include:
SubjectAccessReview- Access review for any user, not just the current one. Useful for delegating authorization decisions to the API server. For example, the kubelet and extension API servers use this to determine user access to their own APIs.
SubjectAccessReviewbut restricted to a specific namespace.
SelfSubjectRulesReview- A review which returns the set of actions a user can perform within a namespace. Useful for users to quickly summarize their own access, or for UIs to hide/show actions.
These APIs can be queried by creating normal Kubernetes resources, where the response “status” field of the returned object is the result of the query.
kubectl create -f - -o yaml << EOF
apiVersion: authorization.k8s.io/v1 kind: SelfSubjectAccessReview spec: resourceAttributes: group: apps resource: deployments verb: create namespace: dev EOF apiVersion: authorization.k8s.io/v1 kind: SelfSubjectAccessReview metadata: creationTimestamp: null spec: resourceAttributes: group: apps resource: deployments namespace: dev verb: create status: allowed: true denied: false
Using Flags for Your Authorization Module
You must include a flag in your policy to indicate which authorization module your policies include:
The following flags can be used:
--authorization-mode=ABACAttribute-Based Access Control (ABAC) mode allows you to configure policies using local files.
--authorization-mode=RBACRole-based access control (RBAC) mode allows you to create and store policies using the Kubernetes API.
--authorization-mode=WebhookWebHook is an HTTP callback mode that allows you to manage authorization using a remote REST endpoint.
--authorization-mode=NodeNode authorization is a special-purpose authorization mode that specifically authorizes API requests made by kubelets.
--authorization-mode=AlwaysDenyThis flag blocks all requests. Use this flag only for testing.
--authorization-mode=AlwaysAllowThis flag allows all requests. Use this flag only if you do not require authorization for your API requests.
You can choose more than one authorization module. Modules are checked in order so an earlier module has higher priority to allow or deny a request.
Privilege escalation via pod creation
Users who have the ability to create pods in a namespace can potentially escalate their privileges within that namespace. They can create pods that access their privileges within that namespace. They can create pods that access secrets the user cannot themselves read, or that run under a service account with different/greater permissions.
Caution: System administrators, use care when granting access to pod creation. A user granted permission to create pods (or controllers that create pods) in the namespace can: read all secrets in the namespace; read all config maps in the namespace; and impersonate any service account in the namespace and take any action the account could take. This applies regardless of authorization mode.