Kubernetes Authentication and Authorization: A Complete Guide with Execution Steps

Security is a critical pillar in any Kubernetes environment. Kubernetes offers robust authentication and authorization systems that allow you to control who can access your cluster and what they can do.

In this blog, we’ll explore the key concepts, and more importantly, provide detailed instructions on how to configure and execute each method in real-world environments.

Table of Contents

1. What is Authentication in Kubernetes?

2. How to Configure Authentication (Methods)

3. What is Authorization in Kubernetes?

4. Authorization Modes and Execution

5. Implementing RBAC: Step-by-Step

6. Common Scenarios

7. Best Practices

8. Final Thoughts

1. What is Authentication in Kubernetes?

Authentication verifies who is trying to access the Kubernetes API. Kubernetes doesn’t manage users natively but supports various external identity systems.

2. How to Configure Authentication Methods

———

A. Client Certificates

Use Case: Admin access from kubectl with custom certificates

Steps:

1. Generate a private key and certificate signing request (CSR).

openssl genrsa -out user.key 2048

openssl req -new -key user.key -out user.csr -subj "/CN=john"

2. Sign the CSR using Kubernetes CA:

openssl x509 -req -in user.csr -CA /etc/kubernetes/pki/ca.crt \

-CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out user.crt -days 365

3. Configure kubectl:

   
   

   kubectl config set-credentials john --client-certificate=user.crt --client-key=user.key

   kubectl config set-context john-context --cluster=kubernetes --user=john

   kubectl config use-context john-context

   
   

———

B. Bearer Tokens

Use Case: Programmatic or service account access

Steps:

1. Create a Service Account:

kubectl create serviceaccount dev-user

2. Extract token:

SECRET=$(kubectl get sa dev-user -o jsonpath='{.secrets[0].name}')

kubectl get secret $SECRET -o jsonpath='{.data.token}' | base64 --decode

3. Use this token with curl or Postman against the API server.

———

C. OpenID Connect (OIDC)

Use Case: Enterprise SSO with Azure AD, Okta, etc.

Steps:

1. Register your cluster as an application in Azure/Okta.

2. Configure kube-apiserver with:

--oidc-issuer-url=https://login.microsoftonline.com/{tenant-id}/v2.0

--oidc-client-id=my-k8s-app

--oidc-username-claim=email

3. Use kubectl config set-credentials to configure user token from IdP.

⸻

D. Webhook Token Authentication

Use Case: Integrate with custom auth services

Steps:

1. Create an HTTP webhook server that returns user info as per Kubernetes webhook token auth spec.

2. Update API server with:

--authentication-token-webhook-config-file=/etc/kubernetes/webhook-config.yaml

——-

E.

Service Account Tokens

Use Case: Inside Pods accessing Kubernetes API

Steps:

1. Automatically mounted inside /var/run/secrets/kubernetes.io/serviceaccount/token

2. Use in your app or scripts to access API securely

—————

3. What is Authorization in Kubernetes?

Once identity is confirmed, Kubernetes performs authorization to determine if the user or service is allowed to perform the requested action (like creating a pod or reading secrets).

4. Authorization Modes and How to Enable

Configure the following in your API server with the flag:

--authorization-mode=Node,RBAC

Node Mode

• Enables kubelets to perform actions on nodes

• Automatically handled

Webhook Mode