isopolew.blogg.se

Toad authorization key

You have several options when it comes to implementing this authentication mechanism:

- You could use static tokens that don't expire. In this case, there is no need for running a dedicated authentication server.
- You could roll out your authentication and authorisation mechanism, such as mutual TLS certificates.

All the authentication and authorisation servers have to do is to:

1. Authenticate the caller - The caller should have a valid and verifiable identity.
2. Generate a token with a limited scope, validity and the desired audience.
3. Validate a token - Service to service communication is allowed only if the token is legit for the two services involved.

Examples of dedicated software that allows you to implement authentication and authorisation infrastructure are tools such as Keycloak or Dex.

1. Log in using your email and password - your identity is verified.
2. A valid session is created for your user. The session might describe what groups you belong to.
3. Every request is validated and you will be asked to log in again when it's invalid.

The same applies to two apps within your infrastructure:

1. A backend component makes a request to Keycloak with its API key and secret to generate a session token.
2. The backend makes a request to the second app using the session token.
3. The second app retrieves the token from the request and validates it with Keycloak.
4. If the token is valid, it replies to the request.

You might not have noticed, but Kubernetes offers the same primitives for implementing authentication and authorization with Service Accounts, Roles and RoleBindings.

Kubernetes as an authentication and authorization server

In Kubernetes, you assign identities using Service Accounts. Users and Pods can use those identities as a mechanism to authenticate to the API and issue requests. Service Accounts are then linked to Roles that grant access to resources. If a Role grants access to create and delete Pods, you won't be able to amend Secrets, or create ConfigMaps - for example.

Could you use Service Accounts as a mechanism to authenticate requests between apps in the cluster? What if the Kubernetes API could be used as an Authentication and Authorisation server?
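The three duties listed above for an authentication and authorisation server (authenticate the caller, generate a token with limited scope, validity and audience, validate it) can be seen in a small added example; it is not code from the original article, Keycloak, Dex or Kubernetes. The HMAC-signed token format, the signing key, the client registry and the service names `backend`, `data-store` and `billing` are all assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json, time

SIGNING_KEY = b"constructed-demo-signing-key"    # constructed; known only to the auth server
CLIENTS = {"backend": "constructed-api-secret"}  # constructed caller registry (API key -> secret)

def _sign(payload: bytes) -> str:
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def issue_token(caller, secret, audience, scope, ttl=300, now=None):
    """Duties 1 and 2: authenticate the caller, then mint a short-lived, audience-bound token."""
    expected = CLIENTS.get(caller, "")
    if not expected or not hmac.compare_digest(expected.encode(), secret.encode()):
        raise PermissionError("unknown caller or bad secret")
    now = time.time() if now is None else now
    claims = {"sub": caller, "aud": audience, "scope": scope, "exp": now + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return payload.decode() + "." + _sign(payload)

def validate_token(token, audience, scope, now=None):
    """Duty 3: return the caller's identity, or raise if the token is not legit for this service."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    if not hmac.compare_digest(_sign(payload.encode()).encode(), sig.encode()):
        raise PermissionError("bad signature")   # checked before any claim is trusted
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    if claims["aud"] != audience:
        raise PermissionError("token issued for another service")
    if scope not in claims["scope"]:
        raise PermissionError("scope not granted")
    return claims["sub"]

def outcome(token, audience, scope, now):
    """Validation result as a string, so the failure modes are easy to compare."""
    try:
        return "ok:" + validate_token(token, audience, scope, now)
    except PermissionError as err:
        return "denied:" + str(err)

if __name__ == "__main__":
    t = issue_token("backend", "constructed-api-secret", "data-store", ["read"], now=1000)
    print(outcome(t, "data-store", "read", 1100))   # accepted by the intended service
    print(outcome(t, "billing", "read", 1100))      # same token replayed to another service
    print(outcome(t, "data-store", "read", 1300))   # same token after its validity ends
```

A static token that never expires, the first option in the list, has no `exp` or `aud` to check, so a leaked copy would pass every one of these calls.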





