Authentication vs Authorization: What’s the Difference (Kubernetes)

Authentication:
Let’s start with the different types of users who will be trying to access the cluster (we will use a Kubernetes cluster as the example).
Type of Users:
- Admins
- Developers
- Bots – Service accounts
So, basically, authentication is the way to identify and verify a user or service account.
In Kubernetes, users are authenticated by the API server (the request comes either from kubectl or from a direct API call). There are different types of authentication mechanisms:
- Static password file (a list of username/password pairs in a file)
- Static token file
- Certificates
- LDAP or AD via external services
For example, if we take the “list of username/password in a file” mechanism, a user who presents the correct username and password pair is authenticated and allowed to access the cluster. That step is called authentication.
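As an added example (not code from the original post, and not the Kubernetes API server’s own Go implementation), here is a small Python model of the static token file mechanism listed above. The file layout follows the format Kubernetes documents for static token files, `token,user,uid,"group1,group2"`, with the groups column optional; every token, user and group below is a constructed sample. The point it shows is that authentication only turns a presented credential into an identity (name, uid, groups); it says nothing yet about what that identity may do.

```python
import csv
import hmac
import io
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the static-token-file format Kubernetes documents:
#   token,user,uid,"group1,group2"   (the groups column is optional)
# None of these tokens or users are real.
TOKEN_FILE = """\
31ada4fd-adec-460c-809a-9e56ceb75269,alice,u-1001,"system:masters"
9f2b1c7e-example-dev-token,bob,u-1002,"developers"
d3adb33f-example-bot-token,reporter-bot,u-2001
"""


@dataclass
class UserInfo:
    """The identity authentication produces: who the caller is, not what they may do."""
    name: str
    uid: str
    groups: List[str] = field(default_factory=list)


def load_token_file(text: str) -> Dict[str, UserInfo]:
    """Parse the CSV token file into a token -> identity map.

    The real API server reads this file once at start-up, so rotating a token
    means editing the file and restarting the server.
    """
    users: Dict[str, UserInfo] = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        if len(row) < 3:
            raise ValueError(f"malformed token line: {row!r}")
        token, name, uid = row[0], row[1], row[2]
        # csv already stripped the quotes around "g1,g2"; split the groups out.
        groups = [g for g in row[3].split(",") if g] if len(row) > 3 else []
        users[token] = UserInfo(name, uid, groups)
    return users


def authenticate(users: Dict[str, UserInfo], authorization_header: str) -> Optional[UserInfo]:
    """Map an HTTP Authorization header to an identity, or None if it is not valid.

    Clients such as kubectl send the token as "Authorization: Bearer <token>".
    Every stored token is compared in constant time so response timing does
    not reveal how many leading characters of a guess were correct.
    """
    scheme, _, presented = authorization_header.partition(" ")
    if scheme != "Bearer" or not presented:
        return None
    match: Optional[UserInfo] = None
    for token, info in users.items():
        if hmac.compare_digest(token.encode(), presented.encode()):
            match = info
    return match


if __name__ == "__main__":
    table = load_token_file(TOKEN_FILE)
    for header in ("Bearer 9f2b1c7e-example-dev-token", "Bearer not-a-real-token", "Basic abc"):
        print(f"{header!r:45} -> {authenticate(table, header)}")
```

Unknown tokens and non-Bearer schemes are rejected outright; a valid token yields the user name and group list that the authorization step, described in the next section, will consume.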
Authorization:
We saw how users gain access to a cluster (authentication). What they are allowed to do once they have access is called authorisation.
Why we need authorisation: let’s take the same set of users.
Type of Users:
- Admins
- Developers
- Bots – Service accounts
Let’s say admins are allowed to perform any operation in the cluster (pod creation and deletion, node creation and deletion). But soon others need to access the cluster as well, so we need to limit the privileges given to the other users.
- Developers – only create and delete pods (owned by them) and get details about running pods.
- Bots – read-only access to information.
Below are the mechanisms by which we can achieve authorisation in Kubernetes:
- Node authorizer – used for requests from the kubelet (within the cluster)
- ABAC: attribute-based authorization (for external users)
- RBAC: role-based authorization (roles are bound to users, and each role lists the actions it permits)
- Webhook – a third-party agent for authorization
With the above mechanisms we can limit user privileges based on “who can access what”, and that is called authorisation.
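As an added example (not code from the original post, and a simplified model rather than the Kubernetes RBAC authorizer itself), here is a Python evaluation of RBAC-style rules for the three user types above. It keeps the shape of Kubernetes objects: a role carries rules over apiGroups, resources and verbs; a binding ties a role to subjects, and a namespaced binding only grants access inside its own namespace while a cluster-wide binding grants it everywhere. The user, group and namespace names are constructed. One caveat it makes visible: RBAC cannot express “pods owned by them”, since rules match on resource and verb, not on who created an object, so the developer restriction is approximated the usual way, with a namespace per team.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Rule:
    api_groups: Set[str]   # "" is the core API group (pods, nodes, ...); "*" matches all
    resources: Set[str]
    verbs: Set[str]


@dataclass
class Role:
    name: str
    rules: List[Rule]


@dataclass
class Binding:
    role: Role
    subjects: Set[str]          # "user:<name>" or "group:<name>"
    namespace: Optional[str]    # None models a ClusterRoleBinding (cluster-wide)


@dataclass
class Request:
    user: str
    groups: List[str]
    verb: str
    resource: str
    namespace: Optional[str]    # None for cluster-scoped resources such as nodes
    api_group: str = ""


def _rule_matches(rule: Rule, req: Request) -> bool:
    return (("*" in rule.api_groups or req.api_group in rule.api_groups)
            and ("*" in rule.resources or req.resource in rule.resources)
            and ("*" in rule.verbs or req.verb in rule.verbs))


def authorize(bindings: List[Binding], req: Request) -> bool:
    """Deny by default: allow only if some applicable binding has a matching rule."""
    subjects = {f"user:{req.user}"} | {f"group:{g}" for g in req.groups}
    for b in bindings:
        if not (b.subjects & subjects):
            continue                      # binding is not about this caller
        if b.namespace is not None and b.namespace != req.namespace:
            continue                      # namespaced binding does not reach here
        if any(_rule_matches(r, req) for r in b.role.rules):
            return True
    return False


# Constructed roles and bindings mirroring the three user types in the text.
ANY = Rule({"*"}, {"*"}, {"*"})
BINDINGS = [
    # Admin: everything, everywhere (like the built-in cluster-admin ClusterRole).
    Binding(Role("cluster-admin", [ANY]), {"user:alice"}, namespace=None),
    # Developers: manage pods, but only inside their team's namespace.
    Binding(Role("pod-manager", [Rule({""}, {"pods"}, {"create", "delete", "get", "list"})]),
            {"group:developers"}, namespace="team-a"),
    # Bot: read-only view of pods and nodes across the cluster.
    Binding(Role("viewer", [Rule({""}, {"pods", "nodes"}, {"get", "list", "watch"})]),
            {"user:reporter-bot"}, namespace=None),
]


def decide(user: str, groups: List[str], verb: str, resource: str,
           namespace: Optional[str] = None) -> bool:
    """Convenience wrapper: is this caller allowed this verb on this resource?"""
    return authorize(BINDINGS, Request(user, groups, verb, resource, namespace))


if __name__ == "__main__":
    checks = [
        ("alice", [], "delete", "nodes", None),
        ("bob", ["developers"], "create", "pods", "team-a"),
        ("bob", ["developers"], "create", "pods", "team-b"),
        ("bob", ["developers"], "delete", "nodes", None),
        ("reporter-bot", [], "list", "pods", "team-b"),
        ("reporter-bot", [], "delete", "pods", "team-b"),
    ]
    for user, groups, verb, resource, ns in checks:
        print(f"{user:13} {verb:7} {resource:6} ns={ns!s:7} -> {'allow' if decide(user, groups, verb, resource, ns) else 'deny'}")
```

The same identity that authentication produced (name plus groups) is the only input on the subject side; everything else is policy. Note that “deny” is the result whenever no rule matches, which is why a developer bound in `team-a` gets nothing in `team-b` and nothing on cluster-scoped resources such as nodes.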