Identity and Access Management (IAM)

Let's go over identity and access management in Kubernetes and look at some ways of controlling user access to a cluster.

Introduction

Controlling user access to Kubernetes is important in any production environment. Fortunately, Kubernetes has a robust RBAC subsystem that integrates with existing IAM providers such as Active Directory, other LDAP systems, and cloud-based IAM solutions.

Most organizations already have a centralized IAM provider that’s integrated with company HR systems to simplify employee lifecycle management.

Kubernetes leverages existing IAM providers instead of implementing its own. This means new employees get an identity in the corporate IAM database and, assuming we make them members of the appropriate groups, they will automatically get permissions in Kubernetes. Likewise, when an employee leaves the organization, an HR process will automatically remove their identity from the IAM database, and their Kubernetes access will cease.

RBAC has been a stable Kubernetes feature since v1.8 and we should leverage its full capabilities.
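As an added illustration (not part of the original lesson), here is how group membership from the IAM provider can translate into Kubernetes permissions. It assumes the API server authenticates users through OIDC; the namespace `payments`, the group `payments-developers`, the `oidc:` prefix and the issuer URL are hypothetical names chosen for the example.

```yaml
# Added example. All names (namespace, group, prefix, issuer URL) are
# assumptions made for illustration, not values from the lesson.
#
# The API server learns group membership from a token claim, configured
# with kube-apiserver flags such as:
#   --oidc-issuer-url=https://idp.example.com
#   --oidc-client-id=kubernetes
#   --oidc-username-claim=email
#   --oidc-groups-claim=groups
#   --oidc-groups-prefix=oidc:
---
# Least-privilege Role: read access to common workload objects and
# write access to Deployments only. Secrets are deliberately not listed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: payments
  name: app-developer
rules:
  - apiGroups: ["", "apps"]
    resources: ["pods", "pods/log", "deployments", "services", "configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["create", "update", "patch"]
---
# The binding names the IAM group, never an individual user, so joiners
# and leavers are handled entirely in the IAM provider.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: payments
  name: payments-developers-binding
subjects:
  - kind: Group
    name: "oidc:payments-developers"   # prefix + group claim value
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: app-developer
  apiGroup: rbac.authorization.k8s.io
```

To check the result without logging in as a real user, an administrator can impersonate the group, for example `kubectl auth can-i get secrets --namespace payments --as=test-user --as-group=oidc:payments-developers`, which should answer `no` for this Role.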

Managing remote SSH access to cluster nodes

We’ll do almost all Kubernetes administration via REST calls to the API server. This means users should rarely need remote SSH access to Kubernetes cluster nodes. In fact, remote SSH access to cluster nodes should be reserved for the following types of activity:

  • Node management activities that we cannot perform via the Kubernetes API

  • Break-glass activities, such as when the API server is down

  • Deep troubleshooting

Multi-factor authentication (MFA)

With great power comes great responsibility.

Accounts with root access to the API server and root access to cluster nodes are extremely powerful and are prime targets for attackers and disgruntled employees. As such, we should protect their use via multi-factor authentication (MFA). This is where a user has to input a username and password, followed by a second stage of authentication. For example:

  • Stage 1: Tests knowledge of a username and password

  • Stage 2: Tests possession of something like a one-time password

We should also secure access to workstations and user profiles that have kubectl installed.
