Identity and Access Management (IAM)

Let's go over identity and access management in Kubernetes.

Let's now look at some ways of controlling user access to Kubernetes.

Securing Kubernetes with RBAC

Controlling user access to Kubernetes is important in any production environment. Fortunately, Kubernetes has a robust RBAC subsystem that integrates with existing IAM providers such as Active Directory, other LDAP systems, and cloud-based IAM solutions.

Most organizations already have a centralized IAM provider that’s integrated with company HR systems to simplify employee lifecycle management.

Fortunately, Kubernetes leverages existing IAM providers instead of implementing its own. This means new employees get an identity in the corporate IAM database, and assuming we make them members of the appropriate groups, they will automatically get permissions in Kubernetes. Likewise, when the employee leaves the organization, an HR process will automatically remove their identity from the IAM database, and their Kubernetes access will cease.

RBAC has been a stable Kubernetes feature since v1.8 and we should leverage its full capabilities.

Managing Remote SSH access to cluster nodes

We’ll do almost all Kubernetes administration via REST calls to the API server. This means users should rarely need remote SSH access to Kubernetes cluster nodes. In fact, remote SSH access to cluster nodes should only be for the following types of activity:

  • Node management activities that we cannot perform via the Kubernetes API

  • Break the Glass activities, such as when the API server is down

  • Deep troubleshooting

Multi-factor authentication (MFA)

With great power comes great responsibility.

Accounts with root access to the API server and root access to cluster nodes are extremely powerful and are prime targets for attackers and disgruntled employees. As such, we should protect their use via multi-factor authentication (MFA). This is where a user has to input a username and password, followed by a second stage of authentication. For example:

  • Stage 1: Tests knowledge of a username and password

  • Stage 2: Tests possession of something like a one-time password

We should also secure access to workstations and user profiles that have kubectl installed.

Get hands-on with 1400+ tech skills courses.