3. Authorization - Access Control
● ABAC (Attribute-Based Access Control)
○ Specifies every access control rule by attribute.
4. Authorization - Access Control
● RBAC (Role-Based Access Control)
○ Specifies every access control rule by role.
5. Kubernetes Account Type
                User Account        Service Account
Identifier      User                Process (run in Pod)
Scope           Global              By namespace, process
Config          Simple              Much more complex
6. How to create Service Account
● Service Account:
○ Backed by a set of "SECRET"s.
● Create by command
○ kubectl create serviceaccount jenkins
● Create by yaml
○ serviceaccount.yaml:
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: build-robot
○ kubectl create -f /tmp/serviceaccount.yaml
  serviceaccounts/build-robot   (command output)
7. SECRET
● Object for storing sensitive data:
○ OAuth tokens, SSH keys.
● Used by:
○ Pod:
■ One pod can be assigned multiple secrets
○ Service Account:
■ One service account owns multiple secrets
○ Image Pull
■ imagePullSecrets references a Secret used to log in to a private Docker registry.
● How to use it:
○ Consume it as "Environment Variables"
○ Consume it as a "Secret Mount" (volume)
8. Secret: Prepare secret
● Secret File: (my_password_secret.yaml)
  apiVersion: v1
  kind: Secret
  metadata:
    name: mysecret
  type: Opaque
  data:
    password: MWYyZDFlMmU2N2Rm   # base64 of 1f2d1e2e67df
    username: YWRtaW4=           # base64 of admin
● How to use it:
○ Put it into the system:
■ kubectl create -f ./secret.yaml
9. Secret: Use Case - Environment Variable
● Pod File: (pod_with_secret.yaml)
● How to use it:
○ Put it into system:
■ kubectl create -f ./pod_with_secret.yaml
10. Secret: Use Case - Secret Volume
● Pod File: (secret_volumn.json)
● How to use it:
○ Put it into system:
■ kubectl create -f ./secret_volumn.json
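The pod manifests referenced on slides 9 and 10 are not reproduced here, so the following is an added example (not from the original slides) showing one Pod that consumes mysecret from slide 8 both ways: as environment variables and as a read-only volume. The pod name, container image and the env/file names are assumptions; it also runs under the build-robot service account from slide 6 with its token automount disabled, since the app does not talk to the API server.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-demo                  # assumed name
spec:
  serviceAccountName: build-robot    # service account from slide 6
  automountServiceAccountToken: false  # no API token mounted unless needed
  containers:
  - name: app
    image: busybox:1.36              # assumed image
    command: ["sh", "-c", "ls -l /etc/secret && sleep 3600"]
    env:
    # Use case 1: each key of the Secret becomes one environment variable
    - name: APP_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret             # Secret from slide 8
          key: username
    - name: APP_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
    volumeMounts:
    # Use case 2: the Secret is mounted as files under /etc/secret
    - name: secret-vol
      mountPath: /etc/secret
      readOnly: true
  volumes:
  - name: secret-vol
    secret:
      secretName: mysecret
      defaultMode: 0400              # files readable only by the owner
      items:
      - key: password                # only expose the keys the app needs
        path: db-password            # decoded value lands in /etc/secret/db-password
```

Values injected as environment variables are visible to anyone who can run kubectl exec or inspect the container, and they can leak through crash dumps and logs; the volume form with defaultMode and a key allow-list limits that exposure.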
11. Authentication: httpd
Refer to walkthrough:
https://github.com/aledbf/contrib/blob/6d61ea81bb0bdbbc115cd6a6e9c59ef653afb213/ingress/controllers/nginx/examples/auth/README.md
12. OAuth Server List
● Go: OpenID Connect Identity (OIDC) and OAuth 2.0 Provider with
Pluggable Connectors
● Go: Auth Boss
● Go: OAuth2
● Go: Docker registry oauth server
● Ruby: OAuth server with UI management system