Kubernetes Authentication and Authorization System
Supported Versions: Kubernetes 1.31, 1.32, 1.33 Last Updated: February 19, 2026
Overview
Kubernetes' Authentication and Authorization system is a core element of cluster security. This document provides a detailed look at Kubernetes authentication and authorization mechanisms and explains how to configure them in real-world environments.
Authentication
Authentication is the process of verifying that a user or service is who they claim to be. Kubernetes supports multiple authentication methods, and these can be enabled simultaneously.
Authentication Strategies
1. X.509 Certificates
X.509 certificates are the most common authentication method in Kubernetes. Client certificates must be signed by the cluster's Certificate Authority (CA).
Certificate Generation Example:
# Generate private key
openssl genrsa -out john.key 2048
# Generate Certificate Signing Request (CSR)
openssl req -new -key john.key -out john.csr -subj "/CN=john/O=engineering"
# Sign CSR with Kubernetes CA
openssl x509 -req -in john.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out john.crt -days 365kubeconfig Configuration:
apiVersion: v1
kind: Config
clusters:
- name: my-cluster
cluster:
certificate-authority-data: <BASE64_ENCODED_CA_CERT>
server: https://kubernetes.example.com
users:
- name: john
user:
client-certificate-data: <BASE64_ENCODED_CLIENT_CERT>
client-key-data: <BASE64_ENCODED_CLIENT_KEY>
contexts:
- name: john@my-cluster
context:
cluster: my-cluster
user: john
current-context: john@my-cluster2. Service Account Tokens
Service accounts provide identity for processes running inside pods. Each namespace has a default service account, and additional service accounts can be created.
Service Account Creation:
apiVersion: v1
kind: ServiceAccount
metadata:
name: my-service-account
namespace: defaultAssigning Service Account to Pod:
apiVersion: v1
kind: Pod
metadata:
name: my-pod
spec:
serviceAccountName: my-service-account
containers:
- name: my-container
image: nginx3. OpenID Connect (OIDC)
OIDC supports authentication through external identity providers (e.g., Google, Azure AD, Okta).
API Server Configuration Example:
apiVersion: v1
kind: Config
clusters:
- name: my-cluster
cluster:
server: https://kubernetes.example.com
certificate-authority-data: <BASE64_ENCODED_CA_CERT>
users:
- name: oidc-user
user:
auth-provider:
name: oidc
config:
client-id: <CLIENT_ID>
client-secret: <CLIENT_SECRET>
id-token: <ID_TOKEN>
refresh-token: <REFRESH_TOKEN>
idp-issuer-url: https://accounts.google.com
contexts:
- name: oidc-context
context:
cluster: my-cluster
user: oidc-user
current-context: oidc-context4. Webhook Token Authentication
Webhook token authentication validates tokens through an external service.
API Server Configuration:
apiVersion: v1
kind: Config
# ...
authentication:
webhook:
config:
url: https://authn.example.com/authenticate
caCert: <BASE64_ENCODED_CA_CERT>5. Authentication Proxy
An authentication proxy sits in front of the API server to handle authentication.
API Server Configuration:
apiVersion: v1
kind: Config
# ...
authentication:
proxy:
headerName: X-Remote-User
usernameHeaders: ["X-Remote-User"]
groupHeaders: ["X-Remote-Group"]Users and Groups
In Kubernetes, users are classified as follows:
- Regular Users: Managed outside the cluster; Kubernetes does not manage them directly.
- Service Accounts: Accounts managed by the Kubernetes API.
Users can belong to one or more groups, and groups are used in authorization policies.
Authorization
Authorization is the process of verifying whether an authenticated user has permission to perform the requested action. Kubernetes supports multiple authorization modules.
Authorization Modes
1. RBAC (Role-Based Access Control)
RBAC provides role-based access control and is currently the most widely used authorization mechanism in Kubernetes.
Key Concepts:
- Role: Defines permissions within a namespace.
- ClusterRole: Defines cluster-wide permissions.
- RoleBinding: Binds a Role to users, groups, or service accounts.
- ClusterRoleBinding: Binds a ClusterRole to users, groups, or service accounts.
Role Example:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]RoleBinding Example:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: default
subjects:
- kind: User
name: john
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.ioClusterRole Example:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: secret-reader
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]ClusterRoleBinding Example:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: read-secrets-global
subjects:
- kind: Group
name: security-team
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: secret-reader
apiGroup: rbac.authorization.k8s.io2. ABAC (Attribute-Based Access Control)
ABAC provides attribute-based access control. Policies are defined in JSON files.
Policy Example:
{
"apiVersion": "abac.authorization.kubernetes.io/v1beta1",
"kind": "Policy",
"spec": {
"user": "john",
"namespace": "default",
"resource": "pods",
"readonly": true
}
}3. Node Authorization
Node authorization is used when kubelets access the API server.
4. Webhook Authorization
Webhook authorization makes authorization decisions through an external service.
API Server Configuration:
apiVersion: v1
kind: Config
# ...
authorization:
webhook:
config:
url: https://authz.example.com/authorize
caCert: <BASE64_ENCODED_CA_CERT>Authorization Best Practices
- Principle of Least Privilege: Grant only the minimum necessary permissions.
- Role Separation: Grant appropriate permissions based on roles such as administrators, developers, and operators.
- Namespace Separation: Separate namespaces by team or project and grant appropriate permissions.
- Service Account Separation: Use separate service accounts for each application.
- Regular Auditing: Regularly review and update authorization policies.
Admission Control
Admission control performs additional validation and modification before processing requests after authentication and authorization.
Admission Controller Types
- Mutating Admission Controllers: Can modify requests.
- Validating Admission Controllers: Only validate requests without modification.
Key Admission Controllers
- LimitRanger: Sets resource limits for pods and containers.
- ResourceQuota: Limits resource usage per namespace.
- PodSecurityPolicy: Restricts pod security contexts.
- ServiceAccount: Automatically assigns service accounts to pods.
- DefaultStorageClass: Sets the default storage class.
Dynamic Admission Control
Dynamic admission control is implemented through webhooks:
- MutatingAdmissionWebhook: Can modify requests.
- ValidatingAdmissionWebhook: Only validates requests without modification.
Webhook Configuration Example:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: pod-policy-webhook
webhooks:
- name: pod-policy.example.com
clientConfig:
url: https://pod-policy.example.com/validate
caBundle: <BASE64_ENCODED_CA_CERT>
rules:
- apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
operations: ["CREATE", "UPDATE"]
scope: "Namespaced"
admissionReviewVersions: ["v1"]
sideEffects: None
timeoutSeconds: 5Practical Implementation Examples
Authentication and Authorization Configuration in EKS
IAM and RBAC Integration
Amazon EKS integrates AWS IAM with Kubernetes RBAC to provide authentication and authorization.
aws-auth ConfigMap:
apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
data:
mapRoles: |
- rolearn: arn:aws:iam::123456789012:role/EKSAdminRole
username: admin
groups:
- system:masters
- rolearn: arn:aws:iam::123456789012:role/EKSDeveloperRole
username: developer
groups:
- developers
mapUsers: |
- userarn: arn:aws:iam::123456789012:user/john
username: john
groups:
- developersOIDC Provider Configuration
# Create OIDC provider
eksctl utils associate-iam-oidc-provider \
--cluster my-cluster \
--approve
# Create IAM role and associate with service account
eksctl create iamserviceaccount \
--name my-service-account \
--namespace default \
--cluster my-cluster \
--attach-policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess \
--approveMulti-tenant Cluster Security
In multi-tenant environments, isolation between tenants is important.
Namespace Isolation:
apiVersion: v1
kind: Namespace
metadata:
name: tenant-a
labels:
tenant: a
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-from-other-namespaces
namespace: tenant-a
spec:
podSelector: {}
ingress:
- from:
- namespaceSelector:
matchLabels:
tenant: aResource Quotas:
apiVersion: v1
kind: ResourceQuota
metadata:
name: tenant-a-quota
namespace: tenant-a
spec:
hard:
pods: "10"
requests.cpu: "4"
requests.memory: 8Gi
limits.cpu: "8"
limits.memory: 16GiSecurity Best Practices
- Regular Certificate Rotation: Renew certificates regularly.
- Disable Service Account Token Auto-mount: Disable automatic service account token mounting when not needed.
- Minimize RBAC Policies: Grant only the minimum necessary permissions.
- Implement Network Policies: Restrict communication between pods.
- Enable Audit Logging: Log and monitor all API requests.
- Configure Security Contexts: Properly configure security contexts for pods and containers.
- Image Scanning: Regularly scan container images for vulnerabilities.
Conclusion
Kubernetes' authentication and authorization system is a core element of cluster security. By selecting appropriate authentication methods, implementing fine-grained access control through RBAC, and applying additional security policies using admission controllers, you can build a secure Kubernetes environment.
Authentication, authorization, and admission control complement each other, and it is important to use them together to implement a Defense in Depth strategy.