18. Cafe: Kubernetes authentication and authorization with user management and RBAC
We are learning how to deploy Kubernetes into Hetzner cloud in this series:
- Provisioned the server and agent VMs with Terraform and Ansible in the first session
- Deployed k3s last week
- Learned about pods and the Hetzner load balancer
- Set up an ingress controller to save on load balancer costs
We’ll take a break from deploying a Kubernetes cluster this week, and get to know Kubernetes user authentication and authorization from Niclas Mietz.
- Authentication with kubectl in general
- Creating X509 Client Cert for Authentication
- Use of the X509 Client Cert with kubectl
- Role-based access control (RBAC) with Kubernetes, docs
  - A role with the Cluster prefix (ClusterRole) is cluster-wide, while a RoleBinding is scoped to a single namespace, docs.
- Switching the Authentication Strategy from X509 Client Cert to OpenID Connect
- Using OpenID tokens, and using Identity Providers (IDPs), docs
- Using GitLab as OpenID Connect identity provider (IdP)
- Kubernetes Authentication Through Dex as OpenID Proxy
- Start to configure the k3s API Server with
- Steps for repeating the setup
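To make the scope distinction from the RBAC point concrete, here is an added example (not from the session or the k3s project) assuming a user whose X509 client certificate has CN=jane and a namespace called dev: the ClusterRole defines the rules cluster-wide, but binding it with a RoleBinding limits jane to the dev namespace, whereas a ClusterRoleBinding would grant the same rules everywhere.

```yaml
# ClusterRole: the rule set is defined cluster-wide (no namespace field).
# On its own it grants nothing; permissions only exist once it is bound.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader
rules:
- apiGroups: [""]          # core API group
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
# RoleBinding: namespaced. Even though it references a ClusterRole, the
# subject only receives pod-reader permissions inside the "dev" namespace.
# The subject name must match the CN of the X509 client certificate
# ("jane" is an assumed example value).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jane-reads-pods
  namespace: dev
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# Contrast: a ClusterRoleBinding to the same ClusterRole grants the
# permission in every namespace. Use it only when that is really intended,
# for example for a cluster operator group.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ops-read-all-pods
subjects:
- kind: Group
  name: ops-team      # assumed group name; groups come from the cert's O= fields
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Verify the effective scope after applying the manifests with `kubectl auth can-i list pods --as jane -n dev` (yes) versus `kubectl auth can-i list pods --as jane -n kube-system` (no).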
Next week, we’ll look into:
- OpenID Connect setup of the API server with Dex and GitLab, continued.
- Hetzner storage volumes
Future ideas include monitoring with Prometheus, GitLab CI/CD deployments and much more :)
Enjoy the session! 🦊