What does authorization answer in Kubernetes after a user has been authenticated?
Authorization answers what actions that user or process is allowed to perform in the cluster after access has already been granted.
Why is authorization necessary in a Kubernetes cluster?
Authorization is necessary because different users and applications should have different levels of access instead of everyone having full administrator privileges.
What kinds of actions might a cluster administrator be able to perform that should not be given to every user?
An administrator may be able to view, create, update and delete cluster resources, and also change node, storage and networking related configuration.
Why should developers usually have limited permissions compared to cluster administrators?
Developers may need to deploy and view applications but usually should not be allowed to modify critical cluster infrastructure such as nodes, storage or networking.
How can authorization help when multiple teams share one cluster using namespaces?
Authorization can restrict users so they can work only inside their own namespaces and not affect workloads or resources belonging to other teams.
Which Kubernetes component evaluates authorization for requests coming into the cluster?
The kube API server evaluates authorization for requests after authenticating them.
What authorization mechanism is used for kubelets or nodes inside the cluster?
The node authorizer is used for kubelets and other node related requests coming from identities that belong to the system:nodes group.
What identity pattern must a kubelet follow for the node authorizer to recognize it properly?
A kubelet should use a username prefixed with system:node: and belong to the system:nodes group.
What is attribute based access control in Kubernetes?
Attribute based access control maps a user or group directly to a set of permissions through policy definitions.
Why is attribute based access control considered difficult to manage?
It is difficult to manage because policy files must be edited manually and the kube API server must be restarted when changes are made.
What is the core idea of role based access control in Kubernetes?
Role based access control defines permissions in roles and then assigns users or groups to those roles instead of attaching permissions directly to each user.
Why is role based access control easier to manage than attribute based access control?
It is easier because you can change the permissions in one role and all users bound to that role receive the updated access immediately.
What is the purpose of the webhook authorization mode?
Webhook authorization lets Kubernetes send authorization decisions to an external system such as Open Policy Agent which decides whether the request should be allowed.
What do the AlwaysAllow and AlwaysDeny authorization modes do?
AlwaysAllow approves every request without checks and AlwaysDeny rejects every request.
How do you configure authorization modes on the kube API server?
Authorization modes are configured using the --authorization-mode option on the kube API server.
What is the default authorization mode if none is explicitly configured according to the lecture?
The default authorization mode is AlwaysAllow.
Can Kubernetes use multiple authorization modes at the same time?
Yes, Kubernetes can use multiple authorization modes by listing them in order as a comma separated chain.
How does Kubernetes evaluate requests when multiple authorization modes are configured?
Kubernetes checks the request against each mode in order and if one authorizer approves the request the checking stops and access is granted.
What happens when one authorization module denies a request in a multi-mode chain?
The request is passed to the next authorization module in the chain for evaluation.
In the lecture example with node, RBAC and webhook configured, why would a normal user request move past the node authorizer?
The node authorizer mainly handles node related identities so a normal user request would not match it and would continue to the next authorizer such as RBAC.
Which authorization mechanism is presented in the lecture as the standard and most manageable built in approach?
Role based access control is presented as the standard and more manageable built in authorization approach.