1
Q
What kind of Authorization is supported by Kubernetes?
A
- Node
- Attribute based access control
- role based access control
- webhook
2
Q
What is Node Authorization?
A
- Node Authorizer handels communication from kubelet with the kube apiserver
- everyone part of the SYSTEM:NODES group is handled by the node authorizer
- access within the cluster
3
Q
What is Attribute based Authorization?
A
- a user or a group of users receives a set of permissions
- i.e. dev-user can view/create/delete pods
- implemented through a policy file, with a set of policies defined in a JSON format
- that file is passed into the kube apiserver
{"kind": "Policy", "spec": {"user": "dev-user", "namespace": "*", "resource": "pods", "apiGroup": "*"}}
4
Q
What is a disadvantage of the abac approach?
A
- difficult to manage
- everytime something changes, the files need to be manually changed and the kube apiserver restarted
5
Q
What is Role based Authorization?
A
- a role is created with a set of permissions required for that role
- then the users/groups are associated with that role
- whenever a change needs to be made, only the role needs to be changed
6
Q
What is Webhook Authorization?
A
- used for authorization through external/third party solutions
- kubernetes makes an api request to the open policy agent with information about the user and his access requirement
7
Q
What additional Authorization Modes are available?
A
- always allow
- always deny
-> no authorization checks are applied
8
Q
How do you set the Authorization mode?
A
via –authorization-mode=…
on the kube api server
If not specified, set to always allowed
9
Q
How many Authorization modes can be set for a kube apiserver?
A
Multiple modes in comma separated list
10
Q
What happens, when you have multiple authrization modes configured for a kuber apiserver?
A
- request is authorized using each mode, in the specified order
- whenever a module denies a request, the request is forwarded to the next one in the chain
- as soon as a module approves the request no more checks are done
11
Q
A
CKAD Preparation
flashcards
Decks in class (35)
# Cards
-
Recap Core Concepts30
-
Configuration15
-
Config - ConfigMaps11
-
Config - Secrets13
-
Config - Security in Docker6
-
Config - Security Kontext8
-
Config - Service Accounts18
-
Config - Resource Requirements19
-
Config - Taints and Tolerations13
-
Config - Node Selectors4
-
Config - Node Affinity12
-
Multi-Container Pods13
-
Observability - Readiness Probes7
-
Observability - Liveness Probes5
-
Observability - Container Logging3
-
Observability - Monitor and Debug Applications7
-
POD Design - Labels, Selectors, Annotations7
-
POD Design - Rolling Updates & Rollbacks in Deployments4
-
POD Design - Deployment Strategies8
-
POD Design - Jobs and Cron Jobs17
-
S&N - Services and Ingress17
-
S&N Network Policies13
-
State Persistence - Volumes17
-
Optional - Storage Classes, StatefulSets13
-
Security - Authentication, Authorization, Admission Control11
-
Security - KubeConfig14
-
Security - API Groups7
-
Security Authorization11
-
Security - Role Based Access Control12
-
Security - Admission Controllers14
-
Security - API Versions13
-
Security - Custom Resource Definition & Custom Controllers11
-
Helm - Introduction and Concepts16
-
Testfragen3
-
Kustomize9
