From 78351ecaf5e57c1c0d3a8160ab847b8d1d470624 Mon Sep 17 00:00:00 2001 From: Tim Bannister Date: Tue, 13 Oct 2020 00:41:38 +0100 Subject: [PATCH] =?UTF-8?q?Transfer=20=E2=80=9CControlling=20Access=20to?= =?UTF-8?q?=20the=20Kubernetes=20API=E2=80=9D=20to=20the=20Concepts=20sect?= =?UTF-8?q?ion?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Readers from several different backgrounds will find it useful to know about how Kubernetes controls access to its API. Promote this overview to the Security subsection of Concepts. --- .../concepts/cluster-administration/_index.md | 2 +- .../docs/concepts/extend-kubernetes/_index.md | 2 +- .../extend-kubernetes/extend-cluster.md | 2 +- .../docs/concepts/overview/kubernetes-api.md | 2 +- .../concepts/policy/pod-security-policy.md | 18 ++-- .../security}/controlling-access.md | 91 +++++++++++-------- content/en/docs/concepts/security/overview.md | 4 +- .../reference/access-authn-authz/_index.md | 26 +++++- .../access-authn-authz/authorization.md | 2 +- content/en/docs/reference/using-api/_index.md | 3 + .../access-cluster.md | 5 +- .../administer-cluster/access-cluster-api.md | 5 +- static/_redirects | 4 +- 13 files changed, 107 insertions(+), 59 deletions(-) rename content/en/docs/{reference/access-authn-authz => concepts/security}/controlling-access.md (58%) diff --git a/content/en/docs/concepts/cluster-administration/_index.md b/content/en/docs/concepts/cluster-administration/_index.md index e35c8e0ebc..c3cbbe46ba 100644 --- a/content/en/docs/concepts/cluster-administration/_index.md +++ b/content/en/docs/concepts/cluster-administration/_index.md @@ -51,7 +51,7 @@ Before choosing a guide, here are some considerations: * [Kubernetes Container Environment](/docs/concepts/containers/container-environment/) describes the environment for Kubelet managed containers on a Kubernetes node. -* [Controlling Access to the Kubernetes API](/docs/reference/access-authn-authz/controlling-access/) describes how to set up permissions for users and service accounts. +* [Controlling Access to the Kubernetes API](/docs/concepts/security/controlling-access) describes how Kubernetes implements access control for its own API. * [Authenticating](/docs/reference/access-authn-authz/authentication/) explains authentication in Kubernetes, including the various authentication options. diff --git a/content/en/docs/concepts/extend-kubernetes/_index.md b/content/en/docs/concepts/extend-kubernetes/_index.md index 4ffb0a831f..429912a9ed 100644 --- a/content/en/docs/concepts/extend-kubernetes/_index.md +++ b/content/en/docs/concepts/extend-kubernetes/_index.md @@ -130,7 +130,7 @@ Adding an API does not directly let you affect the behavior of existing APIs (e. ### API Access Extensions -When a request reaches the Kubernetes API Server, it is first Authenticated, then Authorized, then subject to various types of Admission Control. See [Controlling Access to the Kubernetes API](/docs/reference/access-authn-authz/controlling-access/) for more on this flow. +When a request reaches the Kubernetes API Server, it is first Authenticated, then Authorized, then subject to various types of Admission Control. See [Controlling Access to the Kubernetes API](/docs/concepts/security/controlling-access/) for more on this flow. Each of these steps offers extension points. diff --git a/content/en/docs/concepts/extend-kubernetes/extend-cluster.md b/content/en/docs/concepts/extend-kubernetes/extend-cluster.md index 76c72e74e4..d70f5cc9ff 100644 --- a/content/en/docs/concepts/extend-kubernetes/extend-cluster.md +++ b/content/en/docs/concepts/extend-kubernetes/extend-cluster.md @@ -131,7 +131,7 @@ Adding an API does not directly let you affect the behavior of existing APIs (e. ### API Access Extensions -When a request reaches the Kubernetes API Server, it is first Authenticated, then Authorized, then subject to various types of Admission Control. See [Controlling Access to the Kubernetes API](/docs/reference/access-authn-authz/controlling-access/) for more on this flow. +When a request reaches the Kubernetes API Server, it is first Authenticated, then Authorized, then subject to various types of Admission Control. See [Controlling Access to the Kubernetes API](/docs/concepts/security/controlling-access/) for more on this flow. Each of these steps offers extension points. diff --git a/content/en/docs/concepts/overview/kubernetes-api.md b/content/en/docs/concepts/overview/kubernetes-api.md index d3348849e7..528e665407 100644 --- a/content/en/docs/concepts/overview/kubernetes-api.md +++ b/content/en/docs/concepts/overview/kubernetes-api.md @@ -131,7 +131,7 @@ The Kubernetes API can be extended in one of two ways: - Learn how to extend the Kubernetes API by adding your own [CustomResourceDefinition](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/). -- [Controlling API Access](/docs/reference/access-authn-authz/controlling-access/) describes +- [Controlling Access To The Kubernetes API](/docs/concepts/security/controlling-access/) describes how the cluster manages authentication and authorization for API access. - Learn about API endpoints, resource types and samples by reading [API Reference](/docs/reference/kubernetes-api/). diff --git a/content/en/docs/concepts/policy/pod-security-policy.md b/content/en/docs/concepts/policy/pod-security-policy.md index 22cac5f2a2..299d681d1d 100644 --- a/content/en/docs/concepts/policy/pod-security-policy.md +++ b/content/en/docs/concepts/policy/pod-security-policy.md @@ -140,13 +140,17 @@ For a complete example of authorizing a PodSecurityPolicy, see ### Troubleshooting -- The [Controller Manager](/docs/reference/command-line-tools-reference/kube-controller-manager/) must be run -against [the secured API port](/docs/reference/access-authn-authz/controlling-access/), -and must not have superuser permissions. Otherwise requests would bypass -authentication and authorization modules, all PodSecurityPolicy objects would be -allowed, and users would be able to create privileged containers. For more details -on configuring Controller Manager authorization, see -[Controller Roles](/docs/reference/access-authn-authz/rbac/#controller-roles). +- The [controller manager](/docs/reference/command-line-tools-reference/kube-controller-manager/) + must be run against the secured API port and must not have superuser permissions. See + [Controlling Access to the Kubernetes API](/docs/concepts/security/controlling-access) + to learn about API server access controls. + If the controller manager connected through the trusted API port (also known as the + `localhost` listener), requests would bypass authentication and authorization modules; + all PodSecurityPolicy objects would be allowed, and users would be able to create grant + themselves the ability to create privileged containers. + + For more details on configuring controller manager authorization, see + [Controller Roles](/docs/reference/access-authn-authz/rbac/#controller-roles). ## Policy Order diff --git a/content/en/docs/reference/access-authn-authz/controlling-access.md b/content/en/docs/concepts/security/controlling-access.md similarity index 58% rename from content/en/docs/reference/access-authn-authz/controlling-access.md rename to content/en/docs/concepts/security/controlling-access.md index e0273177aa..62dc273cf7 100644 --- a/content/en/docs/reference/access-authn-authz/controlling-access.md +++ b/content/en/docs/concepts/security/controlling-access.md @@ -4,7 +4,6 @@ reviewers: - lavalamp title: Controlling Access to the Kubernetes API content_type: concept -weight: 5 --- @@ -12,7 +11,7 @@ This page provides an overview of controlling access to the Kubernetes API. -Users [access the API](/docs/tasks/access-application-cluster/access-cluster/) using `kubectl`, +Users access the [Kubernetes API](/docs/concepts/overview/kubernetes-api/) using `kubectl`, client libraries, or by making REST requests. Both human users and [Kubernetes service accounts](/docs/tasks/configure-pod-container/configure-service-account/) can be authorized for API access. @@ -21,45 +20,46 @@ following diagram: ![Diagram of request handling steps for Kubernetes API request](/images/docs/admin/access-control-overview.svg) -## Transport Security +## Transport security -In a typical Kubernetes cluster, the API serves on port 443. -The API server presents a certificate. This certificate is -often self-signed, so `$USER/.kube/config` on the user's machine typically -contains the root certificate for the API server's certificate, which when specified -is used in place of the system default root certificate. This certificate is typically -automatically written into your `$USER/.kube/config` when you create a cluster yourself -using `kube-up.sh`. If the cluster has multiple users, then the creator needs to share -the certificate with other users. +In a typical Kubernetes cluster, the API serves on port 443, protected by TLS. +The API server presents a certificate. This certificate may be signed using +a private certificate authority (CA), or based on a public key infrastructure linked +to a generally recognized CA. + +If your cluster uses a private certificate authority, you need a copy of that CA +certifcate configured into your `~/.kube/config` on the client, so that you can +trust the connection and be confident it was not intercepted. + +Your client can present a TLS client certificate at this stage. ## Authentication Once TLS is established, the HTTP request moves to the Authentication step. This is shown as step **1** in the diagram. The cluster creation script or cluster admin configures the API server to run -one or more Authenticator Modules. -Authenticators are described in more detail [here](/docs/reference/access-authn-authz/authentication/). +one or more Authenticator modules. +Authenticators are described in more detail in +[Authentication](/docs/reference/access-authn-authz/authentication/). -The input to the authentication step is the entire HTTP request, however, it typically +The input to the authentication step is the entire HTTP request; however, it typically just examines the headers and/or client certificate. -Authentication modules include Client Certificates, Password, and Plain Tokens, -Bootstrap Tokens, and JWT Tokens (used for service accounts). +Authentication modules include client certificates, password, and plain tokens, +bootstrap tokens, and JSON Web Tokens (used for service accounts). Multiple authentication modules can be specified, in which case each one is tried in sequence, until one of them succeeds. -On GCE, Client Certificates, Password, Plain Tokens, and JWT Tokens are all enabled. - If the request cannot be authenticated, it is rejected with HTTP status code 401. Otherwise, the user is authenticated as a specific `username`, and the user name is available to subsequent steps to use in their decisions. Some authenticators also provide the group memberships of the user, while other authenticators do not. -While Kubernetes uses `usernames` for access control decisions and in request logging, -it does not have a `user` object nor does it store usernames or other information about -users in its object store. +While Kubernetes uses usernames for access control decisions and in request logging, +it does not have a `User` object nor does it store usernames or other information about +users in its API. ## Authorization @@ -101,16 +101,16 @@ If Bob makes a request to write (`create` or `update`) to the objects in the `pr Kubernetes authorization requires that you use common REST attributes to interact with existing organization-wide or cloud-provider-wide access control systems. It is important to use REST formatting because these control systems might interact with other APIs besides the Kubernetes API. -Kubernetes supports multiple authorization modules, such as ABAC mode, RBAC Mode, and Webhook mode. When an administrator creates a cluster, they configured the authorization modules that should be used in the API server. If more than one authorization modules are configured, Kubernetes checks each module, and if any module authorizes the request, then the request can proceed. If all of the modules deny the request, then the request is denied (HTTP status code 403). +Kubernetes supports multiple authorization modules, such as ABAC mode, RBAC Mode, and Webhook mode. When an administrator creates a cluster, they configure the authorization modules that should be used in the API server. If more than one authorization modules are configured, Kubernetes checks each module, and if any module authorizes the request, then the request can proceed. If all of the modules deny the request, then the request is denied (HTTP status code 403). -To learn more about Kubernetes authorization, including details about creating policies using the supported authorization modules, see [Authorization Overview](/docs/reference/access-authn-authz/authorization/). +To learn more about Kubernetes authorization, including details about creating policies using the supported authorization modules, see [Authorization](/docs/reference/access-authn-authz/authorization/). -## Admission Control +## Admission control -Admission Control Modules are software modules that can modify or reject requests. -In addition to the attributes available to Authorization Modules, Admission -Control Modules can access the contents of the object that is being created or modified. +Admission Control modules are software modules that can modify or reject requests. +In addition to the attributes available to Authorization modules, Admission +Control modules can access the contents of the object that is being created or modified. Admission controllers act on requests that create, modify, delete, or connect to (proxy) an object. Admission controllers do not act on requests that merely read objects. @@ -118,26 +118,26 @@ When multiple admission controllers are configured, they are called in order. This is shown as step **3** in the diagram. -Unlike Authentication and Authorization Modules, if any admission controller module +Unlike Authentication and Authorization modules, if any admission controller module rejects, then the request is immediately rejected. In addition to rejecting objects, admission controllers can also set complex defaults for fields. -The available Admission Control Modules are described [here](/docs/reference/access-authn-authz/admission-controllers/). +The available Admission Control modules are described in [Admission Controllers](/docs/reference/access-authn-authz/admission-controllers/). Once a request passes all admission controllers, it is validated using the validation routines for the corresponding API object, and then written to the object store (shown as step **4**). -## API Server Ports and IPs +## API server ports and IPs The previous discussion applies to requests sent to the secure port of the API server (the typical case). The API server can actually serve on 2 ports: By default the Kubernetes API server serves HTTP on 2 ports: - 1. `Localhost Port`: + 1. `localhost` port: - is intended for testing and bootstrap, and for other components of the master node (scheduler, controller-manager) to talk to the API @@ -148,7 +148,7 @@ By default the Kubernetes API server serves HTTP on 2 ports: - request handled by admission control module(s). - protected by need to have host access - 2. `Secure Port`: + 2. “Secure port”: - use whenever possible - uses TLS. Set cert with `--tls-cert-file` and key with `--tls-private-key-file` flag. @@ -158,8 +158,27 @@ By default the Kubernetes API server serves HTTP on 2 ports: - request handled by admission control module(s). - authentication and authorization modules run. -When the cluster is created by `kube-up.sh`, on Google Compute Engine (GCE), -and on several other cloud providers, the API server serves on port 443. On -GCE, a firewall rule is configured on the project to allow external HTTPS -access to the API. Other cluster setup methods vary. +## {{% heading "whatsnext" %}} +Read more documentation on authentication, authorization and API access control: + +- [Authenticating](/docs/reference/access-authn-authz/authentication/) + - [Authenticating with Bootstrap Tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) +- [Admission Controllers](/docs/reference/access-authn-authz/admission-controllers/) + - [Dynamic Admission Control](/docs/reference/access-authn-authz/extensible-admission-controllers/) +- [Authorization](/docs/reference/access-authn-authz/authorization/) + - [Role Based Access Control](/docs/reference/access-authn-authz/rbac/) + - [Attribute Based Access Control](/docs/reference/access-authn-authz/abac/) + - [Node Authorization](/docs/reference/access-authn-authz/node/) + - [Webhook Authorization](/docs/reference/access-authn-authz/webhook/) +- [Certificate Signing Requests](/docs/reference/access-authn-authz/certificate-signing-requests/) + - including [CSR approval](/docs/reference/access-authn-authz/certificate-signing-requests/#approval-rejection) + and [certificate signing](/docs/reference/access-authn-authz/certificate-signing-requests/#signing) +- Service accounts + - [Developer guide](/docs/tasks/configure-pod-container/configure-service-account/) + - [Administration](/docs/reference/access-authn-authz/service-accounts-admin/) + +You can learn about: +- how Pods can use + [Secrets](/docs/concepts/configuration/secret/#service-accounts-automatically-create-and-attach-secrets-with-api-credentials) + to obtain API credentials. diff --git a/content/en/docs/concepts/security/overview.md b/content/en/docs/concepts/security/overview.md index 98776c7199..fe9129c109 100644 --- a/content/en/docs/concepts/security/overview.md +++ b/content/en/docs/concepts/security/overview.md @@ -103,7 +103,7 @@ areas of security concerns and recommendations for securing workloads running in Area of Concern for Workload Security | Recommendation | ------------------------------ | --------------------- | RBAC Authorization (Access to the Kubernetes API) | https://kubernetes.io/docs/reference/access-authn-authz/rbac/ -Authentication | https://kubernetes.io/docs/reference/access-authn-authz/controlling-access/ +Authentication | https://kubernetes.io/docs/concepts/security/controlling-access/ Application secrets management (and encrypting them in etcd at rest) | https://kubernetes.io/docs/concepts/configuration/secret/
https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ Pod Security Policies | https://kubernetes.io/docs/concepts/policy/pod-security-policy/ Quality of Service (and Cluster resource management) | https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/ @@ -147,8 +147,8 @@ Learn about related Kubernetes security topics: * [Pod security standards](/docs/concepts/security/pod-security-standards/) * [Network policies for Pods](/docs/concepts/services-networking/network-policies/) +* [Controlling Access to the Kubernetes API](/docs/concepts/security/controlling-access) * [Securing your cluster](/docs/tasks/administer-cluster/securing-a-cluster/) -* [API access control](/docs/reference/access-authn-authz/controlling-access/) * [Data encryption in transit](/docs/tasks/tls/managing-tls-in-a-cluster/) for the control plane * [Data encryption at rest](/docs/tasks/administer-cluster/encrypt-data/) * [Secrets in Kubernetes](/docs/concepts/configuration/secret/) diff --git a/content/en/docs/reference/access-authn-authz/_index.md b/content/en/docs/reference/access-authn-authz/_index.md index 4e1bff0818..d999e52bf5 100644 --- a/content/en/docs/reference/access-authn-authz/_index.md +++ b/content/en/docs/reference/access-authn-authz/_index.md @@ -1,4 +1,26 @@ --- -title: Accessing the API +title: API Access Control weight: 20 ---- \ No newline at end of file +no_list: true +--- + +For an introduction to how Kubernetes implements and controls API access, +read [Controlling Access to the Kubernetes API](/docs/concepts/security/controlling-access/). + +Reference documentation: + +- [Authenticating](/docs/reference/access-authn-authz/authentication/) + - [Authenticating with Bootstrap Tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) +- [Admission Controllers](/docs/reference/access-authn-authz/admission-controllers/) + - [Dynamic Admission Control](/docs/reference/access-authn-authz/extensible-admission-controllers/) +- [Authorization](/docs/reference/access-authn-authz/authorization/) + - [Role Based Access Control](/docs/reference/access-authn-authz/rbac/) + - [Attribute Based Access Control](/docs/reference/access-authn-authz/abac/) + - [Node Authorization](/docs/reference/access-authn-authz/node/) + - [Webhook Authorization](/docs/reference/access-authn-authz/webhook/) +- [Certificate Signing Requests](/docs/reference/access-authn-authz/certificate-signing-requests/) + - including [CSR approval](/docs/reference/access-authn-authz/certificate-signing-requests/#approval-rejection) + and [certificate signing](/docs/reference/access-authn-authz/certificate-signing-requests/#signing) +- Service accounts + - [Developer guide](/docs/tasks/configure-pod-container/configure-service-account/) + - [Administration](/docs/reference/access-authn-authz/service-accounts-admin/) diff --git a/content/en/docs/reference/access-authn-authz/authorization.md b/content/en/docs/reference/access-authn-authz/authorization.md index dcc270f3cf..304d801120 100644 --- a/content/en/docs/reference/access-authn-authz/authorization.md +++ b/content/en/docs/reference/access-authn-authz/authorization.md @@ -17,7 +17,7 @@ policies using the supported authorization modules. In Kubernetes, you must be authenticated (logged in) before your request can be authorized (granted permission to access). For information about authentication, -see [Controlling Access to the Kubernetes API](/docs/reference/access-authn-authz/controlling-access/). +see [Controlling Access to the Kubernetes API](/docs/concepts/security/controlling-access/). Kubernetes expects attributes that are common to REST API requests. This means that Kubernetes authorization works with existing organization-wide or diff --git a/content/en/docs/reference/using-api/_index.md b/content/en/docs/reference/using-api/_index.md index 51c06024b5..8dc81fe549 100644 --- a/content/en/docs/reference/using-api/_index.md +++ b/content/en/docs/reference/using-api/_index.md @@ -27,6 +27,9 @@ lists the API for Kubernetes version {{< param "version" >}}. For general background information, read [The Kubernetes API](/docs/concepts/overview/kubernetes-api/). +[Controlling Access to the Kubernetes API](/docs/concepts/security/controlling-access/) +describes how clients can authenticate to the Kubernetes API server, and how their +requests are authorized. diff --git a/content/en/docs/tasks/access-application-cluster/access-cluster.md b/content/en/docs/tasks/access-application-cluster/access-cluster.md index d05de37f34..7f74320118 100644 --- a/content/en/docs/tasks/access-application-cluster/access-cluster.md +++ b/content/en/docs/tasks/access-application-cluster/access-cluster.md @@ -149,9 +149,8 @@ certificate. On some clusters, the apiserver does not require authentication; it may serve on localhost, or be protected by a firewall. There is not a standard -for this. [Configuring Access to the API](/docs/reference/access-authn-authz/controlling-access/) -describes how a cluster admin can configure this. Such approaches may conflict -with future high-availability support. +for this. [Controlling Access to the API](/docs/concepts/security/controlling-access) +describes how a cluster admin can configure this. ## Programmatic access to the API diff --git a/content/en/docs/tasks/administer-cluster/access-cluster-api.md b/content/en/docs/tasks/administer-cluster/access-cluster-api.md index d09a29c671..ffe200b118 100644 --- a/content/en/docs/tasks/administer-cluster/access-cluster-api.md +++ b/content/en/docs/tasks/administer-cluster/access-cluster-api.md @@ -148,9 +148,8 @@ certificate. On some clusters, the API server does not require authentication; it may serve on localhost, or be protected by a firewall. There is not a standard -for this. [Configuring Access to the API](/docs/reference/access-authn-authz/controlling-access/) -describes how a cluster admin can configure this. Such approaches may conflict -with future high-availability support. +for this. [Controlling Access to the Kubernetes API](/docs/concepts/security/controlling-access) +describes how you can configure this as a cluster administrator. ### Programmatic access to the API diff --git a/static/_redirects b/static/_redirects index f17a70684b..1e1301da7b 100644 --- a/static/_redirects +++ b/static/_redirects @@ -69,6 +69,7 @@ /docs/api-reference/labels-annotations-taints/ /docs/reference/labels-annotations-taints/ 301 /docs/reference/using-api/api-overview/ /docs/reference/using-api/ 301 +/docs/reference/access-authn-authz/controlling-access/ /docs/concepts/security/controlling-access/ 301 /docs/concepts/abstractions/controllers/garbage-collection/ /docs/concepts/workloads/controllers/garbage-collection/ 301 /docs/concepts/abstractions/controllers/statefulsets/ /docs/concepts/workloads/controllers/statefulset/ 301 @@ -449,7 +450,8 @@ /editdocs/ /docs/contribute/ 301 /docs/home/editdocs/ /docs/contribute/ 301 -/docs/admin/accessing-the-api/ /docs/reference/access-authn-authz/controlling-access/ 301 + +/docs/admin/accessing-the-api/ /docs/concepts/overview/kubernetes-api/ 301 /docs/admin/admission-controllers/ /docs/reference/access-authn-authz/admission-controllers/ 301 /docs/admin/authentication/ /docs/reference/access-authn-authz/authentication/ 301 /docs/admin/bootstrap-tokens/ /docs/reference/access-authn-authz/bootstrap-tokens/ 301