Kubernetes Security Primitives

Introduction

Two types of decisions need to be made:

  • Who can access?
  • What can they do?


From there, we have the following processes:

  • Authentication: decides who can access the API server. Defined with authentication mechanisms.

  • Authorization: once access has been granted, what is the caller allowed to do? Defined with authorization mechanisms.
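The authorization step is usually expressed with RBAC. The following manifest is an added example, not part of the original notes: it grants read-only access to pods in one namespace and binds that permission to a single user. The namespace `dev`, the user name `dev-user` and the object names are assumptions; the user name must match whatever identity the authentication step produced (for a client certificate, its CN).

```yaml
# Added example (not from the original notes): least-privilege RBAC.
# Role = what can be done (namespaced); RoleBinding = who may do it.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev            # assumed namespace
  name: pod-reader
rules:
  - apiGroups: [""]         # "" is the core API group, where pods live
    resources: ["pods"]
    verbs: ["get", "list", "watch"]   # read-only: no create, delete or pods/exec
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: dev
  name: read-pods
subjects:
  - kind: User
    name: dev-user          # assumed identity, as established by authentication
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role                # a Role, so the grant cannot leak outside "dev"
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

After applying it, the grant can be checked without switching credentials: `kubectl auth can-i list pods --namespace dev --as dev-user` should answer `yes`, while `kubectl auth can-i delete pods --namespace dev --as dev-user` should answer `no`. Using a Role rather than a ClusterRole keeps the permission scoped to the namespace in the binding.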

TLS Certificates

All communication within the cluster, between the control-plane components such as the etcd cluster, kube-controller-manager, scheduler and API server, as well as with the components running on the worker nodes such as the kubelet and kube-proxy, is secured using TLS encryption.
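From a client's point of view the same TLS setup does two jobs: the cluster CA lets the client verify the API server's certificate, and a client certificate signed by that CA is what the API server uses to authenticate the caller (the certificate's CN becomes the user name). The kubeconfig below is an added example, not from the original notes; the server address, cluster name and file paths are assumptions.

```yaml
# Added example (not from the original notes): a kubeconfig that verifies the
# API server with the cluster CA and presents a client certificate as identity.
apiVersion: v1
kind: Config
clusters:
  - name: my-cluster                       # assumed name
    cluster:
      server: https://10.0.0.10:6443       # placeholder API server address
      # The CA bundle used to verify the server certificate. Do NOT replace
      # this with "insecure-skip-tls-verify: true": that disables server
      # verification and allows a man-in-the-middle to impersonate the API.
      certificate-authority: /etc/kubernetes/pki/ca.crt   # assumed path
users:
  - name: dev-user
    user:
      # Client certificate with CN=dev-user (and O=<group> for group membership),
      # signed by the CA the API server trusts via --client-ca-file. Assumed paths.
      client-certificate: /home/dev/.kube/dev-user.crt
      client-key: /home/dev/.kube/dev-user.key   # keep mode 0600; it IS the credential
contexts:
  - name: dev-user@my-cluster
    context:
      cluster: my-cluster
      user: dev-user
      namespace: dev                        # assumed default namespace
current-context: dev-user@my-cluster
```

Because the client key is the credential, a leaked key is equivalent to a leaked password for that identity and the certificate should be rotated; short certificate lifetimes limit the exposure.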


Network policies

Network policies determine how applications in the cluster communicate. They specify which pods can and cannot communicate with each other, as well as with the outside world.
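Without any NetworkPolicy every pod can reach every other pod, so a practical baseline is to deny all traffic in a namespace and then allow only the flows that are needed. The manifests below are an added example, not from the original notes; the namespace `dev`, the `app` labels, the port numbers and the CIDR are assumptions. NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them; otherwise they are accepted by the API server but have no effect, which is worth verifying before relying on them.

```yaml
# Added example (not from the original notes): default-deny plus explicit allows.
# Policies are additive: a pod selected by any policy only gets the traffic
# that at least one policy permits.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: dev                  # assumed namespace
spec:
  podSelector: {}                 # empty selector = every pod in the namespace
  policyTypes:
    - Ingress
    - Egress                      # no ingress/egress rules listed => all denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: api                    # assumed label on the API pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend       # only pods labelled app=frontend, same namespace
      ports:
        - protocol: TCP
          port: 8080              # assumed listening port
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-dns-and-db
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Egress
  egress:
    - to:                         # cluster DNS, so service names still resolve
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    - to:                         # an external database; placeholder CIDR
        - ipBlock:
            cidr: 192.0.2.0/24
      ports:
        - protocol: TCP
          port: 5432
```

A quick way to confirm enforcement is to run `kubectl exec` into a pod that is not labelled `app=frontend` and attempt a connection to the API pod's port: with a CNI that enforces policies the connection should time out, and if it succeeds the policies are not being applied.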

Examples of host security policies

  • Block password-based access
  • Only allow SSH access using keys
