Security, RBAC, Security Context, API Access Control, Network Policy, Pods…
Security
  RBAC
    Role
      Collection of permissions (rules)
      Standalone; must be bound to a subject to take effect
      Namespace specific
    ClusterRole
      Same as Role, but global to the cluster
      Reusable across the entire cluster
    RoleBinding
      Connects one or more subjects to a Role/ClusterRole
    ClusterRoleBinding
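The four RBAC objects above, as an added example (not taken from the original mind map): a namespaced Role bound to a ServiceAccount, and a ClusterRole for a cluster-scoped resource bound cluster-wide. The names (pod-reader, ci-runner, node-reader, the dev namespace, the monitoring-team group) are constructed for illustration.

```yaml
# Added example, not from the original page. Names are constructed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: dev            # a Role is namespace specific
rules:
- apiGroups: [""]           # "" is the core API group
  resources: ["pods"]
  verbs: ["get", "list", "watch"]   # read-only: no create/update/delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: dev
subjects:
- kind: ServiceAccount      # subjects can also be User or Group
  name: ci-runner
  namespace: dev
roleRef:
  kind: Role                # may also be ClusterRole, reusing one definition per namespace
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader         # no namespace: ClusterRoles are global
rules:
- apiGroups: [""]
  resources: ["nodes"]      # cluster-scoped resource, so a Role cannot grant it
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-nodes
subjects:
- kind: Group
  name: monitoring-team     # constructed group name
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
```

The check worth running after applying such manifests is impersonation with `kubectl auth can-i`, for example `kubectl auth can-i list pods --as=system:serviceaccount:dev:ci-runner -n dev` (expected `yes`) and the same query with `delete` (expected `no`), which confirms the binding grants only the verbs listed.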
  Security Context
    PodSpec section for defining container privileges
    If defined at pod level
      Default for all containers
      Can be overridden and specified per container
    Cluster administrators can enforce restrictions with policies
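Pod-level defaults with a per-container override, plus the namespace label that lets an administrator enforce restrictions through Pod Security Admission, as an added example (not from the original mind map). The pod name, image references and the prod namespace are placeholders.

```yaml
# Added example, not from the original page. Names and images are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
spec:
  securityContext:               # pod level: default for every container below
    runAsNonRoot: true           # kubelet refuses to start a container whose image runs as UID 0
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001               # pod-only field: group ownership of mounted volumes
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: web
    image: example.com/web:1.0   # placeholder image
    securityContext:             # container level: adds to the pod defaults
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
  - name: sidecar
    image: example.com/sidecar:1.0
    securityContext:
      runAsUser: 10002           # overrides the pod-level runAsUser for this container only
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
---
apiVersion: v1
kind: Namespace
metadata:
  name: prod
  labels:
    # Pod Security Admission: pods that violate the "restricted" profile are rejected
    pod-security.kubernetes.io/enforce: restricted
```

Container-level fields win over pod-level ones where both are set, so the pod-level block is a floor for the common case rather than a guarantee; the namespace label is what turns the expectation into an enforced rule, since it rejects any pod in prod that omits the restricted-profile fields shown above.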
  API Access Control
    Client Certificates
      Common Usage
        Cluster Components
    Token
      Common Usage
        Service Account
    External Authentication
      Common Usage
        User
  Network Policy
    Specify how groups of pods are allowed to communicate with
      Each other
      Other network endpoints
    Use labels to select pods and define rules
    Pods
      Become isolated by
        Defining a NetworkPolicy that selects them in a Namespace
        Pod will reject any connections that are not explicitly allowed by a NetworkPolicy
        Other pods that are not selected will continue to accept traffic
      Non-isolated (default)
        Accept traffic from any source
  Authentication - Service Accounts
    Service Account Tokens
      Generated automatically when a ServiceAccount object is created
      Mounted inside pods at /var/run/secrets/kubernetes.io/serviceaccount
    spec.serviceAccountName
      Overrides the default service account
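A ServiceAccount with token automounting switched off, and a pod that selects it through spec.serviceAccountName and opts back in to the mount, as an added example (not from the original mind map). The ci-runner account, ci-job pod, dev namespace and image are constructed.

```yaml
# Added example, not from the original page. Names and image are constructed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci-runner
  namespace: dev
automountServiceAccountToken: false   # pods using this account get no API token unless they ask
---
apiVersion: v1
kind: Pod
metadata:
  name: ci-job
  namespace: dev
spec:
  serviceAccountName: ci-runner       # overrides the namespace's "default" service account
  automountServiceAccountToken: true  # pod-level setting wins; this pod does need the API
  containers:
  - name: runner
    image: example.com/runner:1.0     # placeholder image
    # token, ca.crt and namespace appear under
    # /var/run/secrets/kubernetes.io/serviceaccount inside the container
```

Disabling the automount on the account (or on pods that never talk to the API server) is the usual hardening step, because a mounted token carries whatever RBAC permissions are bound to the account. Note also that since Kubernetes 1.24 the mounted token is a short-lived projected token obtained through the TokenRequest API rather than a long-lived Secret created alongside the ServiceAccount, so a token read from the filesystem expires and is bound to the pod that received it.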