K8s Intermediate - Coggle Diagram
Network Policies
Default Behavior: No restrictions (all traffic allowed)
Effect of Policies:
Deny-by-default for selected pods
Must explicitly allow desired traffic
Selectors:
podSelector: Targets specific pods
namespaceSelector: Targets all pods in a namespace
{} selects all pods in the namespace
Security Benefits:
Fine-grained traffic control
Easier auditing and firewall rule management
Restricts attacker movement
Example:
Web server: Deny all → Allow only ports 80 & 443
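The web-server example above, written out as manifests (an added example, not part of the Coggle diagram). The namespace name "web" and the pod label app=web are assumptions; the first policy uses the empty podSelector {} from the Selectors node to deny everything in the namespace, the second re-allows only 80 and 443 to the selected pods.

```yaml
# Added example, not from the original diagram. Assumed names: namespace "web",
# web-server pods labelled app=web.
---
# 1. Namespace-wide default deny. podSelector {} selects every pod in "web";
#    listing Ingress/Egress in policyTypes with no rules means nothing is allowed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: web
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# 2. Allow only HTTP/HTTPS into the web-server pods. Policies are additive:
#    a connection is allowed if any policy selecting the pod allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow-http-https
  namespace: web
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  ingress:
  # No "from" clause: any source may reach these ports. To restrict to
  # cluster-internal callers, add "from: [{namespaceSelector: {}}]".
  - ports:
    - protocol: TCP
      port: 80
    - protocol: TCP
      port: 443
```

Because the first policy also denies egress, the web pods lose DNS until a separate egress rule to kube-dns (UDP/TCP 53) is added; and note that NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them, so verify enforcement with a test pod rather than assuming it.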
Kubernetes Authentication
Mechanisms
X.509 Client Certificates
Uses Kubernetes Certificate Authority (CA)
Identity verified via signed certificate
Can be used directly with kubectl
Can be used through a kubeconfig context
Bearer Tokens
Static tokens, sent in the HTTP Authorization header
Used to authenticate API requests
OpenID Connect (OIDC)
Integrates with OIDC-compliant Identity Providers
Enables federated identity and single sign-on (SSO)
Anonymous Requests
No authentication required
Anyone can access the cluster
⚠️ Not recommended for pr
Configuration file (kubeconfig): defines cluster, users, context
Kubernetes Access Control
Mechanisms
1. Role-Based Access Control (RBAC)
Permissions tied to roles
Roles assigned to users or groups
Commonly used and flexible
2. Attribute-Based Access Control (ABAC)
Permissions defined by policies
Policies use attributes like:
User identity
Resource type
Environment conditions
Object metadata
3. Node Authorization
Specific to Kubelet
Controls what nodes can do
Ensures secure node-level operations
Namespaces
Purpose: Partition cluster resources
Default Namespaces:
kube-system: Core components
kube-public: Public resources
default: User-created resources
Key Points:
Not isolated by default
Use RBAC and Network Policies for isolation
Useful for organizing and securing workloads