In Deckhouse Kubernetes Platform (DKP), authorization is based on the standard Kubernetes Role-Based Access Control (RBAC) mechanism. This allows for flexible access control for different users, groups, and service accounts, ensuring security and operational control in the cluster.
DKP supports two role models:
- Current: The end-to-end authorization subsystem extends the standard RBAC mechanism using custom resources — ClusterAuthorizationRule and AuthorizationRule.
- Experimental: This model also relies on the standard RBAC mechanism. Access is configured by creating RoleBinding or ClusterRoleBinding resources.
Both models are supported by the user-authz module.
The choice of model depends on security requirements and usage scenarios.
Who gets access and when
There are two main scenarios for granting access in DKP:
- Granting access to users for working via command-line clients, web UI, and other tools used for administration, development, and cluster management.
- Granting access to service accounts for automating tasks such as application deployment and updates (most commonly using the IaC approach). Examples of such services include CI/CD systems, monitoring systems, and others.
After successful authentication, users and service accounts are granted access to cluster resources based on the configured authorization settings.
User authentication
DKP supports multiple user authentication methods. For details, refer to User authentication.
Service account authentication
In Kubernetes, service accounts (ServiceAccount) are special accounts used to automate tasks and interact with the cluster API.
They enable applications and services to securely communicate with the Kubernetes API.
In DKP, service accounts for external services are created in the d8-service-accounts namespace to maintain consistency.
Example manifest for creating a ServiceAccount:
apiVersion: v1
kind: ServiceAccount
metadata:
name: gitlab-runner-deploy
namespace: d8-service-accounts
After creating the ServiceAccount, issue a token so the service can authenticate in the cluster. This is done by creating a secret that contains the access token.
Example manifest for creating a secret with a ServiceAccount token:
apiVersion: v1
kind: Secret
metadata:
name: gitlab-runner-deploy-token
namespace: d8-service-accounts
annotations:
kubernetes.io/service-account.name: gitlab-runner-deploy
type: kubernetes.io/service-account-token