Getting Started with Security

Learn about security and related concerns.

Understanding the scenario

Security implementation is a game between a team with a total lock-down strategy and a team that plans to win by providing complete freedom to everyone. You can think of it as a battle between anarchists and totalitarians. The only way the game can be won is if both blend into something new. The only viable strategy is freedom without sacrificing security (too much).

Right now, our cluster is as secure as it can get. There is only one user. No one else can operate it. The others cannot even list the Pods in the cluster.

A single user strategy works well when simulating a cluster on a laptop. It serves the purpose when the only goal is to learn alone.

Exploring the options

The moment we create a “real” cluster where the whole company will collaborate (in some form or another), we’ll need to define (and apply) an authentication and authorization strategy.

If your business is small and there are only a few people who will ever operate the cluster, giving everyone the same cluster-wide administrative set of permissions is a simple and legitimate solution. More often than not, this will not be the case.

Your company probably has people with different levels of trust. Even if that’s not the case, different people will require different levels of access. Some will be allowed to do anything they want, while others will not have any type of access. Most will be able to do something in between. We might choose to give everyone a separate namespace and forbid them from accessing others. Some might be able to operate a production namespace, while others might have an interest only in the one assigned for development and testing.

We can apply an infinite number of permutations. Still, one thing is certain. We will need to create an authentication and authorization mechanism. We’ll most likely need to create permissions that are sometimes applied cluster-wide and, in other cases, limited to namespaces.

Those and many other policies can be created by employing Kubernetes authorization and authentication.

Get hands-on with 1200+ tech skills courses.