github.com/enmand/kubernetes@v1.2.0-alpha.0/docs/admin/authorization.md (about)

     1  <!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
     2  
     3  <!-- BEGIN STRIP_FOR_RELEASE -->
     4  
     5  <img src="http://kubernetes.io/img/warning.png" alt="WARNING"
     6       width="25" height="25">
     7  <img src="http://kubernetes.io/img/warning.png" alt="WARNING"
     8       width="25" height="25">
     9  <img src="http://kubernetes.io/img/warning.png" alt="WARNING"
    10       width="25" height="25">
    11  <img src="http://kubernetes.io/img/warning.png" alt="WARNING"
    12       width="25" height="25">
    13  <img src="http://kubernetes.io/img/warning.png" alt="WARNING"
    14       width="25" height="25">
    15  
    16  <h2>PLEASE NOTE: This document applies to the HEAD of the source tree</h2>
    17  
    18  If you are using a released version of Kubernetes, you should
    19  refer to the docs that go with that version.
    20  
    21  <strong>
    22  The latest 1.0.x release of this document can be found
    23  [here](http://releases.k8s.io/release-1.0/docs/admin/authorization.md).
    24  
    25  Documentation for other releases can be found at
    26  [releases.k8s.io](http://releases.k8s.io).
    27  </strong>
    28  --
    29  
    30  <!-- END STRIP_FOR_RELEASE -->
    31  
    32  <!-- END MUNGE: UNVERSIONED_WARNING -->
    33  
    34  # Authorization Plugins
    35  
    36  
    37  In Kubernetes, authorization happens as a separate step from authentication.
    38  See the [authentication documentation](authentication.md) for an
    39  overview of authentication.
    40  
    41  Authorization applies to all HTTP accesses on the main (secure) apiserver port.
    42  
    43  The authorization check for any request compares attributes of the context of
    44  the request, (such as user, resource, and namespace) with access
    45  policies.  An API call must be allowed by some policy in order to proceed.
    46  
    47  The following implementations are available, and are selected by flag:
    48    - `--authorization-mode=AlwaysDeny`
    49    - `--authorization-mode=AlwaysAllow`
    50    - `--authorization-mode=ABAC`
    51  
    52  `AlwaysDeny` blocks all requests (used in tests).
    53  `AlwaysAllow` allows all requests; use if you don't need authorization.
    54  `ABAC` allows for user-configured authorization policy.  ABAC stands for Attribute-Based Access Control.
    55  
    56  ## ABAC Mode
    57  
    58  ### Request Attributes
    59  
    60  A request has 5 attributes that can be considered for authorization:
    61    - user (the user-string which a user was authenticated as).
    62    - group (the list of group names the authenticated user is a member of).
    63    - whether the request is readonly (GETs are readonly).
    64    - what resource is being accessed.
    65      - applies only to the API endpoints, such as
    66          `/api/v1/namespaces/default/pods`.  For miscellaneous endpoints, like `/version`, the
    67          resource is the empty string.
    68    - the namespace of the object being access, or the empty string if the
    69          endpoint does not support namespaced objects.
    70  
    71  We anticipate adding more attributes to allow finer grained access control and
    72  to assist in policy management.
    73  
    74  ### Policy File Format
    75  
    76  For mode `ABAC`, also specify `--authorization-policy-file=SOME_FILENAME`.
    77  
    78  The file format is [one JSON object per line](http://jsonlines.org/).  There should be no enclosing list or map, just
    79  one map per line.
    80  
    81  Each line is a "policy object".  A policy object is a map with the following properties:
    82    - `user`, type string; the user-string from `--token-auth-file`. If you specify `user`, it must match the username of the authenticated user.
    83    - `group`, type string; if you specify `group`, it must match one of the groups of the authenticated user.
    84    - `readonly`, type boolean, when true, means that the policy only applies to GET
    85        operations.
    86    - `resource`, type string; a resource from an URL, such as `pods`.
    87    - `namespace`, type string; a namespace string.
    88  
    89  An unset property is the same as a property set to the zero value for its type (e.g. empty string, 0, false).
    90  However, unset should be preferred for readability.
    91  
    92  In the future, policies may be expressed in a JSON format, and managed via a REST
    93  interface.
    94  
    95  ### Authorization Algorithm
    96  
    97  A request has attributes which correspond to the properties of a policy object.
    98  
    99  When a request is received, the attributes are determined.  Unknown attributes
   100  are set to the zero value of its type (e.g. empty string, 0, false).
   101  
   102  An unset property will match any value of the corresponding
   103  attribute.  An unset attribute will match any value of the corresponding property.
   104  
   105  The tuple of attributes is checked for a match against every policy in the policy file.
   106  If at least one line matches the request attributes, then the request is authorized (but may fail later validation).
   107  
   108  To permit any user to do something, write a policy with the user property unset.
   109  To permit an action Policy with an unset namespace applies regardless of namespace.
   110  
   111  ### Examples
   112  
   113   1. Alice can do anything: `{"user":"alice"}`
   114   2. Kubelet can read any pods: `{"user":"kubelet", "resource": "pods", "readonly": true}`
   115   3. Kubelet can read and write events: `{"user":"kubelet", "resource": "events"}`
   116   4. Bob can just read pods in namespace "projectCaribou": `{"user":"bob", "resource": "pods", "readonly": true, "namespace": "projectCaribou"}`
   117  
   118  [Complete file example](http://releases.k8s.io/HEAD/pkg/auth/authorizer/abac/example_policy_file.jsonl)
   119  
   120  ### A quick note on service accounts
   121  
   122  A service account automatically generates a user. The user's name is generated according to the naming convention:
   123  
   124  ```
   125  system:serviceaccount:<namespace>:<serviceaccountname>
   126  ```
   127  
   128  Creating a new namespace also causes a new service account to be created, of this form:*
   129  
   130  ```
   131  system:serviceaccount:<namespace>:default
   132  ```
   133  
   134  For example, if you wanted to grant the default service account in the kube-system full privilege to the API, you would add this line to your policy file:
   135  
   136  ```json
   137  {"user":"system:serviceaccount:kube-system:default"}
   138  ```
   139  
   140  The apiserver will need to be restarted to pickup the new policy lines.
   141  
   142  ## Plugin Development
   143  
   144  Other implementations can be developed fairly easily.
   145  The APIserver calls the Authorizer interface:
   146  
   147  ```go
   148  type Authorizer interface {
   149    Authorize(a Attributes) error
   150  }
   151  ```
   152  
   153  to determine whether or not to allow each API action.
   154  
   155  An authorization plugin is a module that implements this interface.
   156  Authorization plugin code goes in `pkg/auth/authorizer/$MODULENAME`.
   157  
   158  An authorization module can be completely implemented in go, or can call out
   159  to a remote authorization service.  Authorization modules can implement
   160  their own caching to reduce the cost of repeated authorization calls with the
   161  same or similar arguments.  Developers should then consider the interaction between
   162  caching and revocation of permissions.
   163  
   164  
   165  <!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
   166  [![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/authorization.md?pixel)]()
   167  <!-- END MUNGE: GENERATED_ANALYTICS -->