Authorization can be done with https://kubernetes.io/docs/admin/authorization/rbac/
In Tectonic we use OIDC authentication which gives you a User to key off of. But, you can use x509 certificates with O/CN's to key off of too. HTH, Brandon On Wed, Jun 28, 2017 at 2:41 AM Shafreeck Sea <shafre...@gmail.com> wrote: > Hi guys: > > I am a newbie here, maybe I am asking a trivial question. > > I read the docs about section of authentication and authorization, and the > docs said : > > Kubernetes authorizes API requests using the API server. It evaluates all >> of the request attributes against all policies and allows or denies the >> request. All parts of an API request must be allowed by some policy in >> order to proceed. This means that permissions are denied by default. > > > All the permissions are denied by default, why kubectl has full > permissions to access the apiserver ? I know it can be authenticated use > certificate, but how about authorization? > > -- > You received this message because you are subscribed to the Google Groups > "Kubernetes user discussion and Q&A" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to kubernetes-users+unsubscr...@googlegroups.com. > To post to this group, send email to kubernetes-users@googlegroups.com. > Visit this group at https://groups.google.com/group/kubernetes-users. > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Kubernetes user discussion and Q&A" group. To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-users+unsubscr...@googlegroups.com. To post to this group, send email to kubernetes-users@googlegroups.com. Visit this group at https://groups.google.com/group/kubernetes-users. For more options, visit https://groups.google.com/d/optout.
