I have read about RBAC, but it does not resolve my confusion. I use a certificate to authenticate the kubectl user (maybe as foo), and I do not assign any role to the user. As expected, it should be denied when it accesses the API server, but in fact it is not.
On Friday, July 7, 2017 at 1:33:30 AM UTC+8, Brandon Philips wrote:
> Authorization can be done with https://kubernetes.io/docs/admin/authorization/rbac/
>
> In Tectonic we use OIDC authentication which gives you a User to key off of. But, you can use x509 certificates with O/CN's to key off of too.
>
> HTH,
>
> Brandon
>
> On Wed, Jun 28, 2017 at 2:41 AM Shafreeck Sea <shaf...@gmail.com> wrote:
>
>> Hi guys:
>>
>> I am a newbie here, maybe I am asking a trivial question.
>>
>> I read the docs about section of authentication and authorization, and the docs said:
>>
>>> Kubernetes authorizes API requests using the API server. It evaluates all of the request attributes against all policies and allows or denies the request. All parts of an API request must be allowed by some policy in order to proceed. This means that permissions are denied by default.
>>
>> All the permissions are denied by default, why kubectl has full permissions to access the apiserver? I know it can be authenticated use certificate, but how about authorization?
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Kubernetes user discussion and Q&A" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-use...@googlegroups.com.
>> To post to this group, send email to kubernet...@googlegroups.com.
>> Visit this group at https://groups.google.com/group/kubernetes-users.
>> For more options, visit https://groups.google.com/d/optout.
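
The certificate O/CN mapping mentioned in the thread, as an added example that is not part of the original messages: the API server takes the user name from the client certificate's CN and one group from each O, and these helpers derive that identity so it can be checked against the cluster. The function names and the sample subject are assumptions made for illustration.

```shell
#!/bin/sh
# Input is an RFC 2253 subject string, e.g. as printed by:
#   openssl x509 -in client.crt -noout -subject -nameopt RFC2253
# Assumption: attribute values contain no escaped commas or spaces.

# Print every value of attribute $2 (CN or O) in subject string $1, one per line.
subject_attr() {
    printf '%s\n' "${1#subject=}" | tr ',' '\n' |
        sed -n -e 's/^ *//' -e "s/^$2=//p"
}

# User name the API server uses for this certificate (the CN).
k8s_user() { subject_attr "$1" CN | head -n 1; }

# Groups the API server uses for this certificate (each O), comma-joined.
k8s_groups() { subject_attr "$1" O | paste -sd, -; }

# Succeeds if the certificate puts the user in system:masters, the group
# that the default RBAC bootstrap bindings tie to cluster-admin.
is_cluster_admin_cert() {
    subject_attr "$1" O | grep -qx 'system:masters'
}

# Ask the API server whether this identity may list pods. Needs kubectl and
# impersonation rights; defined here but not called by the sample run below.
# If the answer is "yes" for a user with no role bindings, check the API
# server's --authorization-mode flag: its default, AlwaysAllow, permits every
# authenticated request.
can_i_list_pods() {
    subj=$1
    args="--as=$(k8s_user "$subj")"
    for g in $(subject_attr "$subj" O); do
        args="$args --as-group=$g"
    done
    # Word splitting of $args is intentional here.
    kubectl auth can-i list pods $args
}

# Constructed sample subject (not taken from the thread).
sample='subject=CN=foo,O=dev'
echo "user=$(k8s_user "$sample") groups=$(k8s_groups "$sample")"
```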