Authorization

Once a request is authenticated, it needs to be authorized to be able to proceed through the Kubernetes system and perform its intended action.

There are two main authorization modes and two global Deny/Allow settings. The main modes are:

• RBAC

• Webhook.

They can be configured as kube-apiserver startup options:

--authorization-mode=RBAC

--authorization-mode=Webhook

--authorization-mode=AlwaysDeny

--authorization-mode=AlwaysAllow

The authorization modes implement policies to allow requests. Attributes of the requests are checked against the policies (e.g. user, group, namespace, verb).