Authorization with Kubernetes RBAC
This guide describes how Arrikto EKF performs authorization based on Kubernetes Role-Based Access Control (RBAC).
Note
This guide assumes that AuthService has already authenticated the client that made the request.
Step-by-Step Analysis
Once AuthService authenticates the client, Istio Gateway forwards the client request with the corresponding UserID claim configured, and the authorization of the client begins. The following steps describe how Kubernetes RBAC authorization works.
Istio Gateway: Forward the request with the UserID header to Kubeflow.
Kubeflow: Use the UserID header and perform a SubjectAccessReview call to the Kubernetes API server for this request.
Kubernetes API server: Respond to Kubeflow on whether or not the client has sufficient permissions to perform this request.
Kubeflow: Execute the requested action.
Note
If the received response indicates that the client is not authorized to perform this request, then Kubeflow does not execute the requested action.
Kubeflow: Respond back to Istio Gateway about the status of the initial request.
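The check in the steps above, sketched as an added example (not Arrikto's or Kubeflow's own code): it builds the SubjectAccessReview body from the UserID header and runs the action only on an explicit allow. The header name `kubeflow-userid`, the helper names, the sample user, namespace and resource, and the `fake_api_server` stand-in for the Kubernetes API server are assumptions made for illustration.

```python
USERID_HEADER = "kubeflow-userid"  # assumption: the header name is deployment-specific


def build_sar(headers, verb, group, resource, namespace):
    """Build the SubjectAccessReview body for the user named in the UserID header."""
    user = {k.lower(): v for k, v in headers.items()}.get(USERID_HEADER, "").strip()
    if not user:
        raise PermissionError("missing UserID header; refusing to authorize")
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": user,
            "resourceAttributes": {
                "namespace": namespace, "verb": verb,
                "group": group, "resource": resource,
            },
        },
    }


def is_allowed(sar_response):
    """Fail closed: only an explicit status.allowed == True authorizes."""
    status = sar_response.get("status") or {}
    return status.get("allowed") is True and not status.get("denied", False)


def authorize(headers, verb, group, resource, namespace, review):
    """`review` stands in for POST /apis/authorization.k8s.io/v1/subjectaccessreviews."""
    try:
        sar = build_sar(headers, verb, group, resource, namespace)
        return is_allowed(review(sar))
    except Exception:
        return False  # any error means the requested action is not executed


# Constructed stand-in for the API server's RBAC decision (not real cluster data).
GRANTS = {("alice@example.com", "team-a", "list", "notebooks")}


def fake_api_server(sar):
    spec, attrs = sar["spec"], sar["spec"]["resourceAttributes"]
    key = (spec["user"], attrs["namespace"], attrs["verb"], attrs["resource"])
    return {**sar, "status": {"allowed": key in GRANTS}}


if __name__ == "__main__":
    hdrs = {"Kubeflow-UserID": "alice@example.com"}  # constructed sample request header
    print(authorize(hdrs, "list", "kubeflow.org", "notebooks", "team-a", fake_api_server))
    print(authorize(hdrs, "delete", "kubeflow.org", "notebooks", "team-a", fake_api_server))
```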
See also
For more information, see the following documentation:
- Official Kubernetes documentation on Using RBAC Authorization.
- Official Kubernetes documentation on Authorization modes.
- Authorize Identity.
Summary
In this guide you gained insight into how Arrikto EKF performs authorization based on Kubernetes Role-Based Access Control (RBAC).