The page has been translated by Gen AI.

Authentication and Authorization

Kubernetes Engine applies Kubernetes authentication and RBAC authorization features. It explains how Kubernetes authentication and authorization functions integrate with Kubernetes Engine and IAM.

Kubernetes authentication and authorization

Describes Kubernetes authentication and RBAC authorization features.

Authentication

The Kubernetes API server obtains the information required for authenticating a user (User) or a service account (ServiceAccount) from certificates or authentication tokens, and then carries out the authentication process.

Reference

For a detailed explanation of Kubernetes authentication, refer to the following document. https://kubernetes.io/docs/reference/access-authn-authz/authentication/

Reference

For detailed information on using kubectl and kubeconfig, refer to Accessing the Cluster.

Authorization

The Kubernetes API server uses the user information obtained through the authentication process to verify, via RBAC-related objects, whether the user has permission for the requested operation. RBAC-related objects come in four types as follows.

object	Scope	Explanation
Cluster Role (ClusteRole)	cluster-wide	Definition of permissions across all namespaces in the cluster
ClusterRoleBinding(ClusteRoleBinding)	cluster-wide	Definition of the connection between ClusterRole and user
Roll (Role)	namespace (namespace)	Permission definition for a specific namespace
RoleBinding(RoleBinding)	namespace (namespace)	Definition of the binding between a ClusterRole or Role and a user

Table. RBAC related objects

Reference

For detailed information on Kubernetes RBAC authorization, refer to the following document. https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Roll

Kubernetes defines several cluster roles by default. Some of those cluster roles do not include the prefix (system:). These are cluster roles intended for user use. This includes a superuser role (cluster-admin) applied to the entire cluster using a ClusterRoleBinding, and roles (admin, edit, view) applied to a specific namespace using a RoleBinding.

Default cluster role	Default ClusterRoleBinding	Explanation
cluster-admin	system:masters group	Allows superuser access that can perform any operation on all resources. ClusterRoleBinding grants full control over all resources in the cluster and all namespaces. RoleBinding allows complete control over all resources within the namespace and the namespaces bound to the role.
admin	None	Allows administrator access applied within a namespace using role binding. When used in role binding, it grants read/write access to most resources within the namespace, including the ability to create roles and role bindings inside the namespace. This role does not permit write access to resource quotas or the namespace itself.
edit	None	Allows read/write access to most objects within the namespace. This role does not permit viewing or modifying roles and role bindings. However, because this role can access secrets and run pods as any Account in the namespace, it can obtain the API access level of all Accounts in the namespace.
view	None	Allows read‑only access to view most objects within a namespace. Roles or role bindings cannot be viewed. This role does not permit secret viewing. Reading the contents of a secret would grant access to the credentials of an Account in the namespace, which could then allow API access as any Account in the namespace (a form of privilege escalation).

Table. Description of basic cluster role and cluster role binding

Reference

For detailed information about the user role, refer to the following document. https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles

If necessary, you can define additional roles (or cluster roles) beyond the default cluster role, as shown below.

Color mode

# A role that grants permission to view pods in the "default" namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]

# A role that grants permission to view pods in the "default" namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]

Code block. Role that grants permission to view pods within a namespace

Color mode

# Cluster role that grants permission to view nodes
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]

# Cluster role that grants permission to view nodes
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]

Code block. Cluster role that grants permission to view nodes

Reference

For detailed explanations about roles and cluster roles, refer to the following document. https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole

Role Binding

To manage access to the Kubernetes Engine using Samsung Cloud Platform IAM, you need to understand the relationship between Kubernetes role bindings and IAM. The subjects of a role binding (or cluster role binding) may include individual users (User) or groups (Group).

User corresponds to the Samsung Cloud Platform username, and Group corresponds to the IAM user group name, respectively.

For RoleBinding/ClusterRoleBinding, subjects.kind can be set to one of the following.

User: Samsung Cloud Platform is connected to individual users.
Group: Connected to the Samsung Cloud Platform IAM user group.

Reference

In addition, you can also specify a service account, but service accounts are generally not for end users and cannot be linked to a Samsung Cloud Platform user.

The subjects.name of a role binding/cluster role binding can be specified as follows. If the user is a User: individual Samsung Cloud Platform username (e.g., jane.doe) For a group: Samsung Cloud Platform IAM user group name (e.g., ReadPodsGroup)

Reference

subjects.name is case-sensitive.

In this way, the IAM user group is linked to the group defined in the RoleBinding (or ClusterRoleBinding) of the Kubernetes Engine cluster. It is also granted permission to perform the API actions included in the Role (or ClusterRole) associated with the group.

Example) role binding read-pods #1

The example of writing User (individual Samsung Cloud Platform user) in a role binding is as follows.

Color mode

# This role binding allows the user "jane.doe" to view pods in the "default" namespace.
# The namespace must have a role named "pod-reader".
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
roleRef:
  # The "roleRef" specifies the link to a Role or ClusterRole.
  kind: Role       # Must be Role or ClusterRole.
  name: pod-reader # Must match the name of the Role or ClusterRole you want to bind to.
  apiGroup: rbac.authorization.k8s.io
subjects:
# You can specify one or more "target (subject)".
- kind: User
  name: jane.doe
  apiGroup: rbac.authorization.k8s.io

# This role binding allows the user "jane.doe" to view pods in the "default" namespace.
# The namespace must have a role named "pod-reader".
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
roleRef:
  # The "roleRef" specifies the link to a Role or ClusterRole.
  kind: Role       # Must be Role or ClusterRole.
  name: pod-reader # Must match the name of the Role or ClusterRole you want to bind to.
  apiGroup: rbac.authorization.k8s.io
subjects:
# You can specify one or more "target (subject)".
- kind: User
  name: jane.doe
  apiGroup: rbac.authorization.k8s.io

Code block. Example of writing User (individual Samsung Cloud Platform user) in role binding

When a role binding like the above is created in the cluster, a user whose username is jane.doe is granted permission to perform the API actions defined in the pod-reader role.

Example) role binding read-pods #2

The example of creating a group (IAM user group) in role binding is as follows.

Color mode

# This role binding allows users in the "ReadPodsGroup" group to view pods in the "default" namespace.
# The namespace must have a role called "pod-reader".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
subjects:
# You can specify one or more "target (subject)".
- kind: Group
  name: ReadPodsGroup
  apiGroup: rbac.authorization.k8s.io

# This role binding allows users in the "ReadPodsGroup" group to view pods in the "default" namespace.
# The namespace must have a role called "pod-reader".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
subjects:
# You can specify one or more "target (subject)".
- kind: Group
  name: ReadPodsGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Example of a RoleBinding that allows the ReadPodsGroup group to list pods.

If a role binding like the above is created in the cluster, users in the IAM user group ReadPodsGroup are granted permission to perform the API actions defined in the role pod-reader.

Example) ClusterRoleBinding read-nodes

Color mode

# This cluster role binding allows users in the "ReadNodesGroup" group to view nodes.
# A cluster role named "node-reader" must exist.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-nodes
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ReadNodesGroup
  apiGroup: rbac.authorization.k8s.io

# This cluster role binding allows users in the "ReadNodesGroup" group to view nodes.
# A cluster role named "node-reader" must exist.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-nodes
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ReadNodesGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Example of a cluster role binding that allows node read access for the ReadNodesGroup group.

When a cluster role binding like the above is created in the cluster, users belonging to the IAM user group ReadNodesGroup are granted permission to perform the API actions defined in the cluster role node-reader.

Reference

For detailed instructions on creating role bindings, refer to the following document. https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-binding-examples

Predefined roles and role bindings for Samsung Cloud Platform

In the Kubernetes Engine of Samsung Cloud Platform, the cluster role bindings scp-cluster-admin, scp-view, scp-namespace-view, and the cluster role scp-namespace-view are predefined. The table below shows the predefined roles and role bindings for Samsung Cloud Platform and the relationships of Samsung Cloud Platform users. Here, the cluster roles cluster-admin and view are predefined within the Kubernetes cluster. For more details, see role.

ClusterRoleBinding	ClusterRole	subjects (user)
scp-cluster-admin	cluster-admin	Cluster creator username (e.g., jane.doe)
scp-view	view	-
scp-namespace-view	scp-namespace-view	All users authenticated to this cluster

Table. Predefined roles and role bindings for Samsung Cloud Platform, user relationships

According to the cluster role binding scp-cluster-admin, the Kubernetes Engine service creator is granted cluster admin privileges.
Users or groups registered in the cluster role binding scp-view are granted cluster viewer permissions. It is bound to the predefined Kubernetes cluster role view, and does not grant access to cluster‑scoped resources (e.g., namespaces, nodes, ingress classes, etc.) or to secrets within a namespace. For more details, see role.
According to the cluster role binding scp-namespace-view, all users authenticated to the cluster are granted permission to view namespaces.

Reference

Predefined roles and role bindings for Samsung Cloud Platform are created once during cluster service creation.
Users can modify or delete the predefined cluster role bindings and cluster roles for Samsung Cloud Platform as needed.

The details of the predefined roles and role bindings for Samsung Cloud Platform are as follows.

ClusterRoleBinding scp-cluster-admin

Cluster role binding scp-cluster-admin is linked to the cluster role cluster-admin, and is bound to the Samsung Cloud Platform user (Kubernetes Engine cluster creator) according to the subjects field.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
  name: scp-cluster-admin
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User               
  name: jane.doe # cluster creator username
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
  name: scp-cluster-admin
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User               
  name: jane.doe # cluster creator username
  apiGroup: rbac.authorization.k8s.io

Code block. Cluster role binding scp-cluster-admin example

ClusterRoleBinding scp-view

ClusterRoleBinding scp-view is bound to the ClusterRole view, and you can add Samsung Cloud Platform users or IAM user groups to the subjects field.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-view
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-view
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io

Code block. ClusterRoleBinding scp-view example

ClusterRole and ClusterRoleBinding scp-namespace-view

The cluster role scp-namespace-view defines view permissions for namespaces. The cluster role binding scp-namespace-view is bound to the cluster role scp-namespace-view, granting namespace read permissions to all authenticated users in the cluster.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: scp-namespace-view
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-namespace-view
roleRef:
  kind: ClusterRole
  name: scp-namespace-view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: scp-namespace-view
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-namespace-view
roleRef:
  kind: ClusterRole
  name: scp-namespace-view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io

Code block. Cluster role and cluster role binding scp-namespace-view example

IAM user group RBAC use case

This chapter explains examples of granting permissions for each major user scenario. The IAM user groups, ClusterRoleBinding/RoleBinding, and ClusterRole names presented here are just examples to aid understanding. Administrators should define and apply appropriate names and permissions as needed.

Scope	use case	IAM user group	ClusterRoleBinding/RoleBinding	ClusterRole	Remarks
cluster	Cluster Administrator	ClusterAdminGroup	ClusterRoleBinding cluster-admin-group	cluster-admin	Administrator for a specific cluster
cluster	Cluster Editor	ClusterEditGroup	ClusterRoleBinding cluster-edit-group	edit	Editor for a specific cluster
cluster	Cluster Viewer	ClusterViewGroup	ClusterRoleBinding cluster-view-group	view	Viewer for a specific cluster
namespace	Namespace Manager	NamespaceAdminGroup	Role binding namespace-admin-group	admin	Administrator for a specific namespace
namespace	Namespace editor	NamespaceEditGroup	Role binding namespace-edit-group	edit	Editor for a specific namespace
namespace	Namespace viewer	NamespaceViewGroup	Role binding namespace-view-group	view	Viewer for a specific namespace

Table. Example of binding IAM user groups and cluster role users by use case

Reference

The cluster roles (cluster-admin, admin, edit, view) shown in the table are predefined within the Kubernetes cluster. For more details, see role.

Cluster Administrator

To create a cluster administrator, follow these steps.

Create an IAM user group named ClusterAdminGroup.

Create a cluster role binding with the following contents in the target cluster.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-group
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterAdminGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-group
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterAdminGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Create cluster administrator

It is linked with cluster-admin of the base cluster, granting administrator privileges for that cluster.

Cluster Editor

To create a cluster editor, follow these steps.

Create an IAM user group named ClusterEditGroup.

Create a ClusterRoleBinding with the following specifications in the target cluster.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-edit-group
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterEditGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-edit-group
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterEditGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Create cluster editor

It is linked with the edit role of the base cluster, granting editor permissions for that cluster.

Cluster Viewer

To create a cluster viewer, follow these steps.

Create an IAM user group named ClusterViewGroup.

Create a ClusterRoleBinding with the following specifications in the target cluster.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-view-group
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterViewGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-view-group
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterViewGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Create cluster viewer

It is associated with the view role of the default cluster, granting viewer permissions for that cluster.

Namespace Administrator

To create a namespace manager, follow these steps.

Create an IAM user group named NamespaceAdminGroup.

Create a RoleBinding with the following contents in the target cluster.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-admin-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceAdminGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-admin-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceAdminGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Create a namespace manager

It is linked with the admin role of the default cluster, granting administrator privileges for the namespace.

Namespace Editor

To create a namespace editor, follow these steps.

Create an IAM user group named NamespaceEditGroup.

Create a RoleBinding with the following specifications in the target cluster.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-edit-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceEditGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-edit-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceEditGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Create namespace editor

It is linked with the default cluster role edit, granting editor permissions for the namespace.

Namespace Viewer

To create a namespace viewer, follow these steps.

Create an IAM user group named NamespaceViewGroup.

Create a RoleBinding with the following contents in the target cluster.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-view-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceViewGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-view-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceViewGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Create namespace viewer

It is associated with the default cluster role view, granting viewer permissions for the namespace.

Access Cluster

Using type LoadBalancer service