Authorization with Kubernetes RBAC
This guide describes how Arrikto EKF performs authorization based on Kubernetes Role-Based Access Control (RBAC).
This guide assumes that AuthService has already authenticated the client that made the request.
Once AuthService authenticates the client, Istio Gateway forwards the client request with the corresponding UserID claim configured, and authorization of the client begins. Here is a step-by-step description of how Kubernetes RBAC authorization works.
1. Istio Gateway: Forward the request with the UserID header to Kubeflow.
2. Kubeflow: Use the UserID header and perform a SubjectAccessReview call to the Kubernetes API server for this request.
3. Kubernetes API server: Respond to Kubeflow on whether or not the client has sufficient permissions to perform this request.
4. Kubeflow: Execute the requested action.
   If the received response indicates that the client is not authorized to perform this request, then Kubeflow does not execute the requested action.
5. Kubeflow: Respond back to Istio Gateway about the status of the initial request.
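The following sketch walks through steps 2 to 4 as an added example; it is not EKF or Kubeflow source code. The header name `kubeflow-userid`, the function names, the `post_sar` callable and the sample user, namespace and resource are assumptions made for illustration; the API server is replaced by a constructed stub so the example runs offline.

```python
USERID_HEADER = "kubeflow-userid"  # assumed name; the guide only says "UserID header"

def build_sar(headers, verb, group, resource, namespace):
    """Step 2: build the SubjectAccessReview body from the forwarded UserID header."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    user = {k.lower(): v for k, v in headers.items()}.get(USERID_HEADER, "").strip()
    if not user:
        return None  # the gateway forwarded no identity, so there is nothing to review
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": user,
            "resourceAttributes": {"verb": verb, "group": group,
                                   "resource": resource, "namespace": namespace},
        },
    }

def is_allowed(response):
    """Step 3: only an explicit status.allowed == true counts as authorization."""
    status = (response or {}).get("status") or {}
    return status.get("allowed") is True and not status.get("denied", False)

def authorize(headers, verb, group, resource, namespace, post_sar):
    """Steps 2-4. post_sar (hypothetical) POSTs the body to the API server
    and returns the decoded response; any failure is treated as a deny."""
    sar = build_sar(headers, verb, group, resource, namespace)
    if sar is None:
        return False
    try:
        return is_allowed(post_sar(sar))
    except Exception:
        return False  # API server unreachable or malformed reply: fail closed

def stub_api_server(sar):
    """Constructed stand-in for the API server: one RoleBinding-like rule."""
    spec, attrs = sar["spec"], sar["spec"]["resourceAttributes"]
    ok = (spec["user"] == "alice@example.com" and attrs["namespace"] == "team-a"
          and attrs["resource"] == "notebooks" and attrs["verb"] in ("get", "list"))
    return {"status": {"allowed": ok}}

if __name__ == "__main__":
    hdrs = {"Kubeflow-UserID": "alice@example.com"}  # constructed request headers
    print(authorize(hdrs, "list", "kubeflow.org", "notebooks", "team-a", stub_api_server))
    print(authorize(hdrs, "delete", "kubeflow.org", "notebooks", "team-a", stub_api_server))
```

The requested action runs only when `authorize` returns `True`; a missing header, a deny, or an error talking to the API server all lead to the same outcome as step 4's unauthorized case.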
For more information check the following documentation:
- Official Kubernetes documentation on Using RBAC Authorization.
- Official Kubernetes documentation on Authorization modes.
- Authorize Identity.
In this guide you gained insight into how Arrikto EKF performs authorization based on Kubernetes Role-Based Access Control (RBAC).
The next guide presents Single Sign-On (SSO).