Authorization with Kubernetes RBAC

This guide describes how Arrikto EKF performs authorization based on Kubernetes Role-Based Access Control (RBAC).

Note

This guide assumes that AuthService has already authenticated the client that made the request.

Step-by-Step Analysis

Once AuthService authenticates the client, Istio Gateway forwards the client request with the corresponding UserID claim configured, and authorization of the client begins. Here is a step-by-step description of how Kubernetes RBAC authorization works.

  1. Istio Gateway: Forward the request with the UserID header to Kubeflow.

  2. Kubeflow: Use the UserID header and perform a SubjectAccessReview call to the Kubernetes API server for this request.

  3. Kubernetes API server: Respond to Kubeflow on whether or not the client has sufficient permissions to perform this request.

  4. Kubeflow: Execute the requested action.

    Note

    If the received response indicates that the client is not authorized to perform this request, then Kubeflow does not execute the requested action.

  5. Kubeflow: Respond back to Istio Gateway about the status of the initial request.
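
The five steps above, sketched as an added Python example (not EKF or Kubeflow source code) that fails closed when the UserID header is missing or the review response is malformed. The header name kubeflow-userid, the review callable that would submit the object to the Kubernetes API server, and the sample user and resource are assumptions made for illustration.

```python
# Added example, not EKF or Kubeflow source code.
USERID_HEADER = "kubeflow-userid"  # assumed name; the guide only says "UserID header"


def build_sar(headers, namespace, verb, group, resource):
    """Steps 1-2: turn the forwarded UserID header into a SubjectAccessReview."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    user = {k.lower(): v for k, v in headers.items()}.get(USERID_HEADER, "").strip()
    if not user:
        # No identity from the gateway: refuse rather than review an empty user.
        raise PermissionError("request carries no UserID header")
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": user,
            "resourceAttributes": {"namespace": namespace, "verb": verb,
                                   "group": group, "resource": resource},
        },
    }


def is_allowed(sar_response):
    """Step 3: read the API server's verdict, failing closed on anything odd."""
    status = sar_response.get("status") if isinstance(sar_response, dict) else None
    if not isinstance(status, dict):
        return False
    # Only a literal True authorizes, and an explicit "denied" always wins.
    return status.get("allowed") is True and status.get("denied") is not True


def handle(headers, action, review, **attrs):
    """Steps 4-5: run the action only after a positive review, then report back."""
    try:
        sar = build_sar(headers, **attrs)
    except PermissionError as exc:
        return False, str(exc)
    if not is_allowed(review(sar)):
        return False, "forbidden"
    return True, action()


def fake_api_server(sar):
    """Constructed stand-in for the API server: only alice may list."""
    spec = sar["spec"]
    ok = spec["user"] == "alice@example.com" and spec["resourceAttributes"]["verb"] == "list"
    return {"status": {"allowed": ok}}
```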


Summary

In this guide you gained insight into how Arrikto EKF performs authorization based on Kubernetes Role-Based Access Control (RBAC).

What’s Next

The next guide presents Single Sign-On (SSO).