Saiyam Pathak avatar
By Saiyam Pathak
Director of Technical Evangelism


Learn what Kubernetes authentication is and how it works with service accounts and authentication plugins.



Hi. In this video, we'll be discussing Kubernetes authentication. Now first, when the user request comes, the authentication checks whether the credentials in the request are valid or not. Now, there can be two types of users. The first is a regular user, and one is a service account. Now, the regular users are human users. And there is an external user management system that manages them. So, the regular users are not managed by Kubernetes. And even the credential check happens via the external management system. So, the authentication will call the external management system and then the credentials will be checked.

Service accounts

Now, service accounts are Kubernetes objects, and Kubernetes API handles them. They are created as a Kubernetes object service account. Each service account is associated with a secret, and each secret has a token. And that particular token is used for authentication. Before going to the authorization stage, there is something called user info that gets attached to each request. Now, this info will be getting from the external user management for the regular user. And for service accounts, it is natively managed by Kubernetes. So, Username, UID, Groups, and extra fields all will be added before the request goes to the authorization stage after the authentication is passed.

Authentication plugins

There are various authentication plugins like the X509 Client Certs, Static token file, Bootstrap token, Service account token, OpenID connect tokens, Webhook token authentication, Authenticating proxy, and Anonymous auth. So, the authentication will be done by these authentication plugins. And also, the user info is added by these plugins. So, as a summary, we can say on a high level, a user, either a regular one or a service account one, the request is sent with the credentials, and the authentication stage will check for that credentials. If the authentication is valid, it adds the user info and passes it on to the authorization stage. If it's a regular user, everything is managed externally by the user management system, and Kubernetes will directly communicate with the system. If it's a service account, then Kubernetes natively will handle all the authentication and the user info attachment. So, that's it for this lecture. Thanks for watching. See you in the next one.

Don't stop now, check out your next lesson