Open-Source Wikis

/

Kubernetes

/

Systems

/

Auth and admission

kubernetes/kubernetes

Auth and admission

The Kubernetes auth pipeline is a layered stack of pluggable strategies. Most of the code is in the apiserver staging module (staging/src/k8s.io/apiserver/) so it can be reused by extension API servers, with kube-apiserver-specific composition in pkg/kubeapiserver/. This page is the catalog.

Authentication

Strategy Code When it applies
X509 client cert staging/src/k8s.io/apiserver/pkg/authentication/request/x509 TLS client certs signed by the cluster CA
Bearer token (static file) staging/src/k8s.io/apiserver/pkg/authentication/request/bearertoken + token file loader Legacy. Tokens read from --token-auth-file
Service account token pkg/serviceaccount/ + staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount JWT minted by the apiserver for pods. Two flavours: legacy auto-generated, projected bound
OpenID Connect staging/src/k8s.io/apiserver/pkg/authentication/token/oidc Validates JWTs from external IdPs
Webhook staging/src/k8s.io/apiserver/pkg/authentication/request/webhook Delegates to an external HTTPS service
Bootstrap token pkg/registry/core/secret/, validated via staging/src/k8s.io/cluster-bootstrap Used by kubeadm init/join
Anonymous staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous Final fallback. Returns the system:anonymous user
Header authn staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest Front-proxy with pre-authenticated header

The authenticators are composed in pkg/kubeapiserver/authenticator/config.go. The order is fixed; the first to claim the request wins.

The new structured authentication config (--authentication-config) lets admins declare multiple JWT issuers, claim mappings, and authorizer-friendly user/group prefixes in YAML instead of via flags. Schema is in staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1.

Authorization

The kube-apiserver's authorizer is a chain. The first authorizer to return Allow wins; Deny short-circuits the chain; NoOpinion falls through.

Authorizer Code Use case
Always allow staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/builtin.go Testing only
Always deny same Testing only
ABAC staging/src/k8s.io/apiserver/pkg/authorization/abac Legacy file-based
RBAC staging/src/k8s.io/apiserver/pkg/authorization/rbac/ Default. Walks Role/ClusterRole/RoleBinding/ClusterRoleBinding
Node plugin/pkg/auth/authorizer/node/ Restricts kubelets to objects related to their node
Webhook staging/src/k8s.io/apiserver/pkg/authorization/webhook/ External SubjectAccessReview

The Node authorizer is special: it builds a graph of object references (Pod → Secret, Pod → Node, Pod → ConfigMap, Pod → PVC, etc.) so it can answer "may this kubelet read this Secret?" as "is the Secret reachable from any pod scheduled to this kubelet's node?".

Admission

Admission runs after authorization and before storage. Plugins implement either:

  • MutationInterfaceAdmit(ctx, attrs, ...). Allowed to mutate the object.
  • ValidationInterfaceValidate(ctx, attrs, ...). Read-only.

Some plugins implement both. The chain runs all mutating plugins first, then all validating plugins. If a mutating plugin reorders, validating plugins still see the post-mutation object.

Built-in plugins live under plugin/pkg/admission/:

Plugin Role
noderestriction Restrict kubelets to their own Node + Pod writes
serviceaccount Inject SA tokens, default the Pod's SA
podsecurity Pod Security Standards enforcement (uses staging/src/k8s.io/pod-security-admission)
resourcequota ResourceQuota enforcement
limitranger Default container resources from LimitRange
priority Resolve priorityClassName to numeric priority
defaulttolerationseconds Default node-not-ready/unreachable tolerations
eventratelimit Throttle Event creation per origin
namespacelifecycle Block writes to terminating namespaces
mutatingwebhook / validatingwebhook Dynamic admission webhook plugins
validatingadmissionpolicy CEL-based declarative validation
storageobjectinuseprotection Block PV/PVC delete while in use
runtimeclass Validate RuntimeClass references and inject overhead
certificatesubjectrestriction, certificateapproval, certificatesigning CSR plugins
denyserviceexternalips Optionally reject Services with externalIPs
clusterresourcequota (out-of-tree, OpenShift) Per-tenant quota across namespaces

Plugin registration is in pkg/kubeapiserver/options/plugins.go. The set actually enabled for a given apiserver depends on --enable-admission-plugins / --disable-admission-plugins.

Dynamic admission webhooks

MutatingWebhookConfiguration and ValidatingWebhookConfiguration resources let cluster admins point at an external HTTPS service that receives an AdmissionReview and returns a verdict. Implementation:

  • staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/ — generic webhook dispatcher
  • staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/ — ValidatingAdmissionPolicy CEL execution
  • pkg/registry/admissionregistration/ — REST registry for the configuration objects

Webhooks are the standard extension point for things like service-mesh sidecar injection, image-policy controllers, and custom validation that's too dynamic to encode in a CEL policy.

ValidatingAdmissionPolicy (CEL)

A ValidatingAdmissionPolicy is a CEL program plus parameter source. It runs in-process (no extra hop) and is type-checked against the resource schema at registration. Implementation is split:

  • staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/ — runtime
  • pkg/registry/admissionregistration/ — REST registry
  • pkg/controller/validatingadmissionpolicystatus/ — status reconciliation (reports type-check results)

A future MutatingAdmissionPolicy is in development behind a feature gate.

Audit

staging/src/k8s.io/apiserver/pkg/audit/ records every authenticated request. Audit policies (audit.k8s.io/v1) are static YAML files that decide which requests get logged at which stage and at which level. Sinks include:

  • --audit-log-path — log file
  • --audit-webhook-config-file — webhook
  • Dynamic backend (deprecated; backed by an in-cluster audit sink)

Where to make changes

  • New authn strategy: implement authenticator.Request, register in pkg/kubeapiserver/authenticator/config.go.
  • New authz mode: implement authorizer.Authorizer, add to the structured --authorization-config schema.
  • New built-in admission plugin: implement admission.MutationInterface and/or ValidationInterface, drop into plugin/pkg/admission/<name>/, register in pkg/kubeapiserver/options/plugins.go.
  • New dynamic admission feature: extend MutatingWebhookConfiguration / ValidatingAdmissionPolicy types in staging/src/k8s.io/api/admissionregistration/.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Auth and admission – Kubernetes wiki | Factory