Kubernetes and Cloud Native Security Associate (KCSA)

Kubernetes Cluster Component Security

API Server

The Kubernetes API server is the central management entity of a cluster. Every interaction, whether through kubectl, a client library, or a direct REST call, passes through this component. Because it is the cluster's first line of defense, you must tightly control who can communicate with the API server and which operations they are permitted to perform.

Key Access-Control Decisions

  1. Authentication: Verify the identity of users or processes.
  2. Authorization: Determine which actions authenticated subjects can execute.

Authentication

Kubernetes supports multiple authentication mechanisms. Choose methods based on your environment’s security requirements:

Method               Description                                                  Use Case
Static Credentials   Username/password pairs defined in files                     Small test clusters
Bearer Tokens        Secrets or service account tokens                            Automated clients, CI/CD pipelines
Client Certificates  X.509 certificates for users and components                  Production clusters with strong security
External Providers   Integrate with LDAP, OIDC, or webhook token authentication   Enterprise SSO
Service Accounts     Automatically managed tokens for in-cluster workloads        Pods requiring API access

Note

Service accounts are the default identity for workloads inside a cluster. Always assign the minimal set of permissions.

[Figure: slide "Authentication", listing access methods: usernames and passwords, tokens, certificates, and LDAP]

For detailed setup, see Authentication in Kubernetes.
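Service account tokens are the credential a pod presents to the API server, so knowing what identity a token carries and whether it expires is a routine defensive check. The following is an added example, not code from the course page: it builds two constructed tokens (a legacy secret-based token and a projected, audience-bound one; the signature segment is a placeholder because real tokens are signed by the controller manager's key) and reads their claims. Only the API server can verify the signature, so this inspects claims without trusting them.

```python
import base64
import json
import time
from typing import Dict, List, Optional

# A Kubernetes service account token is a JWT. The API server verifies the
# signature; from the outside we can still read the claims to see which
# identity a token carries and whether it is a legacy, non-expiring token.

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(payload: Dict) -> str:
    """Build a constructed token so the example runs offline. The signature
    segment is a placeholder: a real token is signed with the cluster's
    service-account signing key, which we do not have here."""
    header = {"alg": "RS256", "kid": "constructed-key-id"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])

def decode_claims(token: str) -> Dict:
    """Return the JWT payload WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def review_token(token: str, now: Optional[int] = None) -> Dict:
    """Identify the service account behind a token and list the properties a
    defender cares about: whether it expires and whether it is audience-bound."""
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    findings: List[str] = []

    # Service account subjects have the form system:serviceaccount:<ns>:<name>.
    sub = claims.get("sub", "")
    if sub.startswith("system:serviceaccount:") and sub.count(":") == 3:
        _, _, namespace, name = sub.split(":")
    else:
        namespace, name = None, None
        findings.append("subject is not a service account identity")

    if "exp" not in claims:
        findings.append("no exp claim: legacy secret-based token that never expires")
    elif claims["exp"] <= now:
        findings.append("token has expired")

    if not claims.get("aud"):
        findings.append("no aud claim: token is not bound to a specific audience")

    return {"namespace": namespace, "name": name, "findings": findings}

# Constructed sample tokens (not from any real cluster).
LEGACY_TOKEN = make_sample_token({
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:payments:api",
    "kubernetes.io/serviceaccount/namespace": "payments",
})

PROJECTED_TOKEN = make_sample_token({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:payments:api",
    "aud": ["https://kubernetes.default.svc"],
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
})

if __name__ == "__main__":
    for label, token in (("legacy", LEGACY_TOKEN), ("projected", PROJECTED_TOKEN)):
        print(label, review_token(token, now=1_700_000_100))
```

The legacy token is flagged twice (no expiry, no audience) while the projected token passes; the same `review_token` call applied to a token extracted from a workload tells you which service account, and therefore which RBAC bindings, a leaked credential would carry.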


Authorization

After a user or process is authenticated, Kubernetes must decide which API operations they can perform. The most common authorization module is Role-Based Access Control (RBAC), but other options exist:

Module               Description
RBAC                 Grants roles to users or service accounts; each role defines the allowed API groups and resources
ABAC                 Policies evaluated against user attributes
Node Authorization   Restricts each kubelet's API actions to the pods running on its own node
Webhook Mode         Delegates authorization decisions to an external service

[Figure: slide "Authorization", listing the authorization modes RBAC, ABAC, Node Authorization, and Webhook Mode]

Warning

Misconfigured RBAC rules can inadvertently grant excessive privileges. Always follow the principle of least privilege.

Learn more in the Role-Based Access Control documentation.
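The warning above is easiest to act on with a repeatable check. The following added example (not code from the course page) audits constructed RBAC objects, shaped like `kubectl get <kind> -o json` output and embedded as Python dicts so no cluster or YAML library is needed. It places an overly broad ClusterRole and ClusterRoleBinding beside a least-privilege Role and RoleBinding, and flags wildcards, escalation verbs, sensitive resources, the built-in `cluster-admin` role, broad system groups, and bindings to the `default` service account. The object names and namespace are invented for the example.

```python
from typing import Dict, List

# Constructed RBAC objects (the names and the "payments" namespace are made up).
WILDCARD_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "do-everything"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

CONFIGMAP_READER = {
    "kind": "Role",
    "metadata": {"name": "configmap-reader", "namespace": "payments"},
    "rules": [{"apiGroups": [""], "resources": ["configmaps"],
               "verbs": ["get", "list", "watch"]}],
}

EVERYONE_ADMIN = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "everyone-is-admin"},
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"kind": "Group", "name": "system:authenticated"}],
}

API_READS_CONFIGMAPS = {
    "kind": "RoleBinding",
    "metadata": {"name": "api-reads-configmaps", "namespace": "payments"},
    "roleRef": {"kind": "Role", "name": "configmap-reader"},
    "subjects": [{"kind": "ServiceAccount", "name": "api", "namespace": "payments"}],
}

# Verbs that let a subject grow its own privileges, resources whose access is
# effectively credential or node access, and groups that mean "everyone".
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}
SENSITIVE_RESOURCES = {"secrets", "pods/exec", "pods/attach", "pods/portforward"}
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}

def audit_rules(role: Dict) -> List[str]:
    """Check a Role or ClusterRole for rules that violate least privilege."""
    findings: List[str] = []
    for i, rule in enumerate(role.get("rules", [])):
        fields = (("apiGroups", rule.get("apiGroups", [])),
                  ("resources", rule.get("resources", [])),
                  ("verbs", rule.get("verbs", [])))
        for field, values in fields:
            if "*" in values:
                findings.append(f"rule {i}: wildcard in {field}")
        for verb in sorted(ESCALATION_VERBS & set(rule.get("verbs", []))):
            findings.append(f"rule {i}: grants privilege-escalation verb '{verb}'")
        for res in sorted(SENSITIVE_RESOURCES & set(rule.get("resources", []))):
            findings.append(f"rule {i}: grants access to sensitive resource '{res}'")
    return findings

def audit_binding(binding: Dict) -> List[str]:
    """Check a RoleBinding or ClusterRoleBinding for risky role or subject choices."""
    findings: List[str] = []
    ref = binding.get("roleRef", {})
    if ref.get("kind") == "ClusterRole" and ref.get("name") == "cluster-admin":
        findings.append("binds the built-in cluster-admin role")
    for subj in binding.get("subjects", []):
        if subj.get("kind") == "Group" and subj.get("name") in BROAD_GROUPS:
            findings.append(f"binds to broad group '{subj['name']}'")
        if subj.get("kind") == "ServiceAccount" and subj.get("name") == "default":
            ns = subj.get("namespace", "?")
            findings.append(f"binds the default service account in namespace '{ns}'")
    return findings

def audit(objects: List[Dict]) -> Dict[str, List[str]]:
    """Run the check matching each object's kind; key results by kind/namespace/name."""
    report: Dict[str, List[str]] = {}
    for obj in objects:
        meta = obj.get("metadata", {})
        key = f"{obj['kind']}/{meta.get('namespace', '-')}/{meta['name']}"
        if obj["kind"] in ("Role", "ClusterRole"):
            findings = audit_rules(obj)
        else:
            findings = audit_binding(obj)
        if findings:
            report[key] = findings
    return report

if __name__ == "__main__":
    objs = [WILDCARD_ROLE, CONFIGMAP_READER, EVERYONE_ADMIN, API_READS_CONFIGMAPS]
    for key, findings in audit(objs).items():
        print(key)
        for finding in findings:
            print("  -", finding)
```

Only the two deliberately broad objects appear in the report; `configmap-reader` scopes one resource in one namespace to read-only verbs and binds to one named service account, which is the shape least privilege takes in RBAC.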


TLS Encryption Between Components

All communication between the API server and other cluster components is encrypted via TLS. This includes:

  • etcd cluster
  • kube-controller-manager
  • kube-scheduler
  • kubelet and kube-proxy on worker nodes

Because every one of these connections is authenticated with certificates, a robust certificate management process (issuance, distribution, and rotation before expiry) is critical to prevent unauthorized access and to preserve data integrity.

[Figure: diagram of the ETCD Cluster, Kubelet, Kube Proxy, Kube Controller Manager, and Kube Scheduler connected to the Kube ApiServer, with TLS certificates indicated on each connection]

For certificate generation and rotation guidance, refer to TLS in Kubernetes.

