Attribute Based Access Control (ABAC)
Attribute-based access control uses a policy file that defines users and groups together with the access they are granted. The policy file holds one JSON object per line; note that there is no enclosing object or array, and each line is a separate policy object.
{"kind": "Policy", "apiVersion": "abac.authorization.kubernetes.io/v1beta1", "spec": {"user": "user1", "namespace": "*", "resource": "pods", "apiGroup": "*"}}
{"kind": "Policy", "apiVersion": "abac.authorization.kubernetes.io/v1beta1", "spec": {"group": "dev-users", "namespace": "*","resource": "pods", "apiGroup": "*"}}
To enable this authorization, we need to pass the --authorization-policy-file=POLICY_FILE_PATH and --authorization-mode=ABAC flags when starting kube-apiserver.
We can also use service accounts as users, as shown below.
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"system:serviceaccount:kube-system:default","namespace":"*","resource":"*","apiGroup":"*"}}
Every service account has a corresponding ABAC user that we can reference in a policy. The user name has the format system:serviceaccount:<namespace>:<serviceaccountname>.
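To check what a policy file actually grants before restarting kube-apiserver, here is a small Python evaluator, added as an example and not part of the original post or of Kubernetes itself. It mirrors the documented ABAC matching rules (unset fields count as the zero value, "*" matches anything, and the optional readonly field, which is assumed here from the ABAC policy spec rather than taken from this page, restricts a line to read-only requests) over a constructed three-line policy file.

```python
import json

# Constructed sample policy file: one Policy object per line, same format as above.
POLICY_FILE = """\
{"kind": "Policy", "apiVersion": "abac.authorization.kubernetes.io/v1beta1", "spec": {"user": "user1", "namespace": "*", "resource": "pods", "apiGroup": "*"}}
{"kind": "Policy", "apiVersion": "abac.authorization.kubernetes.io/v1beta1", "spec": {"group": "dev-users", "namespace": "dev", "resource": "pods", "apiGroup": "*", "readonly": true}}
{"kind": "Policy", "apiVersion": "abac.authorization.kubernetes.io/v1beta1", "spec": {"user": "system:serviceaccount:kube-system:default", "namespace": "*", "resource": "*", "apiGroup": "*"}}
"""

def load_policies(text):
    """Parse the JSON-lines file into a list of policy specs; blank lines are skipped."""
    return [json.loads(line)["spec"] for line in text.splitlines() if line.strip()]

def service_account_user(namespace, name):
    """ABAC user name that a service account is mapped to."""
    return "system:serviceaccount:%s:%s" % (namespace, name)

def policy_matches(spec, user, groups, namespace, resource, api_group, readonly):
    """Match one resource request against one policy line: the line must name a
    user or group that matches before its resource fields are considered."""
    matched = False
    want_user = spec.get("user", "")
    if want_user:
        if want_user != "*" and want_user != user:
            return False
        matched = True
    want_group = spec.get("group", "")
    if want_group:
        if want_group != "*" and want_group not in groups:
            return False
        matched = True
    if not matched:
        return False
    # A readonly policy grants only read-only verbs (get, list, watch).
    if spec.get("readonly", False) and not readonly:
        return False
    for key, got in (("namespace", namespace), ("resource", resource), ("apiGroup", api_group)):
        want = spec.get(key, "")
        if want != "*" and want != got:
            return False
    return True

def is_allowed(policies, **request):
    """The request is allowed if any line of the policy file matches it."""
    return any(policy_matches(spec, **request) for spec in policies)
```

Run it over the real policy file with the subjects and resources you care about to confirm that a new line grants only what was intended.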
ABAC has the limitation that the policy file becomes hard to manage when there are many users and access controls. Every time we need to add a user or a policy, we have to edit the file and restart the kube-apiserver. Moreover, users that share the same access controls each need their own entries in the file.