Skip to main content

Module 4: Kubernetes Authentication & Authorization Slides

Slide walkthrough for Module 4 of Cloud Native Security Engineering: Securing Kubernetes, Workloads, APIs & Zero Trust Systems: Service accounts, OIDC,...

This slide page is the visual review companion for the full course module. Use it to recap the architecture, examples, exercises, production warnings, and takeaways after reading the lesson.

Slide Outline

  1. Kubernetes Authentication & Authorization - Service accounts, OIDC, RBAC deep dive, and identity in distributed systems
  2. Learning Objectives - 4 outcomes for this module
  3. Why This Module Matters - RBAC misconfigurations are the #1 cause of Kubernetes privilege escalation. Every production cluster needs well-designed
  4. Kubernetes Authentication Methods - Lesson section from the full module
  5. RBAC Design Principles - Lesson section from the full module
  6. Identity in Distributed Systems - Lesson section from the full module
  7. Real-World Use Cases - OIDC integration for developer kubectl access, Service account token audit and cleanup
  8. Common Mistakes to Avoid - 4 mistakes covered
  9. Hands-On Labs - 2 hands-on labs
  10. Key Takeaways - 5 points to remember

Learning Objectives

  • Configure Kubernetes authentication methods
  • Design least-privilege RBAC policies
  • Integrate OIDC for human authentication
  • Debug authentication and authorization failures

Why This Module Matters

RBAC misconfigurations are the #1 cause of Kubernetes privilege escalation. Every production cluster needs well-designed authentication and authorization — this module teaches you to build it right from the start.

Common Mistakes

  • Using cluster-admin for CI/CD service accounts
  • Not disabling auto-mounting of service account tokens
  • Granting list secrets permission without understanding the blast radius
  • Using X.509 certificates for human users (impossible to revoke without CA rotation)

Key Takeaways

  • Authentication and authorization are separate — never confuse them
  • Use OIDC for human users, service accounts for workloads
  • RBAC should be namespace-scoped and least-privilege by default
  • Audit permissions regularly with kubectl auth can-i
  • Kubernetes identity ends at the cluster boundary — SPIFFE extends it

Hands-On Labs

  1. Configure OIDC Authentication

    Integrate an OIDC provider for human user authentication.

    35 min - Intermediate

    • Deploy Dex as an OIDC provider
    • Configure the API server to trust Dex
    • Authenticate with kubectl using OIDC tokens
    • Verify identity with kubectl auth whoami

    View lab files on GitHub

  2. Debug Authorization Failures

    Troubleshoot RBAC denials systematically.

    25 min - Beginner

    • Create a restricted service account
    • Attempt unauthorized operations and observe errors
    • Use kubectl auth can-i to diagnose permissions
    • Fix RBAC bindings and verify access

    View lab files on GitHub

Read the full module | Back to course curriculum