The next step after successful authentication is to check which operations the authenticated user is allowed to perform. Kubernetes supports four types of authorization policy schemes as of today. To select specific authorization schemes, use the --authorization-mode switch when starting the API server. The syntax is:
$ kube-apiserver --authorization-mode <mode>
The <mode> parameter contains an ordered list of authorization plugins that Kubernetes uses to authorize requests. When multiple authorization plugins are enabled, the first one that successfully authorizes the request makes Kubernetes skip all remaining plugins.
The default authorization mode is AlwaysAllow, which allows all requests.
The following authorization schemes are supported:
- Attribute-based control
- Role-based control
- Webhook
- AlwaysDeny
- AlwaysAllow
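A configuration check for the ordering and default described above, as an added example that is not part of the original text or of Kubernetes itself. The sample command lines are constructed, and the function names are hypothetical; RBAC and Webhook are the flag values for the role-based and webhook schemes.

```python
import shlex

FLAG = "--authorization-mode"
DEFAULT_MODES = ["AlwaysAllow"]  # default mode, as stated on this page

# Constructed sample command lines (not taken from a real cluster).
SAMPLES = [
    "kube-apiserver --secure-port=6443",
    "kube-apiserver --authorization-mode RBAC,Webhook",
    "kube-apiserver --authorization-mode=AlwaysAllow,RBAC",
]

def parse_modes(cmdline):
    """Return (flag_present, ordered list of modes) for one command line."""
    args = shlex.split(cmdline)
    present, modes = False, []
    for i, arg in enumerate(args):
        if arg.startswith(FLAG + "="):
            value = arg.split("=", 1)[1]
        elif arg == FLAG and i + 1 < len(args):
            value = args[i + 1]
        else:
            continue
        present = True
        # Assumption of this example: repeated flags are concatenated in order.
        modes.extend(m.strip() for m in value.split(",") if m.strip())
    return present, (modes or list(DEFAULT_MODES))

def audit(cmdline):
    """Return (effective modes, findings) for a kube-apiserver command line."""
    present, modes = parse_modes(cmdline)
    findings = []
    if not present:
        findings.append("flag not set: default AlwaysAllow applies")
    if "AlwaysAllow" in modes:
        findings.append("AlwaysAllow enabled: all requests are allowed")
        shadowed = modes[modes.index("AlwaysAllow") + 1:]
        if shadowed:
            # The first plugin that authorizes a request ends the chain.
            findings.append("never consulted: " + ",".join(shadowed))
    return modes, findings

if __name__ == "__main__":
    for line in SAMPLES:
        modes, findings = audit(line)
        print(line)
        print("  modes:", ",".join(modes))
        for f in findings or ["no findings"]:
            print("  -", f)
```

Run it against the arguments of the running API server process or its static manifest; an empty findings list means the flag is set explicitly and AlwaysAllow is not in the chain.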