✦ For everyone, free.

Practical knowledge for real and everyday life

Home

1.20 Kubernetes Identity Definition

Kubernetes Identity Definition explains how Kubernetes manages user and service identities for secure access control in containerized environments.

Kubernetes Identity Definition is the precise characterization of how the identity of a request's originator is established within a cluster, defined as the outcome of an authentication step that Kubernetes itself does not perform directly, instead delegating verification to external mechanisms while representing the result as a set of attributes, such as a username and group memberships, that subsequent authorization checks then act upon.


Identity as an Authentication Outcome, Not a Stored Record

No Built-In User Database

Kubernetes is defined specifically as not maintaining its own user account objects; unlike Pods or Services, there is no persistent "User" resource stored in the cluster, meaning identity is established fresh on each request through whichever authentication mechanism is configured, rather than looked up from an internal record.

Represented as Attributes, Not an Object

The result of authentication is defined as a set of attributes attached to the request, namely a username, a set of group memberships, and any additional extra fields, which authorization logic subsequently evaluates, rather than as a durable object with its own lifecycle.

identity = ( username , groups )

Service Accounts as a Defined Exception

An Identity Kubernetes Does Manage

Service accounts are defined as the one identity type Kubernetes does manage directly as a persistent, namespaced object, created specifically to give workloads running inside the cluster a way to authenticate to the API server without relying on external identity infrastructure.

Tokens as the Authentication Artifact

A service account's identity is presented to the API server through a token, automatically provisioned and mounted into Pods that reference it, defining the mechanism by which an in-cluster workload's requests are attributed to a specific service account identity.


Human Users as an Externally Defined Concept

Delegated to External Mechanisms

Human user identity is defined as entirely external to Kubernetes: mechanisms such as client certificates or integration with an external identity provider establish who a human user is, with Kubernetes only ever consuming the resulting identity attributes rather than defining or storing them itself.


Groups as an Aggregating Concept

Not Individually Defined Objects

Groups are defined as labels attached to an established identity rather than as separately created objects; a group's meaning is entirely a function of how authorization rules reference it, since Kubernetes itself does not maintain a registry of valid group names.


Why This Definition Matters

Authorization Depends Entirely on Identity Attributes

Because Role-Based Access Control decisions are made purely against the username and group attributes produced by authentication, the precision of the identity definition directly determines the precision with which access can be granted or restricted throughout the rest of the cluster.


Identity Establishment Diagram

Request Authenticate username/groups