1.20 Kubernetes Identity Definition
Kubernetes Identity Definition explains how Kubernetes manages user and service identities for secure access control in containerized environments.
Kubernetes Identity Definition is the precise characterization of how the identity of a request's originator is established within a cluster, defined as the outcome of an authentication step that Kubernetes itself does not perform directly, instead delegating verification to external mechanisms while representing the result as a set of attributes, such as a username and group memberships, that subsequent authorization checks then act upon.
Identity as an Authentication Outcome, Not a Stored Record
No Built-In User Database
Kubernetes is defined specifically as not maintaining its own user account objects; unlike Pods or Services, there is no persistent "User" resource stored in the cluster, meaning identity is established fresh on each request through whichever authentication mechanism is configured, rather than looked up from an internal record.
Represented as Attributes, Not an Object
The result of authentication is defined as a set of attributes attached to the request, namely a username, a set of group memberships, and any additional extra fields, which authorization logic subsequently evaluates, rather than as a durable object with its own lifecycle.
Service Accounts as a Defined Exception
An Identity Kubernetes Does Manage
Service accounts are defined as the one identity type Kubernetes does manage directly as a persistent, namespaced object, created specifically to give workloads running inside the cluster a way to authenticate to the API server without relying on external identity infrastructure.
Tokens as the Authentication Artifact
A service account's identity is presented to the API server through a token, automatically provisioned and mounted into Pods that reference it, defining the mechanism by which an in-cluster workload's requests are attributed to a specific service account identity.
Human Users as an Externally Defined Concept
Delegated to External Mechanisms
Human user identity is defined as entirely external to Kubernetes: mechanisms such as client certificates or integration with an external identity provider establish who a human user is, with Kubernetes only ever consuming the resulting identity attributes rather than defining or storing them itself.
Groups as an Aggregating Concept
Not Individually Defined Objects
Groups are defined as labels attached to an established identity rather than as separately created objects; a group's meaning is entirely a function of how authorization rules reference it, since Kubernetes itself does not maintain a registry of valid group names.
Why This Definition Matters
Authorization Depends Entirely on Identity Attributes
Because Role-Based Access Control decisions are made purely against the username and group attributes produced by authentication, the precision of the identity definition directly determines the precision with which access can be granted or restricted throughout the rest of the cluster.