Understand Kubernetes API Access Control Mechanisms

Lab Steps

Connecting to the Kubernetes Cluster
Understanding Kubernetes Authentication
Understanding Kubernetes Authorization
Understanding Kubernetes Admission Control

The hands-on lab is part of this learning path

Ready for the real environment experience?

Time Limit1h


Kubernetes provides three access control layers to secure the Kubernetes API server:

  1. Authentication: Requests sent to the API server are authenticated to prove the identity of the requester, be it a normal user or a service account, and are rejected otherwise.
  2. Authorization: The action specified in the request must be in the list of actions the authenticated user is allowed to perform or it is rejected.
  3. Admission Control: Authorized requests must then pass through all of the admission controllers configured in the cluster (excluding read-only requests) before any action is performed.

You will gain a basic understanding of each layer and how each can impact requests sent to the cluster.

This lab is valuable to anyone working with Kubernetes, but the content has been prepared considering topics described in the Certified Kubernetes Application Developer (CKAD) Exam Curriculum. Completion of the lab will help you get hands-on experience, which is essential for passing the CKAD exam.

Learning Objectives

  • Understand authentication, authorization and admission control in the Kubernetes API

Intended Audience

  • Kubernetes admins and operators
  • Application developers and DevOps engineers deploying applications in containers and using or considering Kubernetes
  • This lab is recommended for Certified Kubernetes Application Developer (CKAD) examinees


  • Knowledge of Kubernetes ServiceAccounts and Secrets
  • Experience with kubectl

You can complete the Mastering Kubernetes Pod Configuration: Service Accounts lab and the Mastering Kubernetes Pod Configuration: Config Maps and Secrets lab to satisfy the prerequisites.


September 6th, 2022 - Updated to run Kubernetes 1.24

Environment before
Environment after
About the Author
Learning paths49

Logan has been involved in software development and research since 2007 and has been in the cloud since 2012. He is an AWS Certified DevOps Engineer - Professional, AWS Certified Solutions Architect - Professional, Microsoft Certified Azure Solutions Architect Expert, MCSE: Cloud Platform and Infrastructure, Google Cloud Certified Associate Cloud Engineer, Certified Kubernetes Security Specialist (CKS), Certified Kubernetes Administrator (CKA), Certified Kubernetes Application Developer (CKAD), and Certified OpenStack Administrator (COA). He earned his Ph.D. studying design automation and enjoys all things tech.