Access to the Kubernetes API is managed via two different types of user account:
- Service accounts are managed by Kubernetes itself. These are used by cluster components (via secrets mounted into pods) to manage resources in their bound namespaces.
- Normal users are independent of the cluster.
Kubernetes users aren't API objects, though they're referenced as if they were. They're provided by an authentication module which interacts with an external source: a password file, a database or some form of directory or token service. Two types of resource are modelled in this way:
- Users represent individual users.
- Groups represent a set of related users.
Managed Kubernetes offerings are usually integrated with the host cloud platform.