Authorization: RBAC, ABAC, and Webhook Modes

A developer creates a Pod that mounts every Secret in the namespace as a volume. Their ServiceAccount is allowed to create pods but not to get secrets. The Pod starts anyway, because the kubelet fetches the mounted Secrets with its own credentials, and every Secret value is now readable inside the container. Authorization in Kubernetes is not intuitive, and misunderstanding how RBAC rules compose is how clusters quietly become over-permissioned.
The API server evaluates an ordered chain of authorization modules. A single "allow" from any module grants access. If every module returns "no opinion," the request is denied. This lesson covers the four authorization modes (Node, RBAC, ABAC, Webhook), how the chain works, RBAC's four API objects (Role, ClusterRole, RoleBinding, ClusterRoleBinding) with real CNCF project examples from Prometheus Operator and cert-manager, and the privilege escalation traps that catch teams in production.
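Added example (not course material and not Kubernetes code): a small Python model of the authorization chain and of RBAC rule matching, plus the check an admission policy would have to make to catch the Secret-mount case above. The dict layouts for rules, requests and the Pod spec are simplified assumptions.

```python
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NO_OPINION = "no opinion"

def authorize(modules, request):
    """Ordered chain: the first module with an opinion decides; if every
    module returns NO_OPINION the request is denied."""
    for module in modules:
        decision = module(request)
        if decision is not Decision.NO_OPINION:
            return decision
    return Decision.DENY

def rbac_module(rules):
    """Authorizer over the union of every rule bound to the subject.
    Simplified: only verbs and resources are matched, "*" is a wildcard;
    real RBAC also matches apiGroups, resourceNames and namespace."""
    def check(request):
        for rule in rules:
            verb_ok = request["verb"] in rule["verbs"] or "*" in rule["verbs"]
            res_ok = request["resource"] in rule["resources"] or "*" in rule["resources"]
            if verb_ok and res_ok:
                return Decision.ALLOW
        return Decision.NO_OPINION  # RBAC never denies, it only declines
    return check

def secret_references(pod_spec):
    """Secrets a Pod spec pulls in via volumes or envFrom. A 'create pods'
    grant is enough to make the kubelet mount them, so an admission
    policy, not RBAC, is where this has to be checked."""
    names = set()
    for vol in pod_spec.get("volumes", []):
        if "secret" in vol:
            names.add(vol["secret"]["secretName"])
    for container in pod_spec.get("containers", []):
        for src in container.get("envFrom", []):
            if "secretRef" in src:
                names.add(src["secretRef"]["name"])
    return sorted(names)

# Constructed sample: the intro's ServiceAccount has create/get on pods, nothing on secrets.
DEV_RULES = [{"verbs": ["create", "get"], "resources": ["pods"]}]
CHAIN = [rbac_module(DEV_RULES)]
SAMPLE_POD = {  # constructed: mounts one Secret and loads another into env
    "volumes": [{"name": "creds", "secret": {"secretName": "db-password"}}],
    "containers": [{"name": "app", "envFrom": [{"secretRef": {"name": "api-key"}}]}],
}
```

Running `authorize(CHAIN, {"verb": "get", "resource": "secrets"})` is denied while the Pod create is allowed, yet `secret_references(SAMPLE_POD)` shows the two Secrets that Pod would expose anyway.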
KCSA — Kubernetes and Cloud Native Security Associate