by rtempaccount1 2204 days ago
I'd agree that k8s has a lot of functionality built-in, another important thing to realise is what k8s doesn't do.

In addition to the well-known integration points (Container Runtime/Network/Storage Interfaces), there are things like the lack of a good built-in user authentication mechanism in Kubernetes, which means you pretty much always need some external authentication service for your clusters.

That's not too bad if you're on one of the big managed providers (GKE/AKS/EKS) but can get complex for people who want to deploy on-prem.


> That's not too bad if you're on one of the big managed providers (GKE/AKS/EKS) but can get complex for people who want to deploy on-prem.

Go spin up Keycloak, join it to your user-directory of choice (or not and just use the internal directory), configure it as your authentication provider, done.

Right, so in addition to the complexity of running k8s (which is the general point of the post) you now have to learn about OAuth servers and LDAP integration.

In many corporates you also now have the challenges of cross-team/department work, for the k8s team to work with the AD team to get it set up.

And still that won't get you away from the problem that without a first class user / group object in k8s people often end up running into problems with JML processes over time and mismatch between AuthN and AuthZ...

Or use Dex: https://github.com/dexidp/dex

Which has the advantage of not needing any external databases.
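As an added illustration (not from any commenter in this thread, and not Dex's or Keycloak's own documentation) of what the Keycloak/Dex route above amounts to in practice: Dex using the cluster's own CRDs as storage, authenticating against a directory, the kube-apiserver delegating authentication to it, and an RBAC binding that is the only place a directory group becomes cluster authorization. Hostnames, DNs, client secrets and group names are placeholders.

```yaml
# dex-config.yaml: issuer backed by Kubernetes CRDs (no external database),
# users and groups looked up in an LDAP/AD directory. Placeholder values.
issuer: https://dex.example.com
storage:
  type: kubernetes
  config:
    inCluster: true
staticClients:
- id: kubernetes
  redirectURIs: ["http://localhost:8000/callback"]
  secret: REPLACE-WITH-RANDOM-SECRET
connectors:
- type: ldap
  id: ldap
  name: Corporate AD
  config:
    host: ldap.example.com:636
    bindDN: cn=dex-reader,ou=service,dc=example,dc=com
    bindPW: REPLACE-WITH-SERVICE-PASSWORD
    userSearch:
      baseDN: ou=people,dc=example,dc=com
      filter: "(objectClass=person)"
      username: sAMAccountName
      idAttr: DN
      emailAttr: mail
      nameAttr: cn
    groupSearch:
      baseDN: ou=groups,dc=example,dc=com
      filter: "(objectClass=group)"
      userMatchers:
      - userAttr: DN
        groupAttr: member
      nameAttr: cn
---
# kube-apiserver flags (added to its static pod manifest) that hand
# authentication to Dex and map ID-token claims to k8s user/group names:
#   --oidc-issuer-url=https://dex.example.com
#   --oidc-client-id=kubernetes
#   --oidc-username-claim=email
#   --oidc-groups-claim=groups
#   --oidc-groups-prefix=oidc:
# Authentication alone grants nothing; this binding is where the directory
# group "k8s-admins" (prefixed by the flag above) gets authorization.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: platform-admins
subjects:
- kind: Group
  name: oidc:k8s-admins
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```

When someone leaves the directory group, Dex stops issuing tokens carrying that claim, but the binding itself stays; that gap between the IdP's view and RBAC's subjects is the AuthN/AuthZ mismatch the thread mentions.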

That works too depending on your requirements. Either way, authentication is not a hard problem to solve.
LOL. You clearly haven't worked with SSO or anything a bit more complex. It's a pretty hard problem; there are even companies whose whole portfolio is around authentication only!