Getting ready

When a request arrives at the API server, the server first establishes a TLS connection, validating the client's certificate against the certificate authority (CA) configured in the API server. The CA on the API server is usually under /etc/kubernetes/, and the client's certificate is usually kept in $HOME/.kube/config. After the handshake, the request enters the authentication stage. Authentication in Kubernetes is chain-based: more than one authentication module can be enabled, and the API server tries the authenticators one by one until one succeeds. If the request fails every authentication module, it is rejected with HTTP 401 Unauthorized; otherwise, the authenticator that succeeded has verified the user's identity and the request is authenticated.

Next, the authorization modules come into play. They check, against a set of policies, whether the user has permission to perform the action they requested. Authorization modules are also consulted one by one, and, as with authentication, if every module rejects the request it is denied. If the user is allowed to make the request, it passes through the authentication and authorization modules and reaches the admission control modules. The request is then checked by the admission controllers in turn; if any admission controller rejects it, the request is refused immediately.
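The three stages above can be modelled as three ordered chains with different short-circuit rules: the first authenticator that recognises the credential wins, the first authorizer that reaches a decision wins, and every admission controller must accept. The following Python simulation is an added illustration of that sequence, not code from the Kubernetes project or from this book; the certificate subjects, static tokens, RBAC rules, namespaces and the two admission controllers are all constructed sample data that stand in for the real modules.

```python
"""Toy model of the Kubernetes API server request pipeline (illustration only).

The module order (authentication chain, then authorization chain, then
admission controllers) follows the description above; the credentials,
RBAC rules and namespaces below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Request:
    verb: str
    resource: str
    namespace: str = "default"
    client_cert_cn: Optional[str] = None   # CN from the TLS client certificate
    bearer_token: Optional[str] = None     # Authorization: Bearer <token>
    body: dict = field(default_factory=dict)


@dataclass
class UserInfo:
    name: str
    groups: List[str]


# --- Authentication: each module returns a UserInfo or None ("not my credential") ---
# Constructed stand-ins for certificate subjects signed by the cluster CA
# and for entries in a static token file.
CERT_USERS = {"kube-admin": UserInfo("kube-admin", ["system:masters"])}
TOKEN_USERS = {"tok-dev-123": UserInfo("dev", ["developers"])}


def x509_authenticator(req: Request) -> Optional[UserInfo]:
    return CERT_USERS.get(req.client_cert_cn)


def token_authenticator(req: Request) -> Optional[UserInfo]:
    return TOKEN_USERS.get(req.bearer_token)


AUTHENTICATORS = [x509_authenticator, token_authenticator]


def authenticate(req: Request) -> Optional[UserInfo]:
    """Try authenticators in order; the first success wins, all failures => None."""
    for module in AUTHENTICATORS:
        user = module(req)
        if user is not None:
            return user
    return None


# --- Authorization: each module returns "allow", "deny" or "no_opinion" ---
RBAC_RULES = [  # constructed: (group, verb, resource)
    ("developers", "get", "pods"),
    ("developers", "list", "pods"),
]


def superuser_authorizer(user: UserInfo, req: Request) -> str:
    return "allow" if "system:masters" in user.groups else "no_opinion"


def rbac_authorizer(user: UserInfo, req: Request) -> str:
    for group, verb, resource in RBAC_RULES:
        if group in user.groups and (verb, resource) == (req.verb, req.resource):
            return "allow"
    return "no_opinion"


AUTHORIZERS = [superuser_authorizer, rbac_authorizer]


def authorize(user: UserInfo, req: Request) -> bool:
    """Consult authorizers in order; the first allow/deny decides, no decision => denied."""
    for module in AUTHORIZERS:
        decision = module(user, req)
        if decision in ("allow", "deny"):
            return decision == "allow"
    return False


# --- Admission control: each controller returns an error message or None ---
NAMESPACES = {"default", "kube-system"}  # constructed


def namespace_lifecycle(req: Request) -> Optional[str]:
    if req.namespace not in NAMESPACES:
        return f"namespace {req.namespace!r} not found"
    return None


def deny_privileged(req: Request) -> Optional[str]:
    if req.verb == "create" and req.body.get("privileged"):
        return "privileged containers are not allowed"
    return None


ADMISSION_CONTROLLERS = [namespace_lifecycle, deny_privileged]


def handle(req: Request) -> Tuple[int, str]:
    """Run the request through all three stages and return an HTTP-like status."""
    user = authenticate(req)
    if user is None:
        return 401, "Unauthorized"
    if not authorize(user, req):
        return 403, f"Forbidden: {user.name} may not {req.verb} {req.resource}"
    for controller in ADMISSION_CONTROLLERS:  # every controller must accept
        err = controller(req)
        if err:
            return 400, f"admission denied by {controller.__name__}: {err}"
    return 200, f"OK ({user.name})"


if __name__ == "__main__":
    print(handle(Request("list", "pods", bearer_token="tok-dev-123")))
    print(handle(Request("create", "pods", bearer_token="tok-dev-123")))
    print(handle(Request("get", "pods", bearer_token="bogus")))
    print(handle(Request("create", "pods", client_cert_cn="kube-admin",
                         body={"privileged": True})))
```

Note that a superuser certificate still gets stopped by admission control: authorization answers "may this user do this?", while admission controllers enforce policy on the request itself, which is why a cluster admin creating a privileged pod is rejected at the last stage rather than waved through.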

The following diagram demonstrates this sequence:

Requests passing through a Kubernetes API server