Chapter 10: Security and Role-Based Access Control (RBAC) in Kubernetes

Leave a reply

Introduction to Kubernetes Security

Security in Kubernetes is critical for protecting your applications, data, and infrastructure. Kubernetes provides a range of tools and mechanisms to ensure a secure and robust environment, including Role-Based Access Control (RBAC), Network Policies, Pod Security Standards, and more.

Why is Security Important?

  1. Prevent Unauthorized Access: Ensure that only authorized users and services access resources.
  2. Protect Sensitive Data: Secure secrets and configurations.
  3. Minimize Attack Surface: Limit the scope of potential vulnerabilities.
  4. Compliance: Meet industry standards and regulations.

Key Security Concepts in Kubernetes

  1. Authentication: Verifying the identity of users or services.
  2. Authorization: Determining access permissions for authenticated users or services.
  3. RBAC: Fine-grained access control using roles and bindings.
  4. Secrets Management: Secure storage of sensitive data.
  5. Pod Security Standards (PSS): Guidelines for configuring Pods securely.

Step-by-Step Implementation

Step 1: Understanding Authentication

Kubernetes Authentication Mechanisms

  1. Client Certificates: Used by kubelets and users.
  2. Bearer Tokens: Service account tokens.
  3. External Authentication: OAuth2, LDAP, or custom webhook authenticators.

Verify current authentication methods:

kubectl config view

Authenticate using a token:

kubectl --token=<your-token> get pods

Step 2: Setting Up RBAC

RBAC allows you to define roles with specific permissions and bind them to users or service accounts.

RBAC Components

  1. Role: Defines permissions within a namespace.
  2. ClusterRole: Defines permissions cluster-wide.
  3. RoleBinding: Assigns a Role to a user or group in a namespace.
  4. ClusterRoleBinding: Assigns a ClusterRole to a user or group cluster-wide.

Example 1: Creating a Role

Create a Role YAML (role-example.yaml):

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

Apply the Role:

kubectl apply -f role-example.yaml

Example 2: Creating a RoleBinding

Create a RoleBinding YAML (rolebinding-example.yaml):

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Apply the RoleBinding:

kubectl apply -f rolebinding-example.yaml

Verify Access

Switch to the user jane and test:

kubectl auth can-i list pods --namespace=default

Example 3: Using a ClusterRole

ClusterRoles are useful for granting cluster-wide permissions.

Create a ClusterRole YAML (clusterrole-example.yaml):

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-admin-reader
rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: ["get", "list"]

Apply the ClusterRole:

kubectl apply -f clusterrole-example.yaml

Create a ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-all-cluster
subjects:
- kind: User
  name: admin
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin-reader
  apiGroup: rbac.authorization.k8s.io

Apply the ClusterRoleBinding:

kubectl apply -f clusterrolebinding-example.yaml

Step 3: Securing Secrets

Kubernetes Secrets store sensitive data such as passwords and tokens securely.

Create a Secret

kubectl create secret generic db-password --from-literal=password=supersecret

View the Secret (base64-encoded):

kubectl get secret db-password -o yaml

Decode the Secret:

echo "c3VwZXJzZWNyZXQ=" | base64 --decode

Use the Secret in a Pod:

apiVersion: v1
kind: Pod
metadata:
  name: db-app
spec:
  containers:
  - name: app
    image: nginx
    env:
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: db-password
          key: password

Step 4: Implementing Pod Security Standards (PSS)

Enforcing Pod Security

Use Kubernetes admission controllers or policies to enforce security.

Example Policy: Deny Privileged Containers

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
  fsGroup:
    rule: MustRunAs

Apply the policy:

kubectl apply -f psp-restricted.yaml

Monitoring and Troubleshooting Security

Audit Logs: Analyze cluster activity.

kubectl logs -n kube-system <audit-log-pod>

RBAC Diagnostics:

kubectl auth can-i --list

Check Unauthorized Access:

kubectl describe rolebinding <rolebinding-name>

Best Practices

  1. Follow Least Privilege Principle: Grant minimal permissions.
  2. Rotate Secrets Regularly: Avoid long-lived credentials.
  3. Enable Network Policies: Restrict Pod communication.
  4. Monitor User Actions: Use tools like Falco for real-time alerts.
  5. Review RBAC Rules: Periodically audit permissions.

Production Example: Secure a Multi-Tier Application

Scenario

Deploy a secure multi-tier web application with RBAC and secrets.

Deployment Example

  1. Frontend: Exposes a public endpoint.
  2. Backend: Access restricted via RBAC.

Apply an RBAC Role for the backend:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: backend
  name: backend-access
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]

Create the RoleBinding for the backend:

subjects:
- kind: ServiceAccount
  name: backend-sa
roleRef:
  kind: Role
  name: backend-access
  apiGroup: rbac.authorization.k8s.io

Conclusion

In this chapter, you learned:

  1. How to use RBAC to secure cluster resources.
  2. How to manage sensitive data with Secrets.
  3. How to enforce Pod Security Standards.

Leave a Reply