Kubernetes RBAC (Role-Based Access Control)
Role-Based Access Control (RBAC) is a critical Kubernetes feature that regulates access to cluster resources based on user roles. By defining who can do what, RBAC ensures a secure and controlled Kubernetes environment, aligning with the principle of least privilege.
In this article, we’ll explore the key concepts, components, and examples to understand how to implement RBAC in Kubernetes.
Key Concepts of RBAC
1. Subject
A subject represents the entity requesting access to the Kubernetes API. It can be:
- Users: Human or service accounts interacting with the cluster.
- Groups: Logical collections of users.
- Service Accounts: Accounts specifically for Pods to interact with the API server.
2. Role and ClusterRole
- Role: Defines permissions within a specific namespace.
- ClusterRole: Similar to a Role but applicable cluster-wide.
3. RoleBinding and ClusterRoleBinding
- RoleBinding: Associates a Role with a Subject within a namespace.
- ClusterRoleBinding: Associates a ClusterRole with a Subject at the cluster level.
RBAC API Group
RBAC resources belong to the rbac.authorization.k8s.io
API group. These resources include:
Role
ClusterRole
RoleBinding
ClusterRoleBinding
RBAC Workflow
- Create a Role or ClusterRole: Define the permissions for accessing resources.
- Create a RoleBinding or ClusterRoleBinding: Link the Role/ClusterRole to a Subject.
-
Verify Access: Use the
kubectl auth can-i
command to validate permissions.
Examples of RBAC
1. Create a Role
This Role allows a user to perform read-only actions (get, list, watch) on Pods in a namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
2. Create a RoleBinding
Bind the pod-reader
Role to a user named john
.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: pod-reader-binding
namespace: default
subjects:
- kind: User
name: john
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
3. Create a ClusterRole
This ClusterRole grants permissions to read Secrets cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: secret-reader
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
4. Create a ClusterRoleBinding
Bind the secret-reader
ClusterRole to a service account in the kube-system
namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: secret-reader-binding
subjects:
- kind: ServiceAccount
name: default
namespace: kube-system
roleRef:
kind: ClusterRole
name: secret-reader
apiGroup: rbac.authorization.k8s.io
Best Practices for Using RBAC
1. Principle of Least Privilege
- Assign the minimum required permissions to users and service accounts.
2. Use Namespaces for Isolation
- Scope Roles and RoleBindings to namespaces for better control.
3. Regularly Audit RBAC Policies
- Use tools like kubectl describe and kubectl auth can-i to verify RBAC configurations.
4. Prefer Role and RoleBinding Over ClusterRole and ClusterRoleBinding
- Limit permissions to specific namespaces unless cluster-wide access is necessary.
5. Restrict Default Service Accounts
- Disable the default service account in namespaces where it isn’t needed.
Verifying RBAC Configurations
Use the kubectl auth can-i
command to verify a user’s permissions.
Example:
kubectl auth can-i get pods --namespace=default
Output:
-
yes
: The user has the required permission. -
no
: The user lacks the required permission.
Common Use Cases
1. Read-Only Access to Resources
Grant a developer read-only access to Pods and Deployments.
2. Administrator Access
Provide cluster administrators full access to manage all resources.
3. Restricting Sensitive Resources
Limit access to Secrets and ConfigMaps to specific service accounts or roles.
RBAC Troubleshooting
- Permissions Denied: Check the Role, RoleBinding, or ClusterRoleBinding configuration.
-
Resource Misalignment: Ensure the
apiGroups
,resources
, andverbs
in the Role match the intended permissions.
Conclusion
RBAC is a foundational security feature in Kubernetes, enabling precise control over who can access what resources. By carefully defining Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings, you can ensure a secure and well-governed Kubernetes environment.