Kubernetes Security Concepts: Difference between revisions

From NovaOrdis Knowledge Base
Line 34: Line 34:
=Role Based Access Control (RBAC)=
=Role Based Access Control (RBAC)=


In Kubernetes, granting a role to an application-specific service account is a best practice to ensure that the application is operated in a specified scope.
{{Internal|Kubernetes Role Based Access Control Concepts|Kubernetes Role Based Access Control (RBAC) Concepts}}
 
<font color=darkgray>TODO:
* https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions
* https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/</font>
 
==Cluster Role==
 
==Cluster Role Binding==
<syntaxhighlight lang='yaml'>
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters
</syntaxhighlight>
 
==RBAC Operations==
 
* [[Kubernetes_RBAC_Operations#Assigning_a_Cluster_Role_to_a_Service_Account|Assigning a Cluster Role to a Service Account]]
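Review bot: the sentence added at "Line 34" recommends granting a role to an application-specific service account so the application runs in a specified scope, but the only binding shown on the page, under "Cluster Role Binding", is the bootstrap cluster-admin binding to the system:masters group, which is the least scoped grant possible and illustrates the opposite of the recommendation. Suggest following the new sentence with a namespaced Role and RoleBinding whose subject is the application's service account, e.g. `- kind: ServiceAccount`, `  name: <app-account>`, `  namespace: <app-namespace>` (ServiceAccount subjects carry `namespace:` rather than the `apiGroup:` shown for the Group subject), and stating that the grant should go to that dedicated account rather than to the namespace's default service account. The "Cluster Role" section is still empty and would be the natural place to explain when a cluster-wide role is justified versus a namespaced Role.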

Revision as of 18:48, 22 June 2020

Internal

Transport Security

Service Account

A service account provides an identity for processes that run in a pod. Pods that want to interact with the API Server authenticate with a particular service account. By default, in the absence of specific configuration, a pod authenticates as the default service account of the namespace it runs in. Service accounts are rendered in logs using the pattern "system:serviceaccount:namespace:account-name" (e.g. "system:serviceaccount:blue:default").

TODO:

Default Service Account

Each namespace comes with a default service account:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: default
secrets:
- name: default-token-dddkl
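The following manifests are an added example, not content from the original wiki page: they show the alternative to letting a pod run as the namespace's default service account, namely a dedicated service account bound to a namespaced Role that allows only read access to ConfigMaps. The namespace "blue", the account name "app-reader", the role and binding names, and the container image are assumptions chosen for the example.

```yaml
# Added example (not from the original page). All names below are assumed.
# Dedicated identity for one application in the "blue" namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-reader
  namespace: blue
# Do not mount the token by default; pods that need the API opt in below.
automountServiceAccountToken: false
---
# Role (not ClusterRole): permissions are confined to the "blue" namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-reader
  namespace: blue
rules:
- apiGroups: [""]                  # "" is the core API group, where ConfigMaps live
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]  # read-only; no create, update or delete
---
# Bind the Role to the service account. The subject is the application's
# own account, not "default", and carries namespace: instead of apiGroup:.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-reader-configmaps
  namespace: blue
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: configmap-reader
subjects:
- kind: ServiceAccount
  name: app-reader
  namespace: blue
---
# The pod runs as app-reader; the pod-level setting overrides the account-level
# automount default because this workload does talk to the API server.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: blue
spec:
  serviceAccountName: app-reader
  automountServiceAccountToken: true
  containers:
  - name: app
    image: registry.example/app:1.0   # placeholder image
```

Once applied with `kubectl apply -f`, the scope can be checked by impersonating the account with the identity string that appears in the logs: `kubectl auth can-i list configmaps -n blue --as=system:serviceaccount:blue:app-reader` should answer yes, while `kubectl auth can-i delete configmaps -n blue --as=system:serviceaccount:blue:app-reader` and any request against another namespace should answer no. The same check run against `system:serviceaccount:blue:default` shows what the pod would have been able to do had the dedicated account not been created.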

Service Account Operations

Role Based Access Control (RBAC)

Kubernetes Role Based Access Control (RBAC) Concepts