Kubernetes Security Concepts: Difference between revisions
Jump to navigation
Jump to search
| Line 43: | Line 43: | ||
==Cluster Role Binding== | ==Cluster Role Binding== | ||
== | ==RBAC Operations== | ||
* [[Kubernetes_RBAC_Operations#Assigning_a_Cluster_Role_to_a_Service_Account|Assigning a Cluster Role to a Service Account]] | |||
Revision as of 21:31, 11 September 2019
Internal
Transport Security
Service Account
A service account provides an identity for processes that run in a pod. Pods that want to interact with the API Server will authenticate with a particular service account. By default, in absence of specific configuration, the pods will authenticate as the default service account in the namespace they are running in.
TODO:
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
- https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
Default Service Account
Each namespace comes with a default service account:
apiVersion: v1 kind: ServiceAccount metadata: name: default namespace: default secrets: - name: default-token-dddkl
Service Account Operations
Role Based Access Control (RBAC)
In Kubernetes, granting a role to an application-specific service account is a best practice to ensure that the application is operated in a specified scope.
TODO:
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions
- https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/