Kubernetes Security Concepts
Revision as of 22:27, 11 September 2019
Internal
Transport Security
Service Account
A service account provides an identity for processes that run in a pod. A pod that talks to the API server authenticates as a particular service account, using the token the kubelet mounts into its containers. In the absence of specific configuration, a pod authenticates as the "default" service account of the namespace it runs in. Service accounts appear in logs and as RBAC subjects using the pattern "system:serviceaccount:<namespace>:<account-name>" (e.g. "system:serviceaccount:blue:default").
TODO:
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
- https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
Default Service Account
Each namespace comes with a default service account:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: default
secrets:
- name: default-token-dddkl
Service Account Operations
Role Based Access Control (RBAC)
In Kubernetes, creating an application-specific service account and binding it to a Role limited to the resources the application actually uses is a best practice: it keeps the application operating within a specified scope, and it avoids attaching permissions to the namespace's "default" service account, which every pod without an explicit serviceAccountName shares.
TODO:
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions
- https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/
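The following manifests are an added example, not part of the original page, tying together the two points above: the shared "default" service account is told not to hand a token to pods that did not ask for one, and the application gets its own service account bound to a namespaced Role. The namespace "blue", the application name "inventory", the ConfigMap name "inventory-config" and the image reference are all assumptions made for the example.

```yaml
# Added example (not from the original page): a dedicated service account for
# one application, bound to a namespaced Role that grants only what it needs.
# Namespace "blue", the "inventory" names and the image are assumptions.
---
# 1. Stop the namespace's shared "default" account from mounting a token into
#    every pod that does not name a service account explicitly.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: blue
automountServiceAccountToken: false
---
# 2. Application-specific identity; it appears in audit logs as
#    system:serviceaccount:blue:inventory
apiVersion: v1
kind: ServiceAccount
metadata:
  name: inventory
  namespace: blue
---
# 3. Role scoped to one namespace and, via resourceNames, to one ConfigMap.
#    "get" is the only verb the application needs; list/create/update are not
#    granted, and resourceNames cannot constrain "list" anyway.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: inventory-config-reader
  namespace: blue
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["inventory-config"]
  verbs: ["get"]
---
# 4. A RoleBinding (not a ClusterRoleBinding) ties the Role to the service
#    account, so the grant cannot apply outside namespace "blue".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: inventory-config-reader
  namespace: blue
subjects:
- kind: ServiceAccount
  name: inventory
  namespace: blue
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: inventory-config-reader
---
# 5. The pod opts in to the dedicated identity. Its token is mounted because
#    the "inventory" account still automounts; pods left on "default" get none.
apiVersion: v1
kind: Pod
metadata:
  name: inventory
  namespace: blue
spec:
  serviceAccountName: inventory
  containers:
  - name: app
    image: registry.example.com/inventory:1.0   # assumed image
```

After applying the manifests, check the scope from the API server's point of view by impersonating the service account: `kubectl auth can-i get configmaps/inventory-config -n blue --as=system:serviceaccount:blue:inventory` should answer "yes", while `kubectl auth can-i create pods -n blue --as=system:serviceaccount:blue:inventory` and the same "get" against a different namespace should answer "no". A pod in "blue" that does not set serviceAccountName still runs as "default", but it no longer receives a token it could use against the API server.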
Cluster Role
Cluster Role Binding

The default "cluster-admin" ClusterRoleBinding, created at bootstrap, grants the cluster-admin ClusterRole to every member of the system:masters group:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters

Two properties of this binding matter for hardening. The autoupdate annotation means the API server reconciles it back into place on every start, so deleting or trimming it does not stick. More importantly, system:masters is also treated as a privileged group by the API server itself, ahead of RBAC, so a client certificate issued with O=system:masters (the kind kubeadm places in admin.conf) keeps superuser access regardless of what the RBAC objects say; since Kubernetes has no certificate revocation, the only way to withdraw such a credential is to rotate the cluster CA. Day-to-day administrators should therefore use identities that receive cluster-admin (or less) through an explicit, revocable binding rather than membership in system:masters.