Role based access control (RBAC) is a native feature in Kubernetes integrated directly into the Kubernetes API. Cluster administrators use Kubernetes RBAC to enable fine grained management of user privileges within a Kubernetes cluster. With Kubernetes RBAC, administrators can regulate access to the Kubernetes API and Kubernetes cluster resources based on the roles assigned to users, groups, and service accounts.
Kubernetes RBAC Defined
Kubernetes role-based access control (RBAC) is a method for regulating access to computer or network resources based on the roles of individual users within an organization. In Kubernetes, RBAC enforces granular permission policies, determining who can access which resources and what operations they can perform. It maps users to roles, and roles to sets of permissions.
Kubernetes RBAC is critical for maintaining the security and integrity of a cluster. By implementing RBAC, organizations ensure that only authorized individuals have access to sensitive operations, reducing the risk of accidental or malicious alterations to the cluster’s state. It also helps comply with the principle of least privilege, providing only the access necessary for users to perform their jobs.
Why Is RBAC Important for Kubernetes Security?
RBAC plays a central role in Kubernetes security, as it provides a framework for managing user permissions within a Kubernetes cluster. Effectively implementing Kubernetes RBAC rules prevents unauthorized users from performing sensitive operations that could compromise the cluster's security, such as deploying applications, accessing data, or modifying the cluster level configuration.
Cluster admins can build access control rules by defining specific default roles with associated permissions and binding these roles to users or service accounts. RBAC policies can be defined according to the needs and responsibilities of different users and applications within the Kubernetes cluster.
Let’s look at several areas that highlight the importance of Kubernetes RBAC for securely managing permissions.
Enforcement of the Principle of Least Privilege
Kubernetes RBAC enforces the principle of least privilege to ensure that human users, services, applications, and connected devices have the minimum permissions needed to perform their duties. Enforcing the principle of least privilege minimizes potential damage from accidental or malicious actions, limiting cluster exposure.
Enhanced Operational Efficiency
By automating access control decisions based on predefined roles, Kubernetes RBAC reduces the administrative overhead associated with managing user permissions.
Fine Grained Access Control
Kubernetes RBAC allows for detailed and specific access control policies. Administrators can define fine-grained RBAC roles with permissions tailored to different users' or services' needs and manage complex permission structures across diverse teams and applications.
Improved Security Posture
By restricting access to cluster resources and reducing the attack surface, Kubernetes RBAC prevents unauthorized access and privilege escalation cluster wide.
Scalability and Flexibility
As Kubernetes environments grow, RBAC scales to manage access across an increasing number of users, applications, and resources. It provides the flexibility needed to adapt permissions quickly as RBAC roles change within an organization securely.
Separation of Duties
Within teams, Kubernetes RBAC supports the separation of duties and limits access only to the resources necessary for specific roles. This separation helps prevent conflicts of interest and reduces the risk of unauthorized changes or data breaches.
Support for Audits and Compliance
Kubernetes RBAC facilitates compliance with internal and external security policies and regulations by strictly managing who has access to what. It also simplifies auditing by monitoring and recording access. This makes it easier to verify that security policies are correctly enforced and provide related reports for audits.
RBAC Roles and Permissions in Kubernetes
RBAC roles and permissions in Kubernetes can be divided into two types — Role and ClusterRole.
Role
In Kubernetes RBAC, Role defines permissions and grants access to resources such as pods, services, Secrets, and deployments. Kubernetes RBAC policies can be applied at the namespace level using Roles to allow a cluster admin to assign permissions (e.g., reading, writing, creating, or deleting) specific to resources within a namespace. Broad categories of roles include:
- Administrative roles manage resources and permissions within a namespace or across the entire cluster, such as creating or deleting any resource within the cluster.
- Auditing roles view but cannot alter resources and configurations within the cluster, such as access and list resources across namespaces or the entire cluster.
- Developer roles create and manage applications and services within their designated areas without affecting the rest of the cluster (typically limited to a specific namespace).
- Operational roles view and manage the operation of existing resources, such as deploying new versions of applications or scaling services (without full administrative permissions).
ClusterRole
Unlike Roles, which are limited to a specific namespace, ClusterRoles allow cluster admins to grant permissions across the entire cluster. ClusterRoles are used to assign permissions that are applicable cluster wide, such as permissions for activities that span multiple namespaces or for resources that are not namespace specific (e.g., nodes).
Kubernetes RBAC Role Bindings
Both Roles and ClusterRoles can be bound to users, groups, or service accounts using RoleBindings and ClusterRoleBindings.
RoleBinding
RoleBindings are used to grant the permissions defined in a Role to a user, group, or service account within a specific namespace.
ClusterRoleBinding
ClusterRoleBindings grant the permissions defined in a ClusterRole across the entire cluster. This means that if a ClusterRole is bound to a user, group, or service account using a ClusterRoleBinding, they will have the permissions defined in that ClusterRole in all namespaces. ClusterRoleBinding allows admins to grant cluster wide (non namespaced) permissions to specific users.
roleRef
In Kubernetes RBAC, the roleRef field is a critical component of RoleBinding and ClusterRoleBinding objects. It specifies the role that the binding grants permissions to the subjects (e.g., users, groups, or service accounts) listed in the binding. This defines what actions the subjects can perform and on which resources, based on the permissions defined in the referred role.
Types of Access and Permissions in Kubernetes RBAC
With Kubernetes RBAC, permissions are defined by combining verbs. Permissions in Kubernetes RBAC are granular, and administrators can combine these verbs with resources and resource names to define specific types based on their intended use and scope. The following examples of verbs used to define permissions securely in Kubernetes RBAC are based on the actions they allow:
- Create a new instance of a resource
- Delete deletion of a resource.
- DeleteCollection of resources
- Get a specific instance of a resource.
- List all instances of a resource (i.e., read only access).
- Patch a resource.
- Update an existing instance of a resource.
- Watch for changes to a resource in real time.
How Kubernetes RBAC Works
Defining Resources
In Kubernetes, RBAC resources are defined using the apiVersion (e.g., v1 kind). Within the apiVersion, RBAC resources that can be defined to manage access control in a Kubernetes cluster are Role, ClusterRole, RoleBindings, and ClusterRoleBindings.
Configuring Policies
In Kubernetes, RBAC policies are configured using roles and role bindings. When defining an RBAC Role or ClusterRole, the Role metadata and ClusterRole metadata fields (e.g., namespace: default, name: pod reader) are crucial as they provide information about the role, including its name, namespace, labels, and annotations.
Custom roles can be created to tailor access permissions to specific needs beyond the default roles provided by Kubernetes. These roles can be created using Role or ClusterRole objects and specifying the verbs allowed on resources. Custom roles allow administrators to define specific permissions tailored to the needs of their users or applications.
Cross-Namespace Access Control
Cross-namespace access control can be achieved with ClusterRole and ClusterRoleBinding, granting permissions across multiple namespaces. This is often used for service accounts or users that need to access resources in different namespaces.
Designing Complex Access Policies
Complex access policies can be designed by combining multiple Role or ClusterRole objects with RoleBinding or ClusterRoleBinding objects. These RBAC policies can include various resources and actions to provide fine grained access control that aligns with broader security requirements.
Integration with Corporate Security Policies
Kubernetes RBAC can be integrated with corporate security policies to align access controls within the Kubernetes environment with broader organizational security standards. This includes mapping corporate roles and permissions to Kubernetes RBAC roles and bindings to enforce consistent security postures across all platforms. This integration requires identifying the minimum necessary privileges for each role within the organization and translating these into Kubernetes RBAC policies that govern access to resources.
Leveraging External Identity Providers
Kubernetes RBAC can be extended by integrating with external identity providers to manage Kubernetes cluster access more efficiently and securely. This approach allows for the centralization of user authentication, enabling unified access control policies across different platforms and services.
Leveraging external identity providers also simplifies the process of onboarding and offboarding users, as permissions can be managed from a single location.
Multitenancy
Multi-tenancy in Kubernetes can be managed by leveraging RBAC to isolate tenants and control their access to resources. This is done by assigning tenants different namespaces and creating Roles and Role Bindings within those namespaces.
Using Service Accounts
In Kubernetes, a ServiceAccount is a special kind of account that can be automatically created by Kubernetes or manually created by a user for processes running in pods. It provides an identity for carrying out actions against the Kubernetes API version. The ServiceAccount name uniquely identifies it within a namespace. An example of a ServiceAccount name in a YAML file is my-service-account.
Synchronization with External User Groups
External user groups can be synchronized with Kubernetes RBAC to streamline and secure access management within Kubernetes environments. By integrating external user directories with Kubernetes, administrators can automate the process of mapping external group memberships to roles within Kubernetes RBAC. This synchronization ensures that users' access rights in Kubernetes are consistent with their organizational roles.
The Role of RBAC in Kubernetes Authorization
While Kubernetes RBAC does not include provisioning and authenticating user accounts, it does provide authorization capabilities that govern what users can do in a Kubernetes cluster. In Kubernetes, the authorization mode RBAC is a method used to regulate access to resources within the cluster. It allows administrators to dynamically configure policies through the Kubernetes API to control users’ access to resources and what actions can be performed.
Permissions are granted to identities that are managed with Roles and ClusterRoles, which include associated access policies. A Kubernetes RBAC policy consists of the following.
- Roles and ClusterRoles
- RoleBindings and ClusterRoleBindings
- Subjects: Human users, groups, service accounts, or connected devices (things)
- APIgroups: A collection of related functionalities that group resources and operations
- Resources” Objects or entities within the groups to apply permissions to, such as namespaces, pods, services, or deployments
- Verbs or commands: Actions that can be performed on resources, such as get, list, delete, describe, or patch (e.g., kubectl get roles or kubectl auth can-i create pods)
Authorization Flow with Kubernetes RBAC
When a Kubernetes API server (kube apiserver) receives a request from a person, serviceaccount, or connected device (thing), the request follows this flow.
- Authentication: The access management tool determines if the requestor has the correct credentials to access the API server.
- Authorization: The requestor is assessed to determine what privileges they have or what they are allowed to do across the entire cluster.
- Admission control: Based on established parameters and policies, a determination is made as to whether the presented workload can be scheduled in the Kubernetes cluster.
Authorization Flow with Cloud IAM and Kubernetes RBAC
When used in conjunction with a Cloud IAM, Kubernetes RBAC comes into play at the end of the process. Kubernetes RBAC focuses on controlling interactions specifically within Kubernetes resources according to RBAC roles. The flow for this is as follows.
- The requestor presents a Cloud IAM token and authenticates.
- The requestor declares the desired action (e.g., kubectl get pods all namespaces), and the request is presented to the Kubernetes API server.
- The Kubernetes API server passes the Cloud IAM token to the authenticator server to determine whether the Cloud IAM token is valid.
- The IAM Identity uses configmaps to translate the IAM Identity into a Kubernetes subject.
- The Kubernetes subject is then passed back to the API server and combined with the original request (e.g., kubectl get pods all namespaces).
- Kubernetes RBAC responds to whether or not the user account can take the desired action.
Common RBAC Permissions Risks and Vulnerabilities
Duplicate Roles
Many roles can grant similar privileges in different ways. This creates challenges when a privilege needs to be revoked, as it can be difficult to ascertain which roles are applicable.
Failure to Review and Adjust Default Settings
RBAC in Kubernetes comes with default settings that result in excessive permissions. For example, the bindings in the system:unauthenticated group allows an anonymous user to contact the API server through the network. Also, the automountServiceAccountToken setting is set to mount service account tokens by default.
Overpermissioning with Workload Creation
It is possible to over permission via the permission to create workloads in a namespace, which carries with it permissions to Secrets, ConfigMaps, PersistentVolumes (see below), or even API access levels for any service account in a namespace. This can further lead to privilege escalation.
Persistent Volumes
Granting unrestricted access to create a persistent volume in Kubernetes allows for the creation of hostPath volumes that give the pod access to the host filesystem on its node. This means it could then escalate privileges across that node.
Proxy Subresource
If rights are granted to the proxy sub-resource of node objects, every node they have rights to opens an opportunity for command execution. These rights provide direct access to the Kubelet API, bypassing audit logging and admission controls.
Role Aggregation
Role aggregation can lead to several issues, including role explosion and overly permissive access. Role explosion results from a large number of roles becoming cumbersome and difficult to manage. Overly permissive access happens when roles accumulate more privileges than necessary. Role aggregation also complicates the audit process and the ability to clearly understand each role's access rights.
Unused and Missing Roles
Roles with missing subjects make it more difficult to keep track of which users should have access to what. Role bindings that reference non-existent roles can lead to overpermissioning if the same role name is used in the future but attached to a different set of permissions.
Kubernetes RBAC Best Practices and Recommendations
Assign Permissions at the Namespace Level
Assign permissions at the namespace level where possible, using RoleBindings as opposed to ClusterRoleBindings to give users rights only within a specific namespace.
Automate RBAC Policy Management and Deployment
Automate Kubernetes RBAC policy management and deployment across clusters. Automation tools and scripts can streamline the creation, updating, and removal of RBAC roles, role bindings, and cluster role bindings, ensuring that access controls are dynamically adjusted to meet evolving operational needs and security standards.
Embed RBAC Policies into DevSecOps Practices
Incorporate RBAC into the DevSecOps practices to bolster security throughout the software development life cycle. This should include defining clear roles and responsibilities within the continuous integration/continuous deployment (CI/CD) pipeline to ensure that only authorized personnel have access to specific resources. It is also important to regularly review and update access permissions to adapt to evolving project needs and personnel changes.
Follow the Principle Least Privilege Principle
Enforce the principle of least privilege, giving users the minimum permissions necessary to perform their specific roles or tasks. Start by carefully defining roles and permissions based on functions, ensuring that access is as restrictive as possible while still allowing for operational efficiency. Regularly review and adjust roles and role bindings based on changes in responsibilities or security policies. Use namespace specific roles to limit access within a Kubernetes cluster. Additionally, continuously monitor and audit role usage and permissions to identify and remediate noncompliance with the principle of least privilege.
Limit Use of Wildcard Permissions
Avoid providing wildcard permissions, especially to all resources, because this permission applies to existing object types in the cluster as well as all object types created in the future.
Minimize Distribution of Privileged Tokens
Limit the distribution of privileged tokens in Kubernetes by using short-lived tokens where possible, leveraging Kubernetes service accounts for automated tasks instead of distributing user tokens, and assigning the least privilege necessary for each account's duties. In addition, regularly audit token usage and permissions, revoking and rotating tokens that are no longer needed or that pose a security risk.
Review and Prune Roles and Bindings
Establish a routine schedule for reviews to identify unused or overly permissive roles and bindings. Document changes and maintain version control of RBAC policies aid in tracking modifications and enhancing accountability within the Kubernetes cluster.
Watch for These Verbs
- Escalate allows a user to escalate their privileges.
- Bind allows a user to create bindings to roles with additional rights that they do not already have.
- Impersonate allows users to impersonate other users in the cluster and gain their rights.
Kubernetes and RBAC FAQ