Securing RBAC Permissions
Role-Based Access Control (RBAC) defines how users and workloads interact with Kubernetes resources. If misconfigured, attackers can escalate privileges, access sensitive data, and take control of the cluster. Proper RBAC security enforces the principle of least privilege and minimizes attack vectors.
1. Enforce the Principle of Least Privilege
Required knowledge for the CKS certification.
RBAC should grant only the necessary permissions required for a user or workload.
Secure Role Example
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: production
name: read-only-role
rules:
- apiGroups: [""]
resources: ["pods", "services"]
verbs: ["get", "list"]
Why It Matters
- Prevents users from modifying critical resources.
- Reduces potential damage from compromised credentials.
2. Avoid Wildcard Permissions
Required knowledge for the CKS certification.
Using '*' for API groups, resources, or verbs grants unrestricted access, leading to security risks.
Insecure Role (AVOID)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: insecure-role
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
Secure Alternative (Restrictive Scope)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: limited-role
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
Why It Matters
- Prevents users from gaining excessive privileges.
- Limits scope of permissions to only required actions.
3. Restrict Cluster-Wide Privileges
Required knowledge for the CKS certification.
Cluster-wide roles (ClusterRole) should be limited to essential users and services.
Secure ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: read-only-binding
subjects:
- kind: User
name: readonly-user
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: read-only-role
apiGroup: rbac.authorization.k8s.io
Why It Matters
- Prevents unnecessary global access.
- Ensures users operate within appropriate namespaces.
4. Use RBAC Audit Logs to Detect Misuse
Enable audit logs to monitor RBAC activity and detect unauthorized access.
Enable API Server Auditing
Edit the Kubernetes API server configuration:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
users: ["system:anonymous"]
verbs: ["get", "list"]
resources: ["pods"]
Why It Matters
- Detects unauthorized access attempts.
- Provides visibility into RBAC changes.
5. Use Service Accounts for Automated Workloads
Required knowledge for the CKS certification.
Workloads should use dedicated service accounts with restricted permissions.
Secure Service Account Usage
apiVersion: v1
kind: ServiceAccount
metadata:
name: limited-sa
namespace: default
Why It Matters
- Prevents workloads from running as
defaultservice account. - Minimizes risk if a compromised pod attempts privilege escalation.
Conclusion
RBAC misconfigurations open doors for attackers to escalate privileges and compromise Kubernetes clusters. Following best practices—principle of least privilege, avoiding wildcards, restricting cluster-wide privileges, auditing access, and using service accounts—ensures a secure RBAC model.