Teleport Blog - Practical Tips for Organizing Kubernetes RBAC - Apr 21, 2022
Practical Tips for Organizing Kubernetes RBAC
Kubernetes supports several authorization methods, but the best-known and one of the most versatile is RBAC. Role-based access control implements a mechanism for restricting and controlling user access to resources of a system by using roles attached to users.
Implementing role-based access rather than profile-based access allows you to share these roles with multiple users, distributing the permissions across the cluster, which solves the problem of everyone having the same degree of access in all namespaces.
In this article, you will learn more about RBAC and how best to implement for your Kubernetes projects.
What is RBAC?
Role-based access control (RBAC) is a model of granular access. In the Kubernetes context, it is a way to restrict access to Kubernetes resources according to roles assigned to the users within a cluster. You can use the Kubernetes API to dynamically configure cluster-wide RBAC authorization policies with the
rbac.authorization.k8s.io API group.
RBAC works by limiting access to cluster resources through four Kubernetes resources:
The basis of all RBAC access policies is a native object called a
Roles are a set of rules that define access to resources and can be applied to multiple users.
ClusterRoles are access rules for one or more resources; however, while the
Role object is limited to its own namespace, the
ClusterRole is applied to the entire cluster regardless of the namespace.
Roles need to be set in a particular namespace when you create them, while
ClusterRoles do not need a namespace because they are above this separation.
ClusterRoles are permission definitions. These definitions need to be applied to users through other “sister” objects called
Bindings allow you to configure access for both individual subjects and user groups, granting these entities permissions defined on
ClusterRoles. In addition, you can also guarantee access to a
The differences between the two are basically the same as for
RoleBinding can be applied to either a
Role or a
ClusterRole— although when done this way, it will only apply the
ClusterRole rules to the namespace to which that
RoleBinding belongs — while a
ClusterRoleBinding can only be applied to a
All bindings need a reference to an existing
RoleBindings can only reference
ClusterRoleBindings can reference any
ClusterRoles. This post will focus on securing the Kubernetes API. You’ll also want to make sure you have appropriate access controls when accessing the underlying Kubernetes nodes.
Use cases for RBAC
There are multiple ways you can make use of RBAC in your Kubernetes projects.
- Integration with existing enterprise solutions like SSO. The RBAC system manages access to resources through a centrally managed directory of roles, which enables users to authenticate their identities and gain access to resources within a pod, usually through a single sign-on (SSO) solution.
- Granular control over who has what access in your cluster. RBAC allows you to control which members of your organization can access your Kubernetes cluster and what level of access they have to different aspects of your project. This granular control ensures that team members only have access to the specific resources they need.
- Minimized security risks. Maintaining security when using Kubernetes can be problematic, which is one of the main reasons why some organizations don’t adopt the platform. RBAC restricts access to particular resources in a cluster, which helps prevent loopholes and minimizes security risks.
Using RBAC in Kubernetes with minikube
Most clusters come with RBAC enabled by default. You can also start a new kube-apiserver with the flag
-authorization-mode=RBAC if you’re using manual clusters. If you’re using Azure, you can enable RBAC on an AKS cluster directly from the portal.
To use RBAC in Kubernetes, you’ll first need to create a user. For that, you’ll use an X509 certificate. Why a certificate instead of JWT tokens? JWT tokens are for external services or users who are temporary, whereas certificate authentication is preferred for internal services. This certificate is signed by the cluster CA and allows the user to authenticate to the API using this validation; in other words, Kubernetes verifies that the request is authenticated with the certificate’s key. If yes, it is a trusted user since only the cluster can issue such a certificate.
Create a client certificate
In order to create a certificate, you will first have to create a key and a certificate signing request (CSR). To do this, you need to create a directory inside your pod to hold the certificates. Below we'll show you how to create a client certificate when using minikube.
mkdir cert && cd cert
The next step will be to create a key inside your directory using OpenSSL and CSR. Once you have the key and crt, you can create a user using the certificate.
openssl genrsa -out developer.key 2048 openssl req -new -key developer.key -out developer.csr -subj /CN=developer/O=devs
Move the .csr and .key to the minikube directory:
cd ~/.minikube ls
The final step involves generating the certificate, which will be valid for five hundred days (you have to renew it after that).
curl -CAkey ~/.minikube/ca.key -CAcreateserial -out developer.crt -days 500 https://`minikube ip`:8443/api/
Create a user
Kubernetes offers various ways to create users, including setting up a user input in kubeconfig and setting up a context entry, which you can do using the commands below:
kubectl config set-credentials developer -- client-certificate = developer.crt -- client-key = developer.key kubectl config set-context dev-context -- cluster = minikube -- user = developer
To determine whether the user was successfully added to kubeconfig, you can use the command
kubectl config view.
Create a role
The next step is to create a role object, we'll create a new yaml file called
role.yaml. This will define what resources can be accessed and what operations can be used.
# role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: default name: pod-reader rules: - apiGroups: [""] # “” indicates the core API group resources: ["pods"] verbs: ["get", "watch", "list"] Resources: pod, deployment, namespace, service… Verbs: get, list, watch, create, edit, exec.
Create a RoleBinding
You need to match the developer user with the previously created role named
pod-reader. To do that, you need to create a
RoleBinding by declaring it in a yaml file called role-binding.yaml.
# role-binding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: read-pods namespace: default subjects: - kind: User name: developer apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: pod-reader apiGroup: rbac.authorization.k8s.io
Next, you must apply
role-binding.yaml in Kubernetes:
kubectl config use-context minikube kubectl apply -f role.yaml kubectl apply -f role-binding.yaml
Since Kubernetes permissions are additive, you can apply multiple roles to a user. After creating the role and Role Binding, create a new user and apply the role to the user. After the user is created, you can use the
kubectl command line tool to access the pods.
kubectl auth can-i will show you the permissions of the user.
kubectl config use-context dev-context kubectl auth can-i create pods kubectl create namespace ns-test #forbidden
Best practices for implementing RBAC in Kubernetes
You have learned the basics of how to implement RBAC in Kubernetes, but for this method to be effective, you should follow industry best practices. These include the following:
- Enforce least privilege. RBAC is most effective when Kubernetes administrators follow the principle of least privilege, which means that each user receives only the privileges necessary to conduct their job.
- Continuously revise RBAC strategy as needed. Your strategy and policies will determine the effectiveness of RBAC in Kubernetes. An important part of RBAC policy is assigning roles and giving permission accordingly, but team members’ roles within an organization can change. It’s critical to continuously update your RBAC strategy and adapt it to changing roles so that users aren’t left with more permissions than they need.
- Do not create too many roles. If you have too many roles and the definitions of those roles are too specific or obscure, they will be difficult to manage. The best practice is to create a manageable number of roles and make them generic enough to reuse them.
- Map RBAC roles to a central identity provider. To effectively manage roles, you need to regulate them. You should map RBAC roles to a central identity provider such as a privileged identity manager or, as in the case of Azure, a mandatory access control.
- Implement RBAC in stages. Implementing RBAC policies all at once can be difficult. To implement RBAC effectively, you should try to do so in stages, starting with a few roles and slowly increasing the granularity.
Issues to avoid
There are certain challenges that you need to watch out for to ensure the success of your RBAC strategy:
- If left unchecked, users with create pod permissions can easily escalate their permissions by mapping service accounts to their pods, which allows them to access unauthorized resources.
- The impersonate verb can be used to get full control over a cluster, which is why you should map RBAC roles to a central identity provider.
- If a user can edit their own role, they can give themselves arbitrary permissions that can cause security and compliance issues.
- Unused or duplicated roles can increase complexity and make it more difficult to manage pod permissions.
- If you are creating individual roles, then a large number of users can increase the complexity of RBAC.
RBAC is a useful solution to grant access rights depending on user roles, which helps in the effective management of resources within a cluster in Kubernetes. A clearly developed RBAC strategy can also help with security and compliance issues.
However, remember that RBAC loses its effectiveness if you don’t implement a proper strategy for creating and updating roles. If you follow the above best practices and regularly review the set roles in your organization, your RBAC strategy will be better positioned for success. If you’re using a cloud provider, they’ll often provide out-of-box RBAC recommendations. For AWS EKS review their documentation or the Kubernetes documentation if running Kubernetes yourself.
If you want to protect your apps hosted in Kubernetes, we recommend checking out Teleport Kubernetes Access.
Stay up-to-date with the newest Teleport releases by subscribing to our monthly updates.