Kubernetes RBAC and Authentication
Best practices for implementing RBAC and Authentication in Kubernetes
Kubernetes RBAC and Authentication
Role-Based Access Control (RBAC) and Authentication are crucial for Kubernetes security. This guide covers essential practices for implementing them effectively.
Video Tutorial
Learn more about Kubernetes RBAC and Authentication in this comprehensive video tutorial:
Prerequisites
- Basic understanding of Kubernetes
- Access to a Kubernetes cluster
- kubectl CLI tool installed
- Familiarity with security concepts
Project Structure
.
├── rbac/
│ ├── roles/ # Role definitions
│ ├── bindings/ # Role bindings
│ ├── users/ # User configurations
│ └── groups/ # Group configurations
└── auth/
├── providers/ # Auth providers
└── policies/ # Auth policiesRBAC Configuration
1. Role Definition
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get"]2. ClusterRole Definition
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: secret-reader
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list"]
resourceNames: ["app-secret"]Role Bindings
1. RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: default
subjects:
- kind: User
name: jane
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io2. ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: secret-global
subjects:
- kind: Group
name: system:authenticated
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: secret-reader
apiGroup: rbac.authorization.k8s.ioAuthentication Setup
1. Service Account
apiVersion: v1
kind: ServiceAccount
metadata:
name: app-service-account
namespace: default
automountServiceAccountToken: false2. Token Configuration
apiVersion: v1
kind: Secret
metadata:
name: app-service-account-token
annotations:
kubernetes.io/service-account.name: app-service-account
type: kubernetes.io/service-account-tokenAuthorization Policies
1. Pod Security Policy
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted
spec:
privileged: false
seLinux:
rule: RunAsAny
runAsUser:
rule: MustRunAsNonRoot
fsGroup:
rule: RunAsAny
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'persistentVolumeClaim'2. Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-allow
spec:
podSelector:
matchLabels:
app: api
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
role: frontend
ports:
- protocol: TCP
port: 80Authentication Methods
1. OpenID Connect
apiVersion: v1
kind: Config
clusters:
- cluster:
certificate-authority-data: DATA
server: https://api.k8s.cluster
name: kubernetes
users:
- name: oidc-user
user:
auth-provider:
config:
client-id: kubernetes
client-secret: secret
id-token: token
idp-issuer-url: https://accounts.google.com
refresh-token: refresh-token
name: oidc2. Certificate Authentication
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: john
spec:
request: $(cat john.csr | base64 | tr -d '\n')
signerName: kubernetes.io/kube-apiserver-client
usages:
- client authBest Practices Checklist
- ✅ Implement least privilege
- ✅ Use service accounts
- ✅ Configure RBAC
- ✅ Enable audit logging
- ✅ Regular access reviews
- ✅ Token rotation
- ✅ Certificate management
- ✅ Authentication policies
- ✅ Network policies
- ✅ Documentation
Access Patterns
Namespace-scoped
- Limited access
- Resource quotas
- Network isolation
- Audit requirements
Cluster-wide
- Admin access
- Monitoring
- Security policies
- Infrastructure management
Service Account
- Application access
- API authentication
- Automated processes
- CI/CD pipelines
Common Pitfalls
- ❌ Over-privileged access
- ❌ Missing network policies
- ❌ Static credentials
- ❌ Poor documentation
- ❌ Insufficient monitoring
Monitoring Setup
1. Audit Policy
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
resources:
- group: ""
resources: ["secrets", "configmaps"]
- level: RequestResponse
resources:
- group: "rbac.authorization.k8s.io"
resources: ["roles", "clusterroles"]2. Alert Configuration
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: rbac-alerts
spec:
groups:
- name: rbac
rules:
- alert: UnauthorizedAccess
expr: rate(apiserver_request_total{code="403"}[5m]) > 10
for: 5m
labels:
severity: warningAccess Review
1. Access Check
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
user: jane
resourceAttributes:
namespace: default
verb: get
group: ""
resource: pods2. Role Review
apiVersion: authorization.k8s.io/v1
kind: SelfSubjectRulesReview
spec:
namespace: defaultSecurity Context
1. Pod Security Context
apiVersion: v1
kind: Pod
metadata:
name: secure-pod
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 2000
containers:
- name: app
image: app:latest
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true2. Container Security Context
apiVersion: v1
kind: Pod
metadata:
name: restricted-pod
spec:
containers:
- name: app
image: app:latest
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
runAsNonRoot: true
readOnlyRootFilesystem: trueConclusion
Implementing these RBAC and Authentication practices ensures secure access control in your Kubernetes clusters. Regular reviews and updates are essential for maintaining security.