Configuring RBAC in Kubernetes

I think we all know the value of securing our Kubernetes cluster using RBAC, and keeping intruders from gaining access to the Kubernetes API. But if the default, out of the box, RBAC experience isn’t fine grained enough for you, or if you just want to learn more about how Kubernetes RBAC works and what options are out there, this issue is for you. We’ve collected some of the latest and most interesting blogs, tutorials, and tools (OSS of course) that can help you lock down the RBAC policies in your cluster.

Issue #142

Here’s a detailed explanation of how to use the Kubernetes Authorization Webhook and (probably) OPA to implement your own customer authorization control by writing rego policies. This is a great tutorial that shows how the authorization webhook works, and what you’ll need to know to get started. While this is going to target using OPA for policies, and that’s a great solution, the information in this post is relevant for any type of custom solution for RBAC decisions that you might want. 📋

A lot of us are using Okta, and if you are reading this then most likely Kubernetes. There is a way to configure authentication and authorization using Okta’s OIDC functionality. It does require a client plugin to support the OIDC flow (OSS) but this post walks us through the process and makes it pretty understandable. 👤

From our friends over at Aqua Security, here’s a great best-practice to keep your cluster secure. The TLDR; is basically to avoid cluster admin access using this built-in group, and for good reasons. The author explains why this is a bad pattern to follow, and shows the risks of allowing this group to be used. This is a great read when thinking about how to set up RBAC in your cluster. 🔒

If you are running an EKS cluster, here’s a great guide on how to use your own OIDC provider to replace AWS’s IAM Authz mechanisms that are default. This is great to see from the Amazon team, and helps better integrate the EKS RBAC configuration into an orgs existing infrastructure, in a supported way.

If OIDC isn’t your thing, and you want SAML, give this post a read. As the author points out, hosted Kubernetes services don’t give you control over the flags passed into the API Server, but that doesn’t mean it’s not possible to use SAML. Through some clever user-impersonation methods, and using the open source Teleport tool, there’s a solution to use your existing SAML identity to power RBAC in a cluster. 🏳️

But I thought we were talking about Authorization here, not Audit Logs? This post shows how to use the Kubernetes Audit Logs (and DataDog) to monitor failed attempts to login and use privileges. When switching or setting up RBAC initially, it can be hard to debug. Understanding how to connect to the audit log and see the events will be helpful on the off chance that things don’t go perfectly on the first try!

See? Kubernetes isn’t really all that complicated when you start to think about it!