Just-in

Kagent Tutorial: Build Cloud-Native AI Agents on Kubernetes

Running Ollama LLM on Kubernetes: A Complete Guide

From Docker to Kubernetes: The Orchestration Journey You Didn’t Know You Needed

What is Kubeflow and how can it be used?

Getting Started with Kubeflow: A Complete Beginner’s Guide

Orchestration

Secure Kubernetes: RBAC Best Practices

Introduction

In the complex tapestry of modern cloud-native environments, managing who can do what is paramount. Kubernetes, the de facto orchestrator for containerized applications, provides a robust authorization mechanism known as Role-Based Access Control (RBAC). Without proper RBAC, your cluster is an open book, vulnerable to accidental misconfigurations or malicious exploitation. Imagine a scenario where a junior developer accidentally deletes a production namespace, or an attacker gains escalated privileges, compromising your entire infrastructure. These aren’t far-fetched nightmares but real possibilities in an improperly secured cluster.

This guide will demystify Kubernetes RBAC, moving beyond basic concepts to explore best practices that ensure a secure, maintainable, and scalable access control strategy. We’ll delve into the core components of RBAC—Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings—and demonstrate how to implement least privilege access effectively. By the end of this comprehensive tutorial, you’ll be equipped to design and enforce a granular RBAC policy that safeguards your Kubernetes clusters, making them resilient against unauthorized access and operational errors. Let’s transform your cluster’s security posture from reactive to proactive.

TL;DR: Kubernetes RBAC Best Practices

Kubernetes RBAC is crucial for securing your cluster by defining who (Subjects) can perform what actions (Verbs) on which resources (API Groups, Resources). Always adhere to the principle of least privilege. Use Namespaced Roles for application-specific access and ClusterRoles for cluster-wide operations. Bind these roles to users or service accounts using RoleBindings and ClusterRoleBindings, respectively. Avoid granting cluster-admin unless absolutely necessary. Regularly audit your RBAC policies and integrate them into your CI/CD pipeline for automated enforcement.

Key Commands:


# Create a namespace-scoped Role
kubectl apply -f - <

Prerequisites

Before diving into the intricacies of Kubernetes RBAC, ensure you have the following:

  • A running Kubernetes Cluster: This can be a local cluster (e.g., Minikube, Kind, Docker Desktop Kubernetes) or a cloud-managed cluster (e.g., EKS, GKE, AKS).
  • kubectl installed and configured: Your kubectl command-line tool should be configured to connect to your Kubernetes cluster. You can find installation instructions on the official Kubernetes documentation.
  • Basic understanding of Kubernetes concepts: Familiarity with Pods, Deployments, Services, Namespaces, and the Kubernetes API is expected.
  • Text editor: Any text editor capable of creating and editing YAML files.
  • Administrative access to the cluster: To define and apply RBAC policies, you'll need sufficient permissions, typically cluster-admin or an equivalent.

Step-by-Step Guide

1. Understanding RBAC Core Components

Kubernetes RBAC is built upon four fundamental components: Role, ClusterRole, RoleBinding, and ClusterRoleBinding. These resources work in tandem to define permissions and assign them to subjects (users, service accounts, or groups). A Role defines permissions within a specific namespace, while a ClusterRole defines permissions across the entire cluster. RoleBindings link Roles to subjects within a namespace, and ClusterRoleBindings link ClusterRoles to subjects cluster-wide. This separation allows for granular control and adherence to the principle of least privilege.

The rules within a Role or ClusterRole specify the apiGroups, resources, and verbs that a subject is allowed to perform. apiGroups categorize Kubernetes resources (e.g., "" for core resources like Pods, apps for Deployments). resources are the specific types of objects (e.g., pods, deployments). verbs are the actions that can be taken (e.g., get, list, create, update, delete).


# Example: Role for reading Pods in a specific namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: development
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods", "pods/log"]
  verbs: ["get", "watch", "list"]
---
# Example: ClusterRole for reading all Namespaces
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-reader
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]

Verify:

After applying these, you can inspect them.


kubectl get role pod-reader -n development

Expected output:


NAME         CREATED AT
pod-reader   2023-10-27T10:00:00Z


kubectl describe role pod-reader -n development

Expected output (truncated):


Name:         pod-reader
Namespace:    development
Labels:       
Annotations:  
PolicyRule:
  Resources  NonResourceURLs  ResourceNames  Verbs
  ---------  ---------------  -------------  -----
  pods, pods/log    []             []             [get watch list]


kubectl get clusterrole namespace-reader

Expected output:


NAME               CREATED AT
namespace-reader   2023-10-27T10:00:00Z


kubectl describe clusterrole namespace-reader

Expected output (truncated):


Name:         namespace-reader
Labels:       
Annotations:  
PolicyRule:
  Resources  NonResourceURLs  ResourceNames  Verbs
  ---------  ---------------  -------------  -----
  namespaces    []             []             [get list watch]

2. Creating Namespaces and Service Accounts

Before assigning permissions, it's good practice to organize your cluster with namespaces and to understand how service accounts are used. Namespaces provide logical isolation for resources, which is a fundamental aspect of multi-tenancy and RBAC. Service accounts are identities used by processes running in pods, allowing them to interact with the Kubernetes API. Unlike human users, which are typically managed by an external identity provider (like LDAP or OAuth), service accounts are Kubernetes-native and crucial for application-level permissions. For advanced networking and security isolation, consider using Kubernetes Network Policies to restrict pod-to-pod communication.

For this example, we'll create a new namespace for our application and a service account that our application's pods will use to access the Kubernetes API.


# Create a new namespace for our application
apiVersion: v1
kind: Namespace
metadata:
  name: my-app-namespace
---
# Create a ServiceAccount for our application to use
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app-sa
  namespace: my-app-namespace

Verify:

Check if the namespace and service account have been created.


kubectl apply -f your-rbac-manifest.yaml
kubectl get namespace my-app-namespace

Expected output:


NAME             STATUS   AGE
my-app-namespace Active   Xs


kubectl get serviceaccount my-app-sa -n my-app-namespace

Expected output:


NAME        SECRETS   AGE
my-app-sa   1         Xs

3. Defining Namespaced Roles and RoleBindings

The principle of least privilege dictates that users and service accounts should only have the minimum permissions necessary to perform their tasks. For application-specific access, Roles are ideal as they restrict permissions to a particular namespace. We'll define a Role that allows our application's service account to only list and get pods within its own namespace. Then, we'll create a RoleBinding to link this Role to our my-app-sa service account. This ensures that the application cannot inadvertently or maliciously affect resources outside its designated namespace.


# Role to allow listing and getting pods within 'my-app-namespace'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: my-app-namespace
  name: pod-lister
rules:
- apiGroups: [""] # Core API group
  resources: ["pods"]
  verbs: ["get", "list"]
---
# RoleBinding to grant 'pod-lister' role to 'my-app-sa' ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-app-pod-lister-binding
  namespace: my-app-namespace
subjects:
- kind: ServiceAccount
  name: my-app-sa
  namespace: my-app-namespace
roleRef:
  kind: Role
  name: pod-lister
  apiGroup: rbac.authorization.k8s.io

Verify:

Apply the YAML and then verify the binding.


kubectl apply -f your-rbac-manifest.yaml
kubectl describe rolebinding my-app-pod-lister-binding -n my-app-namespace

Expected output (truncated):


Name:         my-app-pod-lister-binding
Labels:       
Annotations:  
Role:
  Kind:  Role
  Name:  pod-lister
Subjects:
  Kind            Name        Namespace
  ----            ----        ---------
  ServiceAccount  my-app-sa   my-app-namespace

You can also use kubectl auth can-i to impersonate the service account and check its permissions.


kubectl auth can-i get pods -n my-app-namespace --as=system:serviceaccount:my-app-namespace:my-app-sa

Expected output:


yes


kubectl auth can-i create deployment -n my-app-namespace --as=system:serviceaccount:my-app-namespace:my-app-sa

Expected output:


no

4. Defining ClusterRoles and ClusterRoleBindings

For operations that span across multiple namespaces or involve cluster-scoped resources (like Nodes, PersistentVolumes, or Namespaces themselves), ClusterRoles and ClusterRoleBindings are necessary. It's crucial to be cautious when granting cluster-wide permissions, as they can have significant impact. A common use case for ClusterRoles is for cluster administrators, observability tools, or specialized operators. For instance, an observability tool might need to list pods across all namespaces to gather metrics, or a cost optimization tool like Karpenter might need cluster-wide access to manage nodes.

Here, we'll create a ClusterRole that allows a user to view all namespaces and then bind it to a hypothetical "cluster-viewer" user. Remember that real users are typically integrated via OIDC or other identity providers, and their names would reflect that (e.g., alice@example.com).


# ClusterRole to allow viewing all namespaces
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: global-namespace-viewer
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
# ClusterRoleBinding to grant 'global-namespace-viewer' to a specific user
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: view-all-namespaces-binding
subjects:
- kind: User
  name: cluster-viewer@example.com # Replace with your actual user identity
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: global-namespace-viewer
  apiGroup: rbac.authorization.k8s.io

Verify:

Apply the YAML and then verify the binding.


kubectl apply -f your-rbac-manifest.yaml
kubectl describe clusterrolebinding view-all-namespaces-binding

Expected output (truncated):


Name:         view-all-namespaces-binding
Labels:       
Annotations:  
Role:
  Kind:  ClusterRole
  Name:  global-namespace-viewer
Subjects:
  Kind  Name                      API Group
  ----  ----                      ---------
  User  cluster-viewer@example.com  rbac.authorization.k8s.io

Check permissions for the user:


kubectl auth can-i get namespaces --as=cluster-viewer@example.com

Expected output:


yes


kubectl auth can-i create namespace --as=cluster-viewer@example.com

Expected output:


no

5. Leveraging Aggregated ClusterRoles

Kubernetes offers a powerful feature called Aggregated ClusterRoles, which allows you to combine multiple ClusterRoles into a single, comprehensive ClusterRole. This is particularly useful for building custom roles that inherit permissions from existing ones, such as adding specific permissions to a general "admin" role without modifying the original. Aggregated ClusterRoles are defined by adding an aggregationRule to a ClusterRole, which specifies a label selector. Any ClusterRole matching this selector will have its rules included in the aggregated ClusterRole. This approach promotes modularity and reusability in your RBAC definitions, especially when dealing with complex permission sets. For example, an Istio Ambient Mesh operator might require an aggregated ClusterRole combining various permissions for managing service mesh resources.


# Define a base ClusterRole for deploying applications
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: app-deployer-base
  labels:
    rbac.example.com/aggregate-to-app-admin: "true"
rules:
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["services", "configmaps", "secrets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Define a ClusterRole for managing cronjobs
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cronjob-manager
  labels:
    rbac.example.com/aggregate-to-app-admin: "true"
rules:
- apiGroups: ["batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Create an aggregated ClusterRole that combines the above roles
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aggregated-app-admin
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.example.com/aggregate-to-app-admin: "true"
rules: [] # The rules are automatically aggregated from matching ClusterRoles
---
# Bind the aggregated ClusterRole to a user
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: app-admin-binding
subjects:
- kind: User
  name: app-admin@example.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: aggregated-app-admin
  apiGroup: rbac.authorization.k8s.io

Verify:

Apply the YAML and then inspect the aggregated role.


kubectl apply -f your-rbac-manifest.yaml
kubectl describe clusterrole aggregated-app-admin

Expected output (truncated, showing aggregated rules):


Name:         aggregated-app-admin
Labels:       
Annotations:  
PolicyRule:
  Resources                       NonResourceURLs  ResourceNames  Verbs
  ---------                       ---------------  -------------  -----
  cronjobs, jobs                  []               []             [get list watch create update patch delete]
  deployments, replicasets        []               []             [get list watch create update patch delete]
  configmaps, secrets, services   []               []             [get list watch create update patch delete]
AggregationRule:
  Cluster Role Selectors:
    Match Labels:
      rbac.example.com/aggregate-to-app-admin: "true"

Test a permission:


kubectl auth can-i create deployment -n default --as=app-admin@example.com

Expected output:


yes

6. Auditing RBAC with kubectl auth can-i and Audit Logs

Regularly auditing your RBAC policies is a critical security practice. Kubernetes provides the kubectl auth can-i command, which allows you to check if a specific user or service account can perform a given action. This is invaluable for debugging permissions and ensuring least privilege. For a more comprehensive audit trail of all actions performed in your cluster, Kubernetes Audit Logs are indispensable. By enabling and properly configuring audit logging, you can record every API request, identifying who did what, when, and from where. This is crucial for security forensics and compliance. Tools that leverage eBPF, such as eBPF Observability with Hubble, can also provide deep insights into network and system calls, complementing RBAC audits.

To use kubectl auth can-i:


# Check if current user can create pods in the default namespace
kubectl auth can-i create pods -n default

# Check if 'my-app-sa' can list deployments in its namespace
kubectl auth can-i list deployments -n my-app-namespace --as=system:serviceaccount:my-app-namespace:my-app-sa

# Check if 'cluster-viewer@example.com' can delete namespaces (should be no)
kubectl auth can-i delete namespace --as=cluster-viewer@example.com

# Check if 'app-admin@example.com' can update deployments in any namespace
kubectl auth can-i update deployment -n any-namespace --as=app-admin@example.com

Expected Output Examples:


# For current user (assuming admin access)
yes

# For my-app-sa (should be no, as it only has 'get'/'list' for pods)
no

# For cluster-viewer (should be no)
no

# For app-admin (should be yes, if aggregated role grants it)
yes

To configure Audit Logs, you typically need to modify your Kubernetes API server configuration. This usually involves editing the Kube-API server manifest on your control plane nodes or configuring it via your cloud provider's managed Kubernetes service. For example, on EKS, you can enable control plane logging to CloudWatch. For self-managed clusters, you'd add flags like --audit-policy-file and --audit-log-path to the API server's static pod manifest. A detailed policy file defines what events to log.

Example audit-policy.yaml (simplified):


apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Log all requests at the Request level for 'pods' and 'deployments'
  - level: Request
    resources:
    - group: ""
      resources: ["pods"]
    - group: "apps"
      resources: ["deployments"]
  # Don't log requests to get status of pods (noisy)
  - level: None
    resources:
    - group: ""
      resources: ["pods/status"]
  # Log all other requests at Metadata level
  - level: Metadata
    omitStages:
    - "RequestReceived"

Then, configure your API server to use this policy:


# Example Kube-API server flags (actual implementation varies by setup)
--audit-policy-file=/etc/kubernetes/audit-policy.yaml
--audit-log-path=/var/log/kubernetes/audit.log
--audit-log-maxage=30
--audit-log-maxbackup=10
--audit-log-maxsize=100

After enabling, audit logs will be written to the specified path, providing a comprehensive record of API interactions.

Production Considerations

Implementing RBAC in a production environment goes beyond basic configuration. Here are crucial considerations:

  1. Principle of Least Privilege: This is the golden rule. Grant only the absolute minimum permissions required for a user or service account to perform its function. Regularly review and trim unnecessary permissions.
  2. Automate RBAC Management: Manual management of RBAC YAMLs is error-prone and unsustainable at scale. Integrate RBAC definitions into your GitOps workflows. Tools like Kustomize or Helm can help manage and deploy RBAC resources alongside your applications.
  3. External Identity Management: For human users, integrate Kubernetes with an external identity provider (IdP) like Okta, Auth0, or your cloud provider's IAM (e.g., AWS IAM, Azure AD, Google Cloud Identity). This centralizes user management and authentication, allowing you to map IdP groups to Kubernetes ClusterRoles or Roles via ClusterRoleBindings/RoleBindings.
  4. Namespace Strategy: Develop a clear namespace strategy. Each application, environment (dev, staging, prod), or team should ideally reside in its own namespace. This naturally scopes RBAC permissions and prevents cross-contamination.
  5. Avoid cluster-admin: The cluster-admin ClusterRole grants full control over the entire cluster. It should be reserved for a very small number of highly trusted administrators and used sparingly. For most administrative tasks, create custom ClusterRoles with specific permissions.
  6. Dedicated Service Accounts: Each application or microservice should use its own dedicated service account. Avoid sharing service accounts between different applications, even within the same namespace.
  7. Regular Auditing and Monitoring: Continuously monitor your Kubernetes audit logs for unauthorized access attempts or suspicious activity. Tools like Falco or Open Policy Agent (OPA) can help enforce policies and detect deviations.
  8. Immutable RBAC: Treat your RBAC configurations as immutable infrastructure. Store them in version control (Git) and deploy them via automated pipelines.
  9. ResourceNames for Granular Control: For extremely fine-grained control, specify resourceNames within your Role/ClusterRole rules. This limits permissions to specific instances of a resource (e.g., only allow deleting a specific Pod named "my-critical-pod"). Use this cautiously as it can become difficult to manage.
  10. Test RBAC Policies: Before deploying RBAC policies to production, thoroughly test them in a staging environment. Use kubectl auth can-i extensively to verify that users and service accounts have the correct (and only the correct) permissions.
  11. Review Default Roles/Bindings: Be aware of the default Kubernetes default ClusterRoles and ClusterRoleBindings. Understand what they grant and ensure they align with your security posture.
  12. Security Scanning: Use tools like Kube-bench or Polaris to scan your cluster for misconfigurations, including overly permissive RBAC policies. For supply chain security, integrating tools like Sigstore and Kyverno can further enhance your posture.

Troubleshooting

RBAC issues can be tricky to diagnose. Here are common problems and their solutions:

1. Permission Denied (403 Forbidden)

Issue: A user or service account gets a "403 Forbidden" error when trying to perform an action, even though you think they should have permissions.

Solution:

  • Use kubectl auth can-i: This is your primary diagnostic tool. Impersonate the user/service account and test the exact action. 
    
kubectl auth can-i get pods -n my-app-namespace --as=dev-user@example.com
kubectl auth can-i create deployment -n default --as=system:serviceaccount:my-app-namespace:my-app-sa
  • Check Role/ClusterRole definitions: Ensure the apiGroups, resources, and verbs are correctly specified. Common mistakes include omitting the core API group "" or using plural vs. singular resource names inconsistently.
  • Check RoleBinding/ClusterRoleBinding: Verify that the subjects section correctly references the user, service account, or group, and that the roleRef points to the correct Role/ClusterRole. Ensure the namespace is correct for RoleBindings.
  • Check for typos: Kubernetes is case-sensitive for many fields.
  • Audit logs: If enabled, check the Kubernetes audit logs for detailed information about why the request was denied.

2. Service Account Permissions Not Applied to Pod

Issue: A Pod running with a specific service account doesn't have the expected permissions.

Solution:

  • Verify serviceAccountName: Ensure the Pod's manifest explicitly sets serviceAccountName: my-app-sa (or whatever your service account is named) in its spec. If omitted, it defaults to the default service account in that namespace. 
    
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: my-app-namespace
spec:
  # ...
  template:
    spec:
      serviceAccountName: my-app-sa # <--- This is critical
      containers:
      - name: my-app-container
        image: my-app-image:latest
        # ...
  • Check service account existence: Ensure the service account actually exists in the correct namespace.
  • Check associated RoleBinding: Confirm that the service account is bound to the correct Role in the correct namespace.

3. ClusterRole Rules Not Applying to Namespaced Resources

Issue: You've created a ClusterRole, but a user/service account bound to it can't access namespaced resources (e.g., deployments) in a specific namespace.

Solution:

  • ClusterRoles are cluster-scoped, but their rules can apply to namespaced resources: A ClusterRole can grant permissions to namespaced resources (like pods, deployments). When a ClusterRole is bound using a ClusterRoleBinding, those permissions apply across all namespaces. If it's bound using a RoleBinding (which is less common but possible), those ClusterRole permissions are then scoped to the namespace of the RoleBinding. 
    
# Example: ClusterRole that can list deployments
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deployment-lister-clusterwide
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["list"]
---
# ClusterRoleBinding to grant this to a user cluster-wide
apiVersion: rbac.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: deployment-lister-binding
subjects:
- kind: User
  name: dev-user@example.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: deployment-lister-clusterwide
  apiGroup: rbac.authorization.k8s.io

    If dev-user@example.com still can't list deployments, double-check the ClusterRole definition and ClusterRoleBinding.

4. Managing RBAC for External Users/Groups (e.g., OIDC)

Issue: How to grant permissions to users or groups managed by an external identity provider (like Azure AD, Google Identity, Okta, etc.).

Solution:

  • Configure your API Server: Your Kubernetes API server needs to be configured to authenticate users via your OIDC provider (e.g., --oidc-issuer-url, --oidc-client-id, --oidc-username-claim, --oidc-groups-claim flags).
  • Use User/Group subjects in Bindings: Once authentication is set up, the API server will pass user and group information. You then create RoleBindings/ClusterRoleBindings with kind: User or kind: Group subjects, matching the claims from your OIDC provider. 

    
apiVersion: rbac.authorization.k8s.io/v1
    
kind: ClusterRoleBinding
    
metadata:
    
  name: dev-team-admin-binding
    
subjects:
    
- kind: Group
    
  name: dev-team@example.com # This should match the group claim from your

Related Posts

Master eBPF for Kubernetes: Gain Insight

Introduction In the rapidly evolving landscape of cloud-native computing, performance, security, and observability are paramount. Traditional kernel modules and system calls often introduce overhead and…

Leave a Reply

Your email address will not be published. Required fields are marked *