Kubernetes cluster security mechanism RBAC

catalogue

RBAC principle and usage

1.RBAC API resource object description

RBAC introduces four new top-level resource objects: Role, ClusterRole, RoleBinding and ClusterRoleBinding. These resource objects can be operated by kubectl or API calls.

1. Role

A Role is a collection of permissions. All permissions here are in the form of permission, and there is no rejection rule. In a namespace, a Role is defined by Role, and ClusterRole is used at the cluster level. A Role can only authorize resources within a namespace.

  • The role defined in the following example has permission to read Pod:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: pod-reader
  namespace: namespace-test
rules:
  - apiGroups:
      - ""     # An empty string represents the core API Group
    resources:
      - "pods"
    verbs:
      - "get"
      - "list"
      - "watch"

# Or write:
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]

Parameter description in rules:

  • apiGroup: list of supported API groups, such as: '', APIVersion: batch/v1, APIVersion: extensions:v1, apiVersion:apps/v1, etc
  • resources: list of supported resource objects, such as pods, deployments, jobs, secrets, service, namespace, etc
  • verbs: list of operation methods for resource objects, such as get, watch, list, delete, replace, patch, etc

2. Cluster role

In addition to the ability to manage resources in the namespace consistent with the role, the cluster role can also be used for the authorization of the following special elements because of its cluster level scope.

  • Cluster wide resources, such as node

  • A non resource path, such as / healthz

  • Resources that contain all namespaces, such as pods

  • The clusterrole in the following example allows users to access the secrets of any or all namespaces:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader  # ClusterRole is not limited to namespace, so the definition of namespace name is omitted
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch"]

3. Role binding and cluster role binding

Role binding or cluster role binding is used to bind a role to a target. The binding target can be User, Group or ServiceAccount. Use RoleBinding to authorize a namespace and ClusterRoleBinding to authorize within the cluster.

RoleBinding can refer to Role for authorization. In the following example, RoleBinding will grant the Pod reader Role to user test in the namespace test namespace, allowing the test user to read the Pod in the namespace test namespace.

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: namespace-test

subjects:
- kind: User
  name: test
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

RoleBinding can also reference ClusterRole to authorize resource principals defined by ClusterRole in the same namespace. A common practice is that the Cluster Administrator pre defines a set of roles (clusterroles) for the cluster scope, and then reuses these clusterroles in multiple namespaces.

  • The RoleBinding in the following example binds the cluster role secret reader, so that user dave can only read the secret in the development namespace:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-secrets
  namespace: development

subjects:
- kind: User
  name: dave
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io

The roles in the cluster role binding can only be cluster roles, which are used for cluster level or effective authorization for all namespaces.

  • The ClusterRoleBinding in the following example allows the user of the manager group to read the secret in any namespace
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-secrets-global
subjects:
- kind: Group
  name: manager
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io

2. Reference method of resources

Most resources can be expressed by the string of their name, that is, the relative path of the URL in the Endpoint, such as pods. Then, some kubernetes APIs contain subordinate resources, such as the logs of Pod. The Endpoint of the Pod log is GET /api/v1/namespaces/{namespaces}/pods/{name}/logs.

Pod is a resource in a namespace, and logs is a subordinate resource. To be embodied in an RBAC role, you need to use slashes / to divide resources and subordinate resources.

  • In the following example, authorization enables a role to read Pod and Pod logs at the same time, and resources can be configured as an array:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-and-pod-logs-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]

  
Resources can also be referenced by name (ResourceName). After specifying the ResourceName, requests using get, delete, update and patch verbs will be limited to the resource instance.

  • The declaration of the following example allows an entity to only get and update a configmap called my configmap:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: configmap-updater
rules:
- apiGroups: [""]
  resources: ["configmap"]
  resourceNames: ["my-configmap"]
  verbs: ["get", "update"]

3. Common role examples

  • It is allowed to read and write the pod resources in the core API Group and the jobs resources in the "batch" and "extensions" groups
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["batch", "extensions"]
  resources: ["jobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  • It is allowed to read a configmap named my config (it must be bound to a RoleBinding to limit it to a configmap in a namespace)
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["my-config"]
  verbs: ["get"]
  • Read the Node resources of the core group (nodes belong to cluster level resources, which must be placed in ClusterRole and bound with ClusterRoleBinding)
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]

  

  • Allow GET/POST operations on non resource endpoints / healthz and all its sub paths (ClusterRole and clusterrolebinding must be used)
rules:
- nonResourceURLs: ["/healthz", "/healthz/*"]
  verbs: ["get", "post"]

4. Common role binding

  • user name Alice@example.com
subjects:
- kind: User
  name: "Alice@example.com"
  apiGroup: rbac.authorization.k8s.io
  • Group name frontend admins
subjects:
- kind: Group
  name: "frontend-admins"
  apiGroup: rbac.authorization.k8s.io
  • Default ServiceAccount in Kube system namespace
subjects:
- kind: ServiceAccount
  name: default
  namespace: kube-system
  • All service accounts in the qa namespace
subjects:
- kind: Group
  name: system:serviceaccounts:qa
  apiGroup: rbac.authorization.k8s.io
  • All serviceaccounts
subjects:
- kind: Group
  name: system:serviceaccounts
  apiGroup: rbac.authorization.k8s.io
  • All users (all unauthenticated + all authenticated)
subjects:
- kind: Group
  name: system:authentication
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: system:unauthentication
  apiGroup: rbac.authorization.k8s.io

5. Default role and role binding

API Server will create a set of default ClusterRole and ClusterRoleBinding objects, many of which are prefixed with system: to indicate that these resources belong to the infrastructure. Changes to these objects may cause cluster failure.

Common system roles are as follows:

Default ClusterRole Default ClusterRoleBinding describe
system:basic-user system:authenticated Enable users to read their own information
system:discovery system:authenticated Read only access to API discovery Endpoint, which is used for API level discovery and negotiation
system:public-info-viewer system:authenticated and system:unauthenticated groups Allow read-only access to non sensitive information of the cluster

Some default roles are not prefixed with system:, these roles are for users, including the super user role cluster admin, some for cluster level role cluster status, and the roles admin, edit and view for namespace

Common user roles are as follows:

Default ClusterRole Default ClusterRoleBinding describe
cluster-admin system:masters group Let the super user perform any operation on any resource. If it is used in ClusterRoleBinding, it will affect any resource in all namespaces of the whole cluster; If you use RoleBinding, you can control the resources in the bound namespace, including the namespace itself
admin None Allow admin and restrict the use of RoleBinding in one namespace. If used in RoleBinding, it allows read-write access to most resources in the namespace, including the ability to create roles and role bindings. This role does not allow operations on the namespace itself or write resource quotas.
edit None It is allowed to read and write most resources in the namespace. It is not allowed to view or modify roles and role bindings.
view None Read only operations are allowed on most objects, but roles, role bindings and secret are inaccessible.

Core component roles:

Default ClusterRole Default ClusterRoleBinding describe
system:kube-scheduler System: Kube scheduler user Be able to access the resources required by the Kube scheduler component
system:kube-controller-manager System: Kube controller manager user Be able to access the resources required by the Kube controller manager component
system:node system:nodes group Allows access to resources required by kubelet, including reading of secret and writing of pod. In the future, the above two permissions will be limited to the objects assigned to this node. In the authentication process in the future, kubelet must be in the form of system:node and a user name in the form of system:node
system:node-proxier System: Kube proxy user Allow access to resources required by Kube proxy

Other component roles:

Default ClusterRole Default ClusterRoleBinding describe
system:auth-delegator None It is allowed to outsource identity authentication and authentication check operations. This role is usually used on plug-in API servers to achieve unified identity authentication and authentication.
system:heapster Node Roles defined for the Heapster component (deprecated).
system:kube-aggregator Node Roles defined for the Kube aggregator component.
system:kube-dns Kube DNS service account in Kube system namespace Roles defined for Kube DNS components.
system:kubelet-api-admin Node Allow full access to the kubelet API.
system:node-bootstrapper Node Allows access to resources needed to perform kubelet TLS boot.
system:node-problem-detector Node Roles defined for the node problem detector component.
system:persistent-volume-provisioner Node Allows access to resources required by most dynamic volume drivers.
system:monitoring system:monitoring group Allow read access to control plane monitoring endpoints (for example: Kube apiserver survival and readiness endpoints (/ healthz, / livez, / readyz), various health check endpoints (/ healthz /, / livez /, / readyz / *) and / metrics). Note that each health check endpoint and metric endpoint may expose sensitive information.

Query command:

kubectl describe clusterrole admin
kubectl describe clusterrole cluster-admin
kubectl describe clusterrole edit
kubectl describe clusterrole view

Reference documents:
https://kubernetes.io/zh/docs/reference/access-authn-authz/rbac/

Posted on Wed, 03 Nov 2021 20:37:37 -0400 by Alien