Understanding Kubernetes Security Components

In Kubernetes, security is implemented through several components that work together to control access and permissions. Let's explore ServiceAccounts, Roles, RoleBindings, and SecurityContexts.

ServiceAccount

A ServiceAccount provides an identity for processes running in a Pod. It's used for authentication when Pods interact with the Kubernetes API.

Key points:

  • Every namespace has a default ServiceAccount
  • Pods automatically mount a token for the default ServiceAccount unless a different ServiceAccount is specified or automounting is disabled
  • ServiceAccount tokens (stored in or projected from secrets) are what the Pod presents when authenticating to the API

Role

A Role defines a set of permissions within a specific namespace. It specifies what actions (verbs) can be performed on which resources.

Key points:

  • Namespace-scoped
  • Defines permissions using rules (resources and verbs)
  • For cluster-wide permissions, use ClusterRole instead

RoleBinding

A RoleBinding grants the permissions defined in a Role to a user, group, or ServiceAccount.

Key points:

  • Links subjects (users, groups, ServiceAccounts) to a Role
  • Namespace-scoped
  • For cluster-wide bindings, use ClusterRoleBinding

SecurityContext

A SecurityContext defines privilege and access control settings for Pods or containers.

Key points:

  • Can be set at Pod or container level
  • Controls running as specific user/group IDs
  • Manages Linux capabilities
  • Enforces security policies like preventing privilege escalation

Example: Creating a Pod with Limited Permissions

Let's create a scenario where we want to run a monitoring Pod that can only read ConfigMaps in its namespace:

1. Create a ServiceAccount

apiVersion: v1
kind: ServiceAccount
metadata:
  name: monitoring-account
  namespace: monitoring

2. Create a Role with limited permissions

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-reader
  namespace: monitoring
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]

3. Bind the Role to the ServiceAccount

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: monitoring-configmap-reader
  namespace: monitoring
subjects:
- kind: ServiceAccount
  name: monitoring-account
  namespace: monitoring
roleRef:
  kind: Role
  name: configmap-reader
  apiGroup: rbac.authorization.k8s.io

4. Create a Pod using the ServiceAccount and SecurityContext

apiVersion: v1
kind: Pod
metadata:
  name: secure-monitoring-pod
  namespace: monitoring
spec:
  serviceAccountName: monitoring-account
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  containers:
  - name: monitoring-container
    image: monitoring-image:latest
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
    resources:
      limits:
        memory: "128Mi"
        cpu: "500m"
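As an added check, not part of the original post: a small Python emulation of how the API server evaluates the Role and RoleBinding from steps 2 and 3, so you can reason about what the monitoring ServiceAccount can and cannot do before deploying (the manifests are transcribed as dicts; ClusterRole and ClusterRoleBinding are left out of the emulation).

```python
# Added example (not from the original post): a minimal emulation of how the
# API server evaluates namespace-scoped RBAC, applied to the Role and RoleBinding
# above, transcribed as dicts so it runs offline. Mirrors `kubectl auth can-i`.
ROLE = {
    "metadata": {"name": "configmap-reader", "namespace": "monitoring"},
    "rules": [{"apiGroups": [""], "resources": ["configmaps"],
               "verbs": ["get", "list", "watch"]}],
}
ROLEBINDING = {
    "metadata": {"name": "monitoring-configmap-reader", "namespace": "monitoring"},
    "subjects": [{"kind": "ServiceAccount", "name": "monitoring-account",
                  "namespace": "monitoring"}],
    "roleRef": {"kind": "Role", "name": "configmap-reader",
                "apiGroup": "rbac.authorization.k8s.io"},
}
MONITORING_SA = ("ServiceAccount", "monitoring-account", "monitoring")

def rule_allows(rule, api_group, resource, verb):
    """A rule matches only if apiGroup, resource AND verb all match ('*' = wildcard)."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))

def binding_covers(binding, subject):
    """subject = (kind, name, namespace); ServiceAccounts must also match on namespace."""
    kind, name, ns = subject
    return any(s.get("kind") == kind and s.get("name") == name
               and (kind != "ServiceAccount" or s.get("namespace") == ns)
               for s in binding.get("subjects", []))

def can_i(roles, bindings, subject, verb, resource, namespace, api_group=""):
    """True only if a RoleBinding in the request namespace names the subject and the
    Role it references (same namespace) has a rule permitting verb+resource.
    ClusterRole/ClusterRoleBinding are left out to keep the example short."""
    by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        if b["metadata"]["namespace"] != namespace or b["roleRef"]["kind"] != "Role":
            continue
        if not binding_covers(b, subject):
            continue
        role = by_key.get((namespace, b["roleRef"]["name"]))
        if role and any(rule_allows(r, api_group, resource, verb)
                        for r in role.get("rules", [])):
            return True
    return False  # deny by default: no matching rule means no access
```

Running `can_i([ROLE], [ROLEBINDING], MONITORING_SA, "get", "configmaps", "monitoring")` returns True, while asking for `delete`, for `secrets`, or for the same ServiceAccount name in another namespace returns False, which is the least-privilege outcome the manifests are meant to produce.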
Posted 2025-09-22 12:20 by iTech