mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-19 05:59:40 +03:00
135 lines
5.2 KiB
Markdown
135 lines
5.2 KiB
Markdown
---
|
|
name: implementing-rbac-for-kubernetes-cluster
|
|
description: Configure Kubernetes Role-Based Access Control (RBAC) to enforce least-privilege access to cluster resources. This skill covers Role/ClusterRole design, RoleBinding configuration, service account secu
|
|
domain: cybersecurity
|
|
subdomain: identity-access-management
|
|
tags: [iam, identity, access-control, authorization, rbac, kubernetes, k8s]
|
|
version: "1.0"
|
|
author: mahipal
|
|
license: MIT
|
|
---
|
|
# Implementing RBAC for Kubernetes Cluster
|
|
|
|
## Overview
|
|
Configure Kubernetes Role-Based Access Control (RBAC) to enforce least-privilege access to cluster resources. This skill covers Role/ClusterRole design, RoleBinding configuration, service account security, namespace isolation, and audit logging for multi-tenant Kubernetes environments.
|
|
|
|
## Objectives
|
|
- Design RBAC role hierarchy for multi-tenant clusters
|
|
- Create granular Roles and ClusterRoles for different personas
|
|
- Configure RoleBindings and ClusterRoleBindings with least privilege
|
|
- Secure service accounts and limit their default permissions
|
|
- Integrate RBAC with external identity providers (OIDC)
|
|
- Audit and monitor RBAC usage with Kubernetes audit logs
|
|
|
|
## Key Concepts
|
|
|
|
### RBAC API Objects
|
|
1. **Role**: Namespace-scoped permissions (pods, services, deployments within a namespace)
|
|
2. **ClusterRole**: Cluster-wide permissions (nodes, namespaces, PVs, CRDs)
|
|
3. **RoleBinding**: Grants Role to users/groups/serviceAccounts in a namespace
|
|
4. **ClusterRoleBinding**: Grants ClusterRole cluster-wide
|
|
|
|
### Kubernetes RBAC Verbs
|
|
- `get`, `list`, `watch`: Read-only operations
|
|
- `create`, `update`, `patch`: Write operations
|
|
- `delete`, `deletecollection`: Destructive operations
|
|
- `impersonate`: Assume identity of another user
|
|
- `escalate`: Modify RBAC roles (highly privileged)
|
|
- `bind`: Create RoleBindings (highly privileged)
|
|
|
|
### Persona-Based Access Model
|
|
- **Cluster Admin**: Full cluster management (limit to 2-3 people)
|
|
- **Namespace Admin**: Full control within assigned namespace
|
|
- **Developer**: Deploy and manage workloads in assigned namespace
|
|
- **Viewer**: Read-only access to namespace resources
|
|
- **CI/CD Service Account**: Deploy workloads, manage configmaps/secrets
|
|
|
|
## Implementation Steps
|
|
|
|
### Step 1: Disable Default Permissive Settings
|
|
1. Ensure `--authorization-mode=RBAC` is enabled on API server
|
|
2. Remove default cluster-admin bindings from non-admin users
|
|
3. Disable auto-mounting of service account tokens in pods
|
|
4. Restrict access to default service account in each namespace
|
|
|
|
### Step 2: Create Custom Roles
|
|
```yaml
|
|
# Developer Role - namespace scoped
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
namespace: app-team
|
|
name: developer
|
|
rules:
|
|
- apiGroups: ["", "apps", "batch"]
|
|
resources: ["pods", "deployments", "services", "configmaps", "jobs"]
|
|
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get", "list"] # read secrets but limit create/update
|
|
- apiGroups: [""]
|
|
resources: ["pods/log", "pods/exec"]
|
|
verbs: ["get", "create"]
|
|
```
|
|
|
|
### Step 3: Bind Roles to Users/Groups
|
|
```yaml
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: developer-binding
|
|
namespace: app-team
|
|
subjects:
|
|
- kind: Group
|
|
name: "dev-team"
|
|
apiGroup: rbac.authorization.k8s.io
|
|
roleRef:
|
|
kind: Role
|
|
name: developer
|
|
apiGroup: rbac.authorization.k8s.io
|
|
```
|
|
|
|
### Step 4: Secure Service Accounts
|
|
- Create dedicated service accounts per application
|
|
- Disable automountServiceAccountToken for pods that don't need API access
|
|
- Use projected service account tokens with audience and expiry
|
|
- Bind minimum required permissions to each service account
|
|
|
|
### Step 5: OIDC Integration
|
|
1. Configure API server with OIDC flags (issuer-url, client-id, username-claim, groups-claim)
|
|
2. Map OIDC groups to Kubernetes groups in RoleBindings
|
|
3. Use short-lived tokens from OIDC provider
|
|
4. Configure kubectl with OIDC authentication plugin
|
|
|
|
### Step 6: Audit and Monitoring
|
|
- Enable Kubernetes audit logging (audit-policy.yaml)
|
|
- Log all RBAC-related events (role creation, binding changes)
|
|
- Alert on ClusterRoleBinding creation/modification
|
|
- Monitor for privilege escalation attempts
|
|
- Regular review of who has cluster-admin access
|
|
|
|
## Security Controls
|
|
| Control | NIST 800-53 | Description |
|
|
|---------|-------------|-------------|
|
|
| Access Control | AC-3 | RBAC enforcement |
|
|
| Least Privilege | AC-6 | Minimum necessary Kubernetes permissions |
|
|
| Account Management | AC-2 | Service account lifecycle |
|
|
| Audit | AU-3 | Kubernetes audit logging |
|
|
| Separation of Duties | AC-5 | Namespace isolation |
|
|
|
|
## Common Pitfalls
|
|
- Granting cluster-admin to CI/CD pipelines
|
|
- Using wildcard (*) verbs or resources in ClusterRoles
|
|
- Not restricting pods/exec which allows container shell access
|
|
- Leaving default service account with broad permissions
|
|
- Not auditing who can create RoleBindings (privilege escalation vector)
|
|
|
|
## Verification
|
|
- [ ] All users authenticate via OIDC (no static tokens/certs)
|
|
- [ ] No unnecessary ClusterRoleBindings to cluster-admin
|
|
- [ ] Developers limited to their assigned namespaces
|
|
- [ ] Service accounts use least-privilege roles
|
|
- [ ] automountServiceAccountToken disabled by default
|
|
- [ ] Audit logging captures RBAC changes
|
|
- [ ] `kubectl auth can-i` validates expected permissions per persona
|