10 Essentials for Kubernetes Access Control


1. Single Sign-On

Rather than relying on static passwords or on long-lived client certificates handed to each person, use single sign-on (SSO) to authenticate to your Kubernetes cluster. The API server can be configured to accept OpenID Connect (OIDC) ID tokens, so users log in through an identity provider that implements OIDC, such as Azure AD, Google, or Salesforce, and get the same login flow, multi-factor authentication, and offboarding they already have for the rest of the organization. The provider returns an access token, an ID token, and a refresh token. The ID token is a signed JWT that the API server verifies (signature, issuer, audience, and expiry) and maps to a Kubernetes username and groups; those names are what RBAC then authorizes. Kubernetes never issues or revokes these tokens itself, so keep ID tokens short-lived and let the client renew them with the refresh token.
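To show what the API server actually checks before it trusts an ID token, here is an added example (not code from the original post and not Kubernetes' own authenticator) that validates a token's signature, issuer, audience, and expiry and maps its claims to a Kubernetes username and groups, mirroring the --oidc-issuer-url, --oidc-client-id, --oidc-username-claim, --oidc-username-prefix, --oidc-groups-claim, and --oidc-groups-prefix flags. The issuer URL, client ID, user, groups, and the HS256 shared key are assumptions made for the example; a real API server verifies RS256 or ES256 signatures against the issuer's published JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Settings mirroring the kube-apiserver OIDC flags. The values are assumptions
# for this example: --oidc-issuer-url, --oidc-client-id, --oidc-username-claim,
# --oidc-username-prefix, --oidc-groups-claim, --oidc-groups-prefix.
OIDC_ISSUER = "https://login.example.com"
OIDC_CLIENT_ID = "kubernetes"
USERNAME_CLAIM = "email"
USERNAME_PREFIX = "oidc:"
GROUPS_CLAIM = "groups"
GROUPS_PREFIX = "oidc:"

# Shared HS256 key used only so the example runs offline. A real API server
# verifies RS256/ES256 signatures against the issuer's published JWKS instead.
SIGNING_KEY = b"example-key-not-for-production"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build a compact JWT (header.payload.signature) as an identity provider would, HS256-signed."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def authenticate(token: str, now: float = None, key: bytes = SIGNING_KEY) -> dict:
    """Validate an ID token as the API server's OIDC authenticator does and return
    the Kubernetes identity {"username", "groups"}. Raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept "none" or an algorithm you did not configure
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # The token must come from the configured issuer and be minted for this cluster.
    if claims.get("iss") != OIDC_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != OIDC_CLIENT_ID and not (isinstance(aud, list) and OIDC_CLIENT_ID in aud):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if USERNAME_CLAIM not in claims:
        raise ValueError("missing username claim " + USERNAME_CLAIM)
    # Prefixes keep OIDC identities from colliding with built-in names such as system:masters.
    username = USERNAME_PREFIX + str(claims[USERNAME_CLAIM])
    groups = [GROUPS_PREFIX + g for g in claims.get(GROUPS_CLAIM, [])]
    return {"username": username, "groups": groups}


def is_accepted(token: str, now: float) -> bool:
    """True if the API server would establish an identity from this token."""
    try:
        authenticate(token, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample token, not output from a real identity provider.
    token = make_id_token({"iss": OIDC_ISSUER, "aud": OIDC_CLIENT_ID, "exp": int(time.time()) + 300,
                           "email": "alice@example.com", "groups": ["platform-admins"]})
    print(authenticate(token))
```

The order of checks matters: the signature is verified before any claim is read, so a forged or tampered token is rejected without its claims ever influencing the decision, and the audience check stops a token minted for some other application from being replayed against the cluster.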

2. Audit Logging

Audit logging records requests to the Kubernetes API server: the URI requested, which user or service account made the request, when it was made, the client's source IP, the object it targeted, the response code, and, through annotations on the event, whether the authorizer allowed or forbade it and why. It is not on by default; you enable it by giving the API server an audit policy file (--audit-policy-file) and a destination (--audit-log-path for a file, or a webhook backend). The policy decides, rule by rule, how much of each request is recorded (None, Metadata, Request, or RequestResponse); keep Secrets at Metadata so their contents never land in the log. With the JSON log format each event is one JSON object per line (JSON Lines), which makes the log easy to ship to a SIEM and query.
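As an added example (not from the original article), the following Python reads constructed audit events in the JSON Lines shape the API server writes, applies a small audit policy with the server's first-match rule semantics, and then runs two detections a security team would want over the result: Secrets read by human users rather than workloads, and requests the authorizer forbade. The user names, IPs, namespaces, and timestamps in the sample lines are invented for the example, and the event fields are trimmed to the ones used.

```python
import json

# Constructed audit events, one JSON object per line as written to --audit-log-path
# with --audit-log-format=json. Trimmed to the fields used below; real events carry more.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"RequestReceived","requestURI":"/api/v1/namespaces/prod/secrets/db-creds","verb":"get","user":{"username":"alice@example.com","groups":["system:authenticated","developers"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"requestReceivedTimestamp":"2024-03-01T10:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/secrets/db-creds","verb":"get","user":{"username":"alice@example.com","groups":["system:authenticated","developers"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-03-01T10:00:00.000000Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"secret-readers/prod\" of Role \"secret-reader\" to User \"alice@example.com\""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/secrets/db-creds","verb":"get","user":{"username":"system:serviceaccount:prod:api","groups":["system:serviceaccounts","system:authenticated"]},"sourceIPs":["10.244.1.7"],"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-03-01T10:00:05.000000Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"api/prod\" of Role \"api\" to ServiceAccount \"api/prod\""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets","verb":"list","user":{"username":"bob@example.com","groups":["system:authenticated","developers"]},"sourceIPs":["203.0.113.9"],"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":403,"status":"Failure","reason":"Forbidden"},"requestReceivedTimestamp":"2024-03-01T10:01:00.000000Z","annotations":{"authorization.k8s.io/decision":"forbid","authorization.k8s.io/reason":""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods?watch=true","verb":"watch","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["10.0.0.1"],"objectRef":{"resource":"pods","namespace":"prod"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-03-01T10:01:30.000000Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:kube-controller-manager\" of ClusterRole \"system:kube-controller-manager\" to User \"system:kube-controller-manager\""}}
"""

# Audit policy rules in the shape of an audit.k8s.io/v1 Policy, as dicts. The
# first matching rule wins, so order matters: the noisy controller-manager watch
# is dropped, Secrets stay at Metadata (their bodies never reach the log), and
# everything else is recorded with its request body.
AUDIT_POLICY_RULES = [
    {"level": "None", "users": ["system:kube-controller-manager"], "verbs": ["watch"]},
    {"level": "Metadata", "resources": [{"group": "", "resources": ["secrets"]}]},
    {"level": "Request"},
]


def audit_level(rules: list, event: dict) -> str:
    """Level the policy assigns to an event (first-match semantics; no match means not logged)."""
    ref = event.get("objectRef", {})
    for rule in rules:
        if "users" in rule and event["user"]["username"] not in rule["users"]:
            continue
        if "verbs" in rule and event["verb"] not in rule["verbs"]:
            continue
        if "resources" in rule and not any(
            ref.get("apiGroup", "") == r.get("group", "")
            and (not r.get("resources") or ref.get("resource") in r["resources"])
            for r in rule["resources"]
        ):
            continue
        return rule["level"]
    return "None"


def parse_audit_log(text: str) -> list:
    """Parse JSON Lines and keep only the ResponseComplete stage, so each request counts once."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            event = json.loads(line)
            if event.get("stage") == "ResponseComplete":
                events.append(event)
    return events


def is_human(username: str) -> bool:
    """Control-plane components and service accounts all carry the system: prefix."""
    return not username.startswith("system:")


def human_secret_reads(events: list) -> list:
    """Successful Secret reads by people rather than workloads: (user, verb, namespace, name, source IP)."""
    hits = []
    for event in events:
        ref = event.get("objectRef", {})
        if (ref.get("resource") == "secrets" and event["verb"] in ("get", "list", "watch")
                and is_human(event["user"]["username"])
                and event.get("responseStatus", {}).get("code") == 200):
            hits.append((event["user"]["username"], event["verb"], ref.get("namespace"),
                         ref.get("name"), event["sourceIPs"][0]))
    return hits


def denied_requests(events: list) -> list:
    """Requests the authorizer forbade; a burst of these from one user usually means permission probing."""
    return [(event["user"]["username"], event["verb"], event["requestURI"], event["sourceIPs"][0])
            for event in events
            if event.get("annotations", {}).get("authorization.k8s.io/decision") == "forbid"]


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("secret reads by humans:", human_secret_reads(events))
    print("denied requests:", denied_requests(events))
```

Filtering on the ResponseComplete stage is deliberate: the API server emits a RequestReceived event as well, and counting both doubles every request. The authorization.k8s.io/reason annotation names the exact binding that granted access, which is what you want when an alert fires and the first question is "which Role let them do that".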

3. Role-Based Access Control

Role-based access control (RBAC) is how you grant users, groups, and service accounts permissions in the cluster. Kubernetes has no user objects of its own: identities come from the authenticator (client certificates, tokens, OIDC), and RBAC binds those identities to permissions. Handing every user the cluster-admin kubeconfig or client certificate generated at install time is the mistake to avoid, because that credential bypasses every per-user restriction and cannot be revoked without rotating the cluster CA. Instead, define Roles (namespaced) or ClusterRoles (cluster-wide) that list which API groups, resources, and verbs are allowed, and attach them to subjects with RoleBindings or ClusterRoleBindings. RBAC is deny-by-default: a request is allowed only if some binding grants it.
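Added example (not from the post and not Kubernetes' own authorizer): a Role and RoleBinding in the dict form that kubectl get -o json returns, plus a simplified authorizer that answers the same question as kubectl auth can-i <verb> <resource> --namespace <ns> --as <user> by applying RBAC's matching rules. A request is allowed only when a RoleBinding in the request's namespace names a matching subject and the bound Role has a rule covering the verb, API group, resource, and (if the rule lists any) resource name. The namespace team-a, user alice@example.com, and group team-a-devs are assumptions; ClusterRoles and ClusterRoleBindings are left out to keep the model short.

```python
# Manifests as the dicts `kubectl get role,rolebinding -n team-a -o json` would return.
# Namespace, user, group, and resource names are assumptions for the example.
ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"namespace": "team-a", "name": "pod-reader"},
    "rules": [
        # Read-only access to pods and their logs in the core ("") API group.
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
        # Read exactly one Deployment; resourceNames narrows the rule to named objects.
        {"apiGroups": ["apps"], "resources": ["deployments"], "resourceNames": ["web"], "verbs": ["get"]},
    ],
}

ROLE_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "RoleBinding",
    "metadata": {"namespace": "team-a", "name": "pod-reader-binding"},
    "subjects": [
        {"kind": "User", "name": "alice@example.com", "apiGroup": "rbac.authorization.k8s.io"},
        {"kind": "Group", "name": "team-a-devs", "apiGroup": "rbac.authorization.k8s.io"},
    ],
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "pod-reader"},
}


def matches(allowed: list, wanted: str) -> bool:
    """RBAC list matching: an explicit entry or the "*" wildcard."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule: dict, api_group: str, resource: str, verb: str, name: str = "") -> bool:
    """One PolicyRule permits a request only if every dimension it names matches."""
    if not matches(rule.get("verbs", []), verb):
        return False
    if not matches(rule.get("apiGroups", []), api_group):
        return False
    if not matches(rule.get("resources", []), resource):
        return False
    names = rule.get("resourceNames", [])
    return not names or name in names


def subject_matches(subject: dict, username: str, groups: list) -> bool:
    """Does a binding subject cover this authenticated identity?"""
    if subject["kind"] == "User":
        return subject["name"] == username
    if subject["kind"] == "Group":
        return subject["name"] in groups
    if subject["kind"] == "ServiceAccount":
        # Service accounts authenticate as system:serviceaccount:<namespace>:<name>.
        return username == "system:serviceaccount:%s:%s" % (subject["namespace"], subject["name"])
    return False


def can_i(roles: list, bindings: list, username: str, groups: list, namespace: str,
          api_group: str, resource: str, verb: str, name: str = "") -> bool:
    """Deny by default; allow only if a RoleBinding in the namespace binds a matching
    subject to a Role in that namespace whose rules cover the request."""
    role_index = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace or binding["roleRef"]["kind"] != "Role":
            continue
        if not any(subject_matches(s, username, groups) for s in binding.get("subjects", [])):
            continue
        role = role_index.get((namespace, binding["roleRef"]["name"]))
        if role and any(rule_allows(rule, api_group, resource, verb, name) for rule in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    alice = ("alice@example.com", ["system:authenticated"])
    for check in [("team-a", "", "pods", "get"), ("team-a", "", "pods", "delete"),
                  ("team-a", "", "secrets", "get"), ("team-b", "", "pods", "get")]:
        print(check, "->", can_i([ROLE], [ROLE_BINDING], *alice, *check))
```

Against a live cluster the same questions are asked with kubectl auth can-i, for example kubectl auth can-i get secrets --namespace team-a --as alice@example.com --as-group team-a-devs (impersonation itself requires permission on the impersonate verb). Note that the binding's namespace is what scopes the grant: the identical Role in team-b grants alice nothing unless a binding exists there too.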

4. Policy Configuration

Kubernetes policies let you restrict resource usage and keep workloads from reaching components they have no business touching. ResourceQuota and LimitRange cap what a namespace may consume, NetworkPolicy restricts which pods and IP ranges may talk to each other (it only takes effect if your CNI plugin enforces it), and pod security controls stop pods from running privileged, as root, or in the host's namespaces. PodSecurityPolicy was deprecated in 1.21 and removed in 1.25; use the built-in Pod Security Admission with its privileged, baseline, and restricted standards, or an admission controller such as OPA Gatekeeper or Kyverno, instead.

5. Kubernetes Contexts

A kubeconfig file tells kubectl how to reach a cluster and how to authenticate to it; authorization is decided on the server by RBAC, not by anything in the file. A context in that file names a cluster (server URL and certificate authority data), a user (a client certificate, a bearer token, or an exec or OIDC plugin that fetches one), and a default namespace, and kubectl uses whichever context is current. Kubeconfig files are produced by the tool that provisions the cluster (kubeadm, for example) or by the managed provider's CLI, such as gcloud container clusters get-credentials, aws eks update-kubeconfig, or az aks get-credentials. Treat the file as a credential: it should be readable only by its owner, and per-user contexts with short-lived tokens are preferable to a shared file with an embedded client certificate.

7. Hardened Worker Node Access

Whenever you run a kubectl command, it goes to the API server on the control plane, which validates and authorizes it and records the desired state in etcd; the scheduler then picks a worker node, and that node's kubelet runs the pod. Because pods run on worker nodes, access to a worker node is access to every container, mounted secret, and service account token on it, and access to etcd is access to the whole cluster. Restrict SSH to nodes, do not expose the kubelet API anonymously (set anonymous-auth to false and use webhook authorization on the kubelet), run etcd with TLS and client certificate authentication, and keep application workloads off the control plane nodes.

8. External Secrets

Kubernetes Secrets hold sensitive data such as passwords and API keys. Their data field is only Base64 encoded, which anyone can reverse; it is not encryption. By default the API server also stores Secrets unencrypted in etcd, so an etcd backup, or any subject with get or list on the secrets resource, yields them in the clear. Turn on encryption at rest for Secrets (an EncryptionConfiguration, ideally backed by a KMS provider), restrict RBAC on the secrets resource, and for credentials that must be rotated or audited keep the source of truth in an external store such as HashiCorp Vault or your cloud provider's secret manager, syncing or injecting from there.

9. Namespaces

Namespaces partition the cluster's resources. You can put pods, services, or secrets in different namespaces based on your needs, for example database pods in one namespace and frontend application pods in another, and then scope Roles, ResourceQuotas, and NetworkPolicies to each. Keep in mind that a namespace is a scoping boundary, not a hard security boundary: without a NetworkPolicy, pods in different namespaces can still reach each other, and a ClusterRoleBinding grants access across all of them.

10. Continuous Updates

Kubernetes releases a new minor version three times a year, and only the three most recent minor versions receive patches, so a cluster that stays on an old release stops getting security fixes. Each release fixes bugs, ships security patches, and adds or graduates features; RBAC, for instance, arrived as beta in 1.6 and became stable in 1.8, and Pod Security Admission replaced PodSecurityPolicy in 1.25. Plan regular upgrades of the control plane and then the nodes, staying within the supported version skew, and apply patch releases promptly.

Conclusion

Kubernetes is popular but complex, and the access you grant on your cluster deserves close attention. Not every user needs the same permissions on every component. Scoping access to what each user actually needs keeps the cluster secure and makes responsibilities clear, because each team member knows exactly what their role allows them to do in your Kubernetes environment.

Loft Labs

>> www.loft.sh << Build Your Internal Kubernetes Platform With Virtual Clusters, Namespace Self-Service & Secure Multi-Tenancy