could you please support me in understanding how to configure the NetworkPolicy in order to set rule, that only predefined user's role may have access for specific pod (or service)?
I have begun with Kubernetes and read "Kebernetes in action", but didn't found any description how to do it. In general, this request is Authorisation task and only solution (i suppose) is to apply some kind of CustomResourceDefinition and create my own controller for manage the behaviour of CustomNetworkPolicy. Am I on right way, or is there any appropriate solution?
My microservices current equipped with authorisation on application level, but i need to move this task on cluster level. One of a reason is, i.e. I can orchestrate access of users without to change the source code of microservices.
I will be very thankful for some example or clarification
Using NetworkPolicy you can only manage the incoming and outgoing traffic to/from pods. For authorization, you can leverage service mesh which provides many more functionalities without changing your source code. The most famous one is istio (https://istio.io/docs/tasks/security/authorization/authz-http/), you can check more of them.
You could use RBAC to control your cluster access permissions.
This link show how you could use RBAC to restrict a namespace from a specific user.
It works perfectly if you need your pods have a limited access to other pods or resources. You could create a serviceAccount with defined permissions and link this account in your deployment, for example. See this link
References:
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
https://kubernetes.io/docs/reference/access-authn-authz/authorization/
Related
I want to make sure that a Network Policy exists when an Ingress is created / updated. CertManager spawns a Pod to get a ACME certificate for the URL when an Ingress is created and fails if no NetworkPolicy is defined.
Sadly I haven't found a way to access Network Policies for the Namespace the Ingress is created in.
You can do this by a custom admission-controller. I suggest this because OPA implements policy and compliance checking and therefore has the feature to implement the same, it might not come out of the box with functionality for dependency checking.
Since, the problem you have, however, is more of a workflow/dependency problem. You want to ensure resource creation/deletion enforcement based on dependency resolution. This is best done through a custom admission-controller. This will have the ability to query your API server to get information about existing resources before allowing certain requests to be passed to it. You can read more about admission-controllers here in the k8s docs.
Is it possible to configure k8s in a way that empty secrets are not possible?
I had a problem in a service that somewhat the secret got overwritten with an empty one (zero bytes) and thereby my service malfunctioned. I see no advantage of having an secret empty at any time and would like to prevent empty secrets all together.
Thans for your help!
While it's not a simple answer to implement, as best I can tell what you are looking for is an Admission Controller, with a very popular one being OPA Gatekeeper
The theory is that kubernetes, as a platform, does not understand your business requirement to keep mistakes from overwriting Secrets. But OPA as a policy rules engine allows you to specify those things without requiring the upstream kubernetes to adopt those policies for everyone
An alternative is to turn on audit logging and track down the responsible party for re-education
A further alternative is to correctly scope RBAC Roles to actually deny writes to Secrets except for those credentials that are known to be trusted
I have an application that is going to monitor and if necessary scale other resources. At the moment I am using the cluster-admin tokens for it to access the k8s api but I want to limit its access to just monitor and scale.
I know that I need to use Role and Rolebinding for this but I have two questions:
Can I use just one user and bind it to a role in different namespaces? I need to run multiple instances of my application in different namespaces on a cluster
Is there a way to create a new k8s user via yaml file and use that to bind the role?
At the end if I am using a wrong approach please let me know because I am somehow newbie in RBAC.
You seem to have the right approach.
Have a look at the documentation: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
From experience always leave resources that are linked inside the same namespace, one user with one clusterrole and rolebinding.
Still in the case of rolebinding, they are not namespaced so you should be able to bind one user by namespace to a single clusterrole. Never tested it myself so you will have to do some testing.
There is still the question of why not just create a single app, with a serviceaccount having access to all namespaces and so one app deployed in a namespace will be able to access all the resources it needs to managed in all the cluster?
I am currently setting up a cluster for a team. I've setup a hierarchial role based authentication. I've used the Kuberentes role API to define the roles. However, you can only restrict the CRUD operations for the roles.
How can I limit resources like cpu or memory based on roles?
EDIT:
Seems like there is no way to do that directly. Namespaces would have to be created for each role and then ResourceQuotas will have to be applied on them.
I think you need to use Resource Quotas Policy in Kubernetes.
Refer to this link - Resource Quotes
Create different namespace for each team. you should be using ResourceQuota to limit the resources at namepsace level.
Follow the link for help --> ResourceQuota in Kubernetes
I was doing some research, but could not really find an answer in the K8s documentation. Is it possible to orchestrate that certain pods in a Kubernetes cluster have access to other certain resources outside of the cluster without giving the permissions to the whole cluster?
For example: A pod accesses data from Google storage. To not hard code some credentials I want it to be able to access it via RBAC/IAM, but on the other hand I do not want another pod in the cluster to be able to access the same storage.
This is necessary as users interact with those pods and the data in the storages have privacy restrictions.
The only way I see so far is to create a service account for that resource and pass the credentials of the service account to the pod. So far I am not really satisfied with this solution, as passing around credentials seems to be insecure to me.
Unfortunately, there is only one way to do this, and you wrote it looks insecure for you. I found an example in documentation and they use the way where you store credential of service account in secret and then use it in pod from secret.