Anyone knows how to give individual limited cluster access to users without using RBAC in kube 1.5.7? - kubernetes

I want to be able to give certain users limited access to the cluster. The admin user is in the kube config, but I want to give access to individual users like "bob" but only to a certain namespace etc. Is this possible without using RBAC?

You will need to use ABAC authorization mode: https://kubernetes.io/docs/admin/authorization/abac/
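As an added illustration (not part of the answer above or of the Kubernetes code base), here is a constructed ABAC policy file in the documented v1beta1 format that limits a user "bob" to read-only access to pods in a single namespace, together with a small Python re-implementation of the documented matching rules (resource requests only; the real evaluator lives in the apiserver) so you can check what such a file would allow before deploying it.

```python
import json

# Constructed policy file (one JSON object per line), in the documented
# abac.authorization.kubernetes.io/v1beta1 format. "admin" may do anything;
# "bob" may only get/list/watch pods in namespace "dev".
POLICY_FILE = """
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "admin", "namespace": "*", "resource": "*", "apiGroup": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "bob", "namespace": "dev", "resource": "pods", "readonly": true}}
"""

READ_VERBS = {"get", "list", "watch"}  # the only verbs a readonly policy covers

def load_policies(text):
    return [json.loads(line)["spec"] for line in text.splitlines() if line.strip()]

def _field_matches(policy_value, attr_value):
    # "*" matches any value; an unset property is its zero value ("") and
    # matches only an attribute that is also "" (e.g. the core API group).
    return policy_value == "*" or policy_value == attr_value

def policy_matches(spec, user, groups, verb, namespace, resource, api_group):
    # Simplified illustration of the documented rules, resource requests only.
    p_user, p_group = spec.get("user", ""), spec.get("group", "")
    if not p_user and not p_group:  # a policy must name a user or a group
        return False
    if p_user and not _field_matches(p_user, user):
        return False
    if p_group and not (p_group == "*" or p_group in groups):
        return False
    if spec.get("readonly", False) and verb not in READ_VERBS:
        return False
    return (_field_matches(spec.get("namespace", ""), namespace)
            and _field_matches(spec.get("resource", ""), resource)
            and _field_matches(spec.get("apiGroup", ""), api_group))

def authorized(policies, user, groups, verb, namespace, resource, api_group=""):
    # One matching line is enough; ABAC has no deny rules, only allow lines.
    return any(policy_matches(p, user, groups, verb, namespace, resource, api_group)
               for p in policies)

POLICIES = load_policies(POLICY_FILE)

if __name__ == "__main__":
    for user, verb, ns, res, grp in [("bob", "get", "dev", "pods", ""), ("bob", "create", "dev", "pods", ""),
                                     ("bob", "get", "prod", "pods", ""), ("bob", "get", "dev", "deployments", "apps")]:
        print(user, verb, res, "in", ns, "->", authorized(POLICIES, user, [], verb, ns, res, grp))
```

The apiserver reads such a file via --authorization-mode=ABAC --authorization-policy-file=<path> and only picks up changes on restart; note that leaving apiGroup unset matches only the core group, so "bob" gets nothing in "apps" resources unless a line says so.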

Related

Kubernetes RBAC set subtraction / cluster-admin without capabilities

Is it possible to create a Kubernetes cluster admin without the ability to modify/read certain namespace and its content?
I am talking about subtracting certain permissions from an existing role.
thanks.
To get the behavior you want you would need a set subtraction of cluster-admin role minus the rules that you have defined. It's not supported in K8s as of this writing.
If you need a custom role which has less permissions than a predefined role, it would be more clear to list those permissions rather than to list the inverse of those permissions.

Restrict access of a K8s secret to a particular service account

I have a secret which contains very sensitive information.
I want to make sure that this secret can only be accessed by a certain service account and nobody else.
Using RBAC, I can tell which user can access which resources. But is there some way where I can tell that this secret can only be accessed by this user?
As far as I know, there is no straightforward way to get that info (it might require writing a script that iterates through rolebindings & clusterrolebindings).
Recently I found a plugin called kubectl who-can (kubectl-who-can) that fetches those kinds of details with one command.
It is possible to get it done with Validating webhook where the API request fields are parsed and checked for matching users.
OPA can be used to do some heavy lifting.

What are Kubernetes Users for?

I'm studying Kubernetes now, and have a question about Kubernetes Users. I learned how to create Users and how to limit access by Role, but when should I use it? For example, if a malicious user (not a k8s user, but an operating user) penetrates the k8s server, they can switch to the administrator easily (if they can see .kube/config). In addition to that, if a user switches his or her user account and forgets to switch back, then another person who enters next can also use the first user's account. I doubt if I misunderstand the usage of k8s Users, but there seem to be no documents about why k8s prepared it. I assume that Users are only used for doing something from within pods, but if so, what's the difference between Users and Service Accounts?
Kubernetes has a very loose idea of a user. It knows that authentication is a thing, and that the output of that is a name and maybe some groups and tags. But really all it does is hand that info off to the authorization plugins to decide if a given request is allowed or not. ServiceAccounts are a specific object type because they generate you a JWT signed by the cluster, but there isn't a specific User type; that only exists within the context of your authentication plugin(s).

How to Limit Kubernetes Dashboard Users from Seeing Secrets?

The Kubernetes Dashboard allows users to see all secrets, including their raw values with just a couple clicks. These secrets will likely contain very sensitive data, such as production database passwords and private keys.
How do you limit users of the Dashboard, so that they can't see the sensitive data?
This is a known issue and it is simply not officially supported at the moment - the Dashboard is a super-user level administration tool. This should not be the case forever, but more help is needed to get it there.
There are some workarounds discussed in that issue thread that work currently. Here are some notable quirks around them to be aware of beforehand:
Should the dashboard be under a dashboard user, and limited by that? If so, like Anirudh suggested you can neuter parts of the Dashboard and it will work fine and get 403s if they access the Secrets panel.
Should the dashboard be under a logged in user, and be limited to what that user can see? This means that kubectl proxy will be necessary without some browser plugin or MITM proxy to attach the needed auth to dashboard server calls but it is possible.

In the Yii framework, is accessControl and accessRules independent of RBAC?

In Yii, there is an accessControl filter and an accessRules method that handle simple authorization to certain tasks. In my application, I have RBAC to authorize users into roles.
My question is should I use the accessControl filter and accessRules method in addition to RBAC or can I remove them and use RBAC exclusively?
You can make use of RBAC along with the accessRules() method by passing an array with the roles you want to check (of course, those roles need to be defined in your RBAC schema for it to work).
Further information on that: http://www.yiiframework.com/doc/api/1.1/CAccessControlFilter
Also you can use RBAC on its own, by calling Yii::app()->user->checkAccess() every time you want to check if a user's got the permissions to access a resource, task or anything else.
I would recommend making use of accessRules + RBAC when you need to restrict access to controllers/actions according to users' roles, and using RBAC alone when it comes to more granular access control.