Add Authorization in Kubernetes Hardening Guide #43623
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,60 @@ | ||||||
| --- | ||||||
| title: Hardening Guide - Authorization | ||||||
| description: > | ||||||
| Information on authorization options in Kubernetes and their security properties. | ||||||
| content_type: concept | ||||||
| weight: 90 | ||||||
| --- | ||||||
|
|
||||||
| <!-- overview --> | ||||||
|
|
||||||
| Authorization in the Kubernetes ecosystem means specifying the privileges/permissions for a particular Kubernetes resource. Defining a proper authorization policy is an important step in preventing unauthorized access to clusters or privilege escalation attacks. | ||||||
|
|
||||||
| Kubernetes offers multiple ways to enforce permissions which are represented by various authorization modes and modules - [ Node authorization](/docs/reference/access-authn-authz/node/), [ABAC](/docs/reference/access-authn-authz/abac/), [Webhook](/docs/reference/access-authn-authz/webhook/), [RBAC](/docs/reference/access-authn-authz/rbac/). Using the RBAC mode is the most standard way of designing permissions for cluster users and the workloads. We can set the authorization mode using the `--authorization-mode` flag in the API server. | ||||||
|
|
||||||
| A proper authorization design helps in reducing the blast radius of any kind of attack. | ||||||
|
|
||||||
| <!-- body --> | ||||||
|
|
||||||
| ### Role based access control(RBAC) | ||||||
|
|
||||||
| RBAC mode is a way to control access to cluster resources based on the roles of individuals within anorganization. It is the most important authorization method for both developers and admins in Kubernetes. | ||||||
|
|
||||||
| It is used to restrict access for user accounts and service accounts. To check if RBAC is enabled in a cluster using `kubectl`, execute `kubectl api-version`. Enable the RBAC mode by setting `--authorization-mode` flag to RBAC in the `kube-apiserver` command line. | ||||||
|
|
||||||
| ``` | ||||||
| kube-apiserver --authorization-mode=RBAC | ||||||
| ``` | ||||||
|
|
||||||
| ### Least privilege principle | ||||||
|
|
||||||
| When designing authorization policies, it is imperative to adhere to the principle of least privilege. This principle states that every user or entity should only possess the essential privileges or rights necessary to access a specific resource. This principle can be implemented effectly by following measures :- | ||||||
|
|
||||||
| - Each group should be granted access only to the resources essential for its operations. Groups must not have permission to view or modify resources belonging to other groups. | ||||||
| - Users, user groups, and service accounts should be limited to interacting with and accessing resources within predefined namespaces. This ensures a focused and controlled access scope. | ||||||
| - It is crucial to refrain from using the AlwaysAllow value in the --authorization-mode flag. This value effectively disables all authorization modes, compromising the ability to enforce the principle of least privilege. | ||||||
| - Assigning rights using the `system:masters` group should always be avoided, as it possesses hardcoded cluster-admin rights. These rights cannot be revoked due to their hardcoded nature in the source code. Users with `system:masters` rights will always have administrative privileges. The groups who genuinely require cluster-admin rights should be provided a binding to the cluster-admin clusterrole. | ||||||
|
|
||||||
| ### Resources to restrict to prevent privilege escalation | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| To prevent privilege escalation, specific measures should be taken to restrict access to critical resources within the Kubernetes environment: | ||||||
|
|
||||||
| - *etcd*: A crucial component storing state information and cluster Secrets, requires careful access control. Roles should be defined for users with access limited to specific keys to prevent unauthorized access, safeguarding the entire cluster. | ||||||
|
There was a problem hiding this comment. Make it clear that these aren't roles in the RBAC sense |
||||||
|
|
||||||
| - *kubelet*: The primary node agent operating on every node, necessitates secure configuration. The kubelet service should run with --anonymous-auth=false to enhance security. The node/proxy right should be granted judiciously, ensuring only necessary users have access to the Kubelet API and preventing evasion of Kubernetes admission control. | ||||||
|
There was a problem hiding this comment.
|
||||||
|
|
||||||
| - *Kubernetes Dashboard* : a web-based UI for cluster interaction, poses a security risk if accessed by attackers. Users with elevated access to the dashboard can exploit vulnerabilities, including opening shell connections to pods and viewing Secrets. In the cluster role, grant users read-only permission to the dashboard, minimizing write access to mitigate the risk of cryptojacking attacks. | ||||||
|
There was a problem hiding this comment. Ideally, reword this to be good advice whether or not the cluster in question uses Kubernetes RBAC. |
||||||
|
|
||||||
| - *Kubernetes Secret* : An object containing sensitive information like passwords and tokens, demand controlled access. Unrestricted access to Secrets should be avoided to limit exposure to potential attackers. Admission controllers should be used to restrict access to only for necessary components. | ||||||
|
|
||||||
| - *Kubernetes API* : It is an HTTP API for querying and modifying cluster objects, is critical for communication. Unrestricted access to the API poses risks, including resource modifications, data breaches, and potential cluster takeovers. Implement RBAC policies with minimal verbs, ensuring that users have only the necessary permissions to interact with the Kubernetes API securely. | ||||||
|
There was a problem hiding this comment. Ideally, reword this to be good advice whether or not the cluster in question uses Kubernetes RBAC. |
||||||
|
|
||||||
| ### Admission controllers | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| You can extend the built-in RBAC policies using the validation admission webhooks to strengthen the authorization design. | ||||||
|
There was a problem hiding this comment. This is poor advice; if you want custom authz, you should use an authorization callout: https://kubernetes.io/docs/reference/access-authn-authz/webhook/ |
||||||
| A Kubernetes admission controller is a component of code that analyzes requests made to the Kubernetes API server and decides whether to approve them or deny them. The request gets evaluated after it has been verified and authorized by the API server before it is granted and implemented. | ||||||
| This is an optional feature that may only be required for large-scale clusters or where complex security is required. They can be adjustable for many different user-specific scenarios and environments. There are many open source and commercial implementations from which organizations can choose and enforce their specific restrictions. | ||||||
|
|
||||||
| ### Auditing RBAC policies | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| As the application grows, the scope of the components expands, and the required permissions for certain resources also change. There is a high chance that any admin or developer might unknowingly give extra permission to any of the defined roles at any time. Regular reviews of the existing RBAC policies are required to check for and prevent such mistakes. There are open source tools available to audit the cluster's RBAC policies. | ||||||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.