Pods to communicate with namespaces with the label `network: green`. • Applies to all pods in the blue namespace. • Affects both incoming and outgoing traffic. • For separation of duties, use RBAC to only allow network admins to create/modify namespaces and network policies. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-green namespace: blue spec: podSelector: {} # Match everything! policyTypes: - Ingress # Affects incoming traffic - Egress # Affects outgoing traffic ingress: - from: - namespaceSelector: matchLabels: network: green egress: - to: - namespaceSelector: matchLabels: network: green
do what”) • (Cluster)RoleBindings: ◦ Matches users, groups and service accounts to (Cluster)Roles (the “who”) • Scope: ◦ Roles and RoleBindings only work within a namespace ◦ ClusterRoles and ClusterRoleBindings work at the cluster level ◦ Possible to mix, e.g. ClusterRole + RoleBinding • Privilege escalation prevention ◦ Prevent users from giving more privileges than they already have Role based access control - RBAC
be created, updated or patched. • The RoleBinding DeveloperDeployer binds the Role to user Dev. This simply means that user Dev is allowed to create, update and patch Deployments in the default namespace. apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: Deployer namespace: default rules: - apiGroups: [""] # "" indicates the core API group resources: ["deployments"] verbs: ["create", "update", "patch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: DeveloperDeployer namespace: default subjects: - kind: User name: Dev # Name is case sensitive apiGroup: rbac.authorization.k8s.io roleRef: kind: Role # this must be Role or ClusterRole name: Deployer # must match name of the (Cluster)Role apiGroup: rbac.authorization.k8s.io
$ kubectl create role test --verb=get,list,create,delete,patch,update --resource=rolebindings $ # Bind user lennart to the role $ kubectl create rolebinding test --role=test --user=lennart $ # Try to grant admin privileges to lennart while impersonating lennart $ kubectl create rolebinding hack --clusterrole=admin --user=lennart --as=lennart Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io "hack" is forbidden: user "lennart" (groups=["system:authenticated"]) is attempting to grant RBAC permissions not currently held: ... Privilege escalation prevention
must have permission to “use” the PSP • Who creates the pod? Who needs to use the PSP? • What can we control? ◦ User ID of container processes ◦ Privileged mode ◦ Volume mounts ◦ SELinux ◦ AppArmor PodSecurityPolicies - What can Pods do?
The Deployment holds a reference to a ServiceAccount. ◦ Defaults to “default”, which is automatically created in every namespace. • Kubernetes uses a ServiceAccount to create a ReplicaSet for the current version of the Deployment. • Kubernetes uses a ServiceAccount to create Pods for the ReplicaSet. • Pods act through their ServiceAccounts and must be able to use a PSP matching their configuration. • The ServiceAccount referred to in the Deployment must be able to run the Pods. Who creates the Pod?