Pods to communicate with namespaces with the label `network: green`. • Applies to all pods in the blue namespace. • Affects both incoming and outgoing traffic. • For separation of duties, use RBAC to only allow network admins to create/modify namespaces and network policies. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-green namespace: blue spec: podSelector: {} # Match everything! policyTypes: - Ingress # Affects incoming traffic - Egress # Affects outgoing traffic ingress: - from: - namespaceSelector: matchLabels: network: green egress: - to: - namespaceSelector: matchLabels: network: green
do what”) • (Cluster)RoleBindings: ◦ Matches users, groups and service accounts to (Cluster)Roles (the “who”) • Scope: ◦ Roles and RoleBindings only work within a namespace ◦ ClusterRoles and ClusterRoleBindings work at the cluster level ◦ Possible to mix, e.g. ClusterRole + RoleBinding • Privilege escalation prevention ◦ Prevent users from giving more privileges than they already have Role based access control - RBAC
be created, updated or patched. • The RoleBinding DeveloperDeployer binds the Role to user Dev. This simply means that user Dev is allowed to create, update and patch Deployments in the default namespace. apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: Deployer namespace: default rules: - apiGroups: [""] # "" indicates the core API group resources: ["deployments"] verbs: ["create", "update", "patch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: DeveloperDeployer namespace: default subjects: - kind: User name: Dev # Name is case sensitive apiGroup: rbac.authorization.k8s.io roleRef: kind: Role # this must be Role or ClusterRole name: Deployer # must match name of the (Cluster)Role apiGroup: rbac.authorization.k8s.io
$ kubectl create role test --verb=get,list,create,delete,patch,update --resource=rolebindings $ # Bind user lennart to the role $ kubectl create rolebinding test --role=test --user=lennart $ # Try to grant admin privileges to lennart while impersonating lennart $ kubectl create rolebinding hack --clusterrole=admin --user=lennart --as=lennart Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io "hack" is forbidden: user "lennart" (groups=["system:authenticated"]) is attempting to grant RBAC permissions not currently held: ... Privilege escalation prevention
must have permission to “use” the PSP • Who creates the pod? Who needs to use the PSP? • What can we control? ◦ User ID of container processes ◦ Privileged mode ◦ Volume mounts ◦ SELinux ◦ AppArmor PodSecurityPolicies - What can Pods do?
The Deployment holds a reference to a ServiceAccount. ◦ Defaults to “default”, which is automatically created in every namespace. • Kubernetes uses a ServiceAccount to create a ReplicaSet for the current version of the Deployment. • Kubernetes uses a ServiceAccount to create Pods for the ReplicaSet. • Pods act through their ServiceAccounts and must be able to use a PSP matching their configuration. • The ServiceAccount referred to in the Deployment must be able to run the Pods. Who creates the Pod?
lentzi90
soudai
robhawkes
jmmastey
mongodb
eileencodes
denniskardys
erikaheidi
trishagee
kneath
lynnandtonic
scottboms
rasmusluckow
