RBAC in Kubernetes
Questions and Answers

Which of the following flags can be used to enable RBAC in the Kubernetes API server?

  • --authorization-config (correct)
  • --enable-rbac
  • --authorization-mode (correct)
  • --rbac-enabled

(--authorization-config names a file whose authorizer list includes an RBAC authorizer; --authorization-mode takes a comma-separated list that must include RBAC. --enable-rbac and --rbac-enabled are not kube-apiserver flags.)

RBAC allows you to define 'deny' rules for access control.

False (permissions are purely additive; a request is allowed if any rule grants it and there is nothing that can take a grant away)

What are the four kinds of Kubernetes objects declared by the RBAC API?

Role, ClusterRole, RoleBinding, ClusterRoleBinding

A ______ always sets permissions within a particular namespace, while a ______ is a non-namespaced resource.

Role, ClusterRole

Match the following RBAC objects with their primary function:

Role = Defines permissions within a single namespace
ClusterRole = Defines permissions that are not tied to one namespace (cluster-scoped resources, non-resource endpoints, or namespaced resources across all namespaces)
RoleBinding = Grants a Role (or a ClusterRole, scoped to the binding's namespace) to subjects within one namespace
ClusterRoleBinding = Grants a ClusterRole to subjects across the whole cluster

You can use kubectl to create and manage RBAC objects.

True

What is the purpose of a RoleBinding?

To grant the permissions defined in a Role (or ClusterRole) to a set of subjects (users, groups, or ServiceAccounts) within a single namespace.

In the pod-reader Role example, which resource in the core API group (apiGroups: [""]) is granted read access?

Pods, with the verbs get, list and watch. Nothing is readable "by default": every permission must be granted by a rule.

A RoleBinding can bind a role to groups, users, or ServiceAccounts.

True

Which prefix is reserved for user and group names that Kubernetes manages itself (for example system:masters or system:serviceaccounts)?

system: (do not create your own users or groups with that prefix)

The API server automatically updates default ______ and ______ with any missing permissions and subjects.

ClusterRoles, ClusterRoleBindings (at each start-up, unless the object carries the annotation rbac.authorization.kubernetes.io/autoupdate set to "false")

The command kubectl auth reconcile is used to create and manage role bindings.

True (it creates or updates the Role, ClusterRole, RoleBinding and ClusterRoleBinding objects in a manifest file, deleting and recreating a binding if its roleRef has to change)

Which of the following commands would grant the permissions in the "view" ClusterRole to a service account named "myapp" in the namespace "acme" across the entire cluster?

kubectl create clusterrolebinding myapp-view-binding --clusterrole=view --serviceaccount=acme:myapp

(A RoleBinding, for example kubectl create rolebinding acme-myapp-view-binding --clusterrole=view --serviceaccount=acme:myapp --namespace=acme, grants the same permissions within the "acme" namespace only; cluster-wide scope requires a ClusterRoleBinding.)

What is the purpose of bootstrapping initial roles and role bindings?

The first user has to grant permissions they do not yet hold, so a credential in the system:masters group (bound to the cluster-admin super-user role by the default bindings) is used to create the initial roles and bindings, after which further roles and bindings can be set up normally.

Default RBAC policies grant no permissions to service accounts outside the ______ namespace (beyond the permissions given by API discovery roles).

kube-system

Which of the following is considered the most secure way to grant permissions to an application in Kubernetes?

Grant a role to an application-specific service account

When running Kubernetes with both RBAC and ABAC authorizers, if RBAC denies a request, the ABAC authorizer will then be consulted.

True (with --authorization-mode=...,RBAC,ABAC the RBAC authorizer runs first; only a request it does not allow reaches ABAC, so a permissive ABAC policy still wins)

Which of the following is NOT a common way to grant permissions to ServiceAccounts?

Grant a role to a specific group of users

What is the purpose of the command kubectl create rolebinding myappnamespace-myapp-view-binding --clusterrole view --serviceaccount myappnamespace:myapp?

To grant the permissions of the "view" ClusterRole to the service account "myapp" within the namespace the RoleBinding is created in (normally myappnamespace, selected with --namespace). A RoleBinding never grants cluster-wide access, even when it references a ClusterRole.

Match the following Kubernetes terms with their definitions:

Role = Defines a set of permissions that can be granted to users, groups, or service accounts
RoleBinding = Associates a Role or ClusterRole with a user, group, or service account
ClusterRole = Defines a set of permissions that applies to all namespaces in the cluster
ServiceAccount = An account that represents an application within a namespace
Subject = The entity that will be granted a role (e.g., user, group, service account)

In order from most secure to least secure, the approaches to granting permissions to ServiceAccounts are: ______, grant a role to all service accounts in a namespace, grant a cluster-wide role to all service accounts, and grant super-user access to all service accounts.

Grant a role to an application-specific service account (the last two approaches are strongly discouraged)

Kubernetes clusters created with Kubernetes v1.22 or later include write access to Endpoints in the aggregated "edit" and "admin" roles by default.

False (that access was removed from the aggregated roles in clusters created with v1.22 or later, as a mitigation for CVE-2021-25740)

What is the primary benefit of using fine-grained role bindings?

Enhanced security by limiting unnecessary access to API resources.

Which of the following is NOT a typical method for managing the transition from permissive ABAC policies to RBAC policies?

Granting cluster-admin permissions to all service accounts

The command kubectl create rolebinding myappnamespace-myapp-view-binding --clusterrole view --serviceaccount myappnamespace:______ --namespace myappnamespace would grant the "view" ClusterRole permissions within the namespace "myappnamespace" to the service account "myapp" in that namespace.

myapp

Kubernetes clusters created before v1.22 included write access to EndpointSlices in the aggregated "edit" and "admin" roles.

True

What is the significance of running the kube-apiserver with a log level of 5 or higher for the RBAC component?

RBAC denials are then written to the API server log, so you can see which requests failed and work out which roles still need to be granted, for example while migrating from ABAC to RBAC.

Which prefix is reserved for user and group names that Kubernetes manages itself?

system:

ServiceAccounts belong to groups with names prefixed with 'system:serviceaccounts:'.

True (system:serviceaccounts:<namespace> contains every service account in that namespace, and system:serviceaccounts contains all service accounts in the cluster)

What are the two types of RBAC objects that bind a role to subjects?

RoleBinding and ClusterRoleBinding

To repair accidental modifications, the API server automatically updates default ______ and ______ with any missing permissions and subjects.

ClusterRoles, ClusterRoleBindings

What flag can be used in the API server configuration to disable anonymous unauthenticated access?

--anonymous-auth=false

The 'system:node' role is essential for kubelet API access and should be used in modern Kubernetes deployments.

False (system:node is deprecated; use the Node authorizer together with the NodeRestriction admission plugin, which limit each kubelet to the Pods scheduled on it)

Name a system: prefixed ClusterRole that is specifically designed for the Kubernetes controller manager.

system:kube-controller-manager (the individual built-in controllers have their own roles prefixed system:controller:, for example system:controller:deployment-controller)

When the kube-controller-manager is started with the flag ______, each controller runs using a separate ServiceAccount.

--use-service-account-credentials

Which label marks a ClusterRole whose rules should be added to the default 'admin', 'edit', or 'view' roles?

rbac.authorization.k8s.io/aggregate-to-admin, rbac.authorization.k8s.io/aggregate-to-edit or rbac.authorization.k8s.io/aggregate-to-view, set to "true" (there is no kubernetes.io/role-aggregation label)

The 'edit' role in Kubernetes allows for read/write access to all resources, including the ability to create Roles and RoleBindings.

False (edit grants read/write access to most objects in a namespace but cannot view or modify Roles or RoleBindings; it can read Secrets, so it can still obtain the access of any ServiceAccount in the namespace)

What resource does the 'admin' role NOT grant write access to?

Resource quota and the namespace itself; in clusters created with Kubernetes v1.22 or later, also EndpointSlices (and Endpoints)

The 'view' role does not allow reading ______, because that would expose ServiceAccount credentials and allow privilege escalation.

Secrets

Match the following roles with their primary function:

system:node = Deprecated role for kubelet API access (replaced by the Node authorizer and NodeRestriction admission plugin)
system:kube-controller-manager = Role for the controller manager component
admin = Read/write access to most resources in a namespace, including creating Roles and RoleBindings
edit = Read/write access to most objects in a namespace, but not Roles or RoleBindings
view = Read-only access to most objects in a namespace, excluding Secrets and RBAC objects

Which of the following statements regarding RoleBinding and ClusterRoleBinding is true?

A RoleBinding grants permissions within a specific namespace, while a ClusterRoleBinding grants permissions cluster-wide.

A RoleBinding can reference a ClusterRole and bind that ClusterRole to the namespace of the RoleBinding.

True

What is the purpose of the kubectl auth reconcile command-line utility?

The kubectl auth reconcile command-line utility creates or updates the RBAC objects in a manifest file, and handles deleting and recreating binding objects if required to change the role they refer to.

In Kubernetes, most resources are represented and accessed using a ______ representation of their object name.

string (for example "pods" for a Pod; RBAC rules use the same names that appear in the API URL)

Match the following RBAC concepts with their definitions:

Role = A set of permissions that can be granted to users, groups, or service accounts within a specific namespace.
ClusterRole = A set of permissions that can be granted to users, groups, or service accounts across the entire Kubernetes cluster.
RoleBinding = A mechanism for binding a Role (or a ClusterRole) to users, groups, or service accounts within a namespace.
ClusterRoleBinding = A mechanism for binding a ClusterRole to users, groups, or service accounts across the entire Kubernetes cluster.

Which of the following is NOT a valid way to represent resources in an RBAC role?

Using a colon to delimit resource and subresource, e.g. pods:log for Pod logs (the delimiter is a slash: pods/log)

The resourceNames list in an RBAC role can be used to restrict access to specific instances of a resource.

True (it cannot restrict create or deletecollection requests, because no single object name is known for those)

What is the purpose of the wildcard (*) symbol in RBAC roles?

A * in the resources, apiGroups or verbs list matches every item of that kind, including resources and verbs added to the API after the rule was written.

Which of the following statements regarding ClusterRole aggregation is true?

ClusterRole aggregation combines multiple ClusterRoles into one combined ClusterRole, and it can be used to extend the default user-facing roles to cover custom resources.

After creating a binding, its roleRef can be changed to reference a different role.

False (roleRef is immutable; delete and recreate the binding, which is what kubectl auth reconcile does for you)

The ______ defines a label selector that a controller uses to match other ClusterRole objects that should be combined into the rules field of this one.

aggregationRule

What is the principle of least privilege in the context of RBAC?

Users, groups, and service accounts should only have access to the resources and permissions they need to perform their assigned tasks.

What is the purpose of the rules section in a Role or ClusterRole object?

To define the API groups, resources and verbs that the role grants access to.

A RoleBinding with a namespace of "development" can grant cluster-wide read access for Secrets.

False (even if it references a ClusterRole such as secret-reader, the grant is limited to the "development" namespace)

A ______ can be used to grant cluster-wide access, while a ______ is used to grant access within a specific namespace.

ClusterRoleBinding, RoleBinding

Which of the following statements accurately describes the difference between a RoleBinding and a ClusterRoleBinding?

A RoleBinding grants permissions within a specific namespace, while a ClusterRoleBinding grants those permissions cluster-wide.

A RoleBinding can reference a ClusterRole, and bind that ClusterRole's permissions to the namespace of the RoleBinding.

True

The name of a ______ or ______ object must be a valid path segment name.

RoleBinding, ClusterRoleBinding (the same rule applies to Role and ClusterRole names)

What is the primary purpose of the 'kubectl auth reconcile' command-line utility?

It creates or updates the RBAC objects in a manifest file, deleting and recreating a binding if its roleRef has to change. With --remove-extra-permissions and --remove-extra-subjects it also strips permissions and subjects that are not in the manifest, so the cluster ends up matching the manifest exactly rather than merely containing it.

Match each Kubernetes resource with its corresponding subresource:

pods = log (also exec and status)
services = proxy
deployments = scale
nodes = proxy

You can use the wildcard symbol '*' to refer to all current and future resources in a specific API group.

True

Which of the following statements BEST describes the principle of least privilege when applied to RBAC?

Granting users the minimal set of permissions needed to perform their tasks.

What is the mechanism used to aggregate several ClusterRoles into one combined ClusterRole?

An aggregationRule on the target ClusterRole. It holds one or more label selectors; a controller in the control plane finds every other ClusterRole whose labels match and writes the union of their rules into the target's rules field. Any rules placed there by hand are overwritten.

The default user-facing roles in Kubernetes leverage ClusterRole aggregation.

True

To allow a subject to read pods and also access the ______ subresource for each of those pods, you write: rules: - apiGroups: [''] resources: ['pods', 'pods/______'] verbs: ['get', 'list', 'watch']

log

How can you create a new ClusterRole that adds rules to an existing aggregated ClusterRole, like 'monitoring'?

Create a new ClusterRole whose labels match the aggregated ClusterRole's aggregationRule selector (for example rbac.example.com/aggregate-to-monitoring: "true") and put the extra rules in it; the controller merges them into 'monitoring' without anyone editing 'monitoring' itself.

Explain the purpose of the 'resourceNames' list in an RBAC role.

When present, the rule applies only to the named objects of that resource (for example a single ConfigMap) instead of every object of that kind, narrowing the scope of the grant.

You can use a wildcard (*) symbol to refer to all current and future resources in a specific API group, but this approach can lead to overly permissive access to sensitive resources.

True

The ______ principle should be employed while defining RBAC roles, ensuring only the necessary permissions are granted for workloads to function correctly.

least privilege

When using RBAC, which approach is generally considered the MOST secure way to grant permissions to an application running in Kubernetes?

Providing the application's own ServiceAccount with a RoleBinding that grants only the specific permissions the application needs.

Describe a situation where ClusterRole aggregation would be useful for managing RBAC in a Kubernetes cluster.

When an operator installs a CustomResourceDefinition (for example CronTabs), the default admin, edit and view roles know nothing about the new resource. Shipping a small ClusterRole labelled rbac.authorization.k8s.io/aggregate-to-view: "true" with read rules for it, and another labelled aggregate-to-edit with the write verbs, makes the existing user-facing roles cover the new resource without editing those roles or the many bindings that reference them.

Flashcards

RBAC

Role-based access control (RBAC) regulates access to computer or network resources based on the roles of individual users.

Authorization Config

The --authorization-config API server flag points at a file listing the authorizers to run; include an RBAC authorizer there (or put RBAC in --authorization-mode) to enable RBAC.

RBAC Objects

Role, ClusterRole, RoleBinding, and ClusterRoleBinding, in the rbac.authorization.k8s.io API group.

Role vs ClusterRole

A Role is namespace-specific while a ClusterRole is cluster-wide.

RoleBinding

Grants role permissions to subjects in a specific namespace.

ClusterRoleBinding

Grants ClusterRole permissions to subjects across all namespaces.

Permission Model

Permissions in RBAC are purely additive; there are no deny rules.

Role Example

The pod-reader Role grants get, list and watch on Pods in a specific namespace.

Deployments in apps API

Deployments live in the 'apps' API group; a rule grants access to them with apiGroups: ["apps"] and resources: ["deployments"], the same name that appears in the API URL.

Roles in Kubernetes

Define permissions for users, groups, or ServiceAccounts in the cluster.

ServiceAccount

A special type of account for processes running in a Pod; it authenticates as the user system:serviceaccount:<namespace>:<name>.

Default ClusterRoles

Predefined roles and bindings created and managed by the Kubernetes control plane.

Auto-reconciliation

At each start-up the API server adds missing permissions to the default ClusterRoles and missing subjects to the default ClusterRoleBindings, repairing accidental changes.

ClusterRole

Role that grants permissions across the entire cluster, or to cluster-scoped resources and non-resource endpoints.

API Server Configuration

The kube-apiserver flags (--authorization-mode, --authorization-config, --anonymous-auth, --v) that control which authorizers run and whether RBAC denials are logged.

Node authorizer

Authorizes kubelet API requests based on the Pods scheduled to that node.

RBAC API

Provides granular control over user permissions in Kubernetes.

Creating roles

You can only create or update a Role or ClusterRole if you already hold every permission it contains at the same scope, or you hold the escalate verb on the roles/clusterroles resource; creating a binding likewise requires holding the referenced role's permissions or the bind verb on it.

NodeRestriction admission plugin

Limits a kubelet to modifying its own Node object and only the Pods bound to its node.

Viewing permissions

Can be done with kubectl, for example kubectl get roles,rolebindings -n <namespace> to list objects and kubectl auth can-i <verb> <resource> --as <user> to test a decision.

RoleReference (roleRef)

The field that links a RoleBinding or ClusterRoleBinding to a Role or ClusterRole; it cannot be changed after the binding is created.

Namespaces

Isolated environments to manage resources in Kubernetes.

pod-reader Role

Permits reading pods in a specific namespace.

Subject

Users, groups, or service accounts affected by a RoleBinding.

Wildcard (*)

In a rule's resources, apiGroups or verbs list, matches every item of that kind, including ones added to the API later.

AggregationRule

Defines how to combine ClusterRoles into one.

NonResourceURLs

Non-resource endpoints such as /healthz or /metrics; access to them can only be granted in a ClusterRole, not a Role.

RoleRef

Specifies which Role or ClusterRole a RoleBinding uses.

ResourceNames

Restricts access to specific instances of a resource.

Least Privilege Principle

Granting only the essential permissions needed.

Subresource

An endpoint beneath a resource, such as pods/log or deployments/scale, referenced in RBAC with a slash.

Admin Role

Read/write access to most resources in a namespace, including creating Roles and RoleBindings; not resource quota or the namespace itself.

View Role

Read-only access to most resources in a namespace, excluding Secrets and RBAC objects.

Bootstrap Permissions

Granting the initial permissions required to set up roles and role bindings, typically with a credential in the system:masters group.

Fine-Grained Role Bindings

Specific role assignments to application-specific ServiceAccounts for enhanced security.

Cluster-Wide Role

A role that provides permissions to all namespaces in the cluster (granting one to all service accounts is strongly discouraged).

Super-User Access

Complete permissions, allowing full control over all resources (the cluster-admin ClusterRole).

Remove Extra Permissions

The kubectl auth reconcile options --remove-extra-permissions and --remove-extra-subjects, which strip anything not in the manifest.

Authorization Layers

Multiple authorizers (for example RBAC, then ABAC) consulted in turn; a request is allowed if any one of them allows it.

ABAC Policies

Attribute-Based Access Control policies allowing flexible permission granting.

Kubernetes v1.22 Change

As a mitigation for CVE-2021-25740, clusters created with v1.22 or later no longer include write access to EndpointSlices (and Endpoints) in the aggregated edit and admin roles.

Study Notes

Role-Based Access Control (RBAC) in Kubernetes

• RBAC regulates access to Kubernetes resources based on the roles of individual users, groups and ServiceAccounts.
• Authorization decisions are driven by the rbac.authorization.k8s.io API group.
• RBAC policies are dynamically configurable via the Kubernetes API.
• Enabling RBAC involves starting the API server with --authorization-config pointing at a file that lists an RBAC authorizer, or with --authorization-mode set to a comma-separated list that includes RBAC.

RBAC Objects

• RBAC declares four object types:
  • Role: Namespaced permissions
  • ClusterRole: Cluster-wide permissions
  • RoleBinding: Grants a role to a subject within a namespace
  • ClusterRoleBinding: Grants a role to a subject cluster-wide
• Roles and ClusterRoles contain permissions (additive).
• Role permissions are namespace-specific, while ClusterRoles are cluster-wide.
• Object names must be valid path segment names.

RoleBindings and ClusterRoleBindings

• RoleBindings grant roles to subjects within a namespace.
• They can reference Roles or ClusterRoles.
• RoleBindings specify subjects (users, groups, service accounts).
• ClusterRoleBindings grant roles to subjects cluster-wide.
• Cannot change the referenced Role/ClusterRole after creation; removal and recreation required.

Resource and Subresource References

• RBAC uses the same resource names as API endpoints.
• Subresources (e.g., Pod logs) are delimited with a slash.
• ResourceNames can be used to restrict access to individual resource instances.
• Wildcards (*) can be used for all resources, verbs, or API groups (use cautiously, least privilege principle).
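As an added example (not code from the Kubernetes project or from this quiz), the Python model below implements the evaluation described in the three sections above: a request is allowed as soon as any rule of any bound role matches, a RoleBinding grants only inside its own namespace even when its roleRef is a ClusterRole, a subresource is a separate resource name joined with a slash, and resourceNames narrow a rule to named objects. Objects are plain dicts that mirror the manifest fields; the users, namespaces, roles and bindings are constructed for the example, and treating a request without an object name as never satisfying a resourceNames rule is a deliberate simplification of the real field-selector behaviour.

```python
from dataclasses import dataclass

# Added example: a minimal model of the Kubernetes RBAC authorizer, not the
# real implementation. Roles and bindings are dicts mirroring manifest fields.

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    verb: str
    resource: str        # "pods" or "pods/log" (subresource after the slash)
    api_group: str = ""  # "" is the core API group
    namespace: str = ""  # "" for cluster-scoped requests
    name: str = ""       # object name; "" for list, watch and create

def _match(allowed, value):
    # A rule field matches if it lists the value or the wildcard "*".
    return "*" in allowed or value in allowed

def rule_allows(rule, req):
    """One PolicyRule grants the request only if every field matches."""
    if not (_match(rule.get("verbs", []), req.verb)
            and _match(rule.get("apiGroups", []), req.api_group)
            and _match(rule.get("resources", []), req.resource)):
        return False
    names = rule.get("resourceNames")
    if names:
        # Simplification: a request without an object name (list, watch,
        # create) cannot satisfy a resourceNames-restricted rule.
        return req.name in names
    return True

def _subject_matches(subject, req):
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return req.user == name
    if kind == "Group":
        return name in req.groups
    if kind == "ServiceAccount":  # authenticates as this well-known user name
        return req.user == f"system:serviceaccount:{subject['namespace']}:{name}"
    return False

def authorize(req, roles, cluster_roles, role_bindings, cluster_role_bindings):
    """Purely additive: the first matching rule allows; nothing can deny."""
    for b in cluster_role_bindings:
        if any(_subject_matches(s, req) for s in b["subjects"]):
            role = cluster_roles[b["roleRef"]["name"]]
            if any(rule_allows(r, req) for r in role["rules"]):
                return True
    for b in role_bindings:
        if b["namespace"] != req.namespace:
            continue  # a RoleBinding never grants outside its own namespace
        if not any(_subject_matches(s, req) for s in b["subjects"]):
            continue
        ref = b["roleRef"]
        if ref["kind"] == "ClusterRole":
            role = cluster_roles[ref["name"]]  # ClusterRole rules, scoped by the binding
        else:
            role = roles[(b["namespace"], ref["name"])]
        if any(rule_allows(r, req) for r in role["rules"]):
            return True
    return False

# Constructed sample objects, modelled on the documentation's examples.
ROLES = {
    ("default", "pod-reader"): {"rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "watch"]}]},
}
CLUSTER_ROLES = {
    "secret-reader": {"rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]},
    "configmap-updater": {"rules": [
        {"apiGroups": [""], "resources": ["configmaps"],
         "resourceNames": ["my-configmap"], "verbs": ["update", "get"]}]},
}
ROLE_BINDINGS = [
    {"namespace": "default", "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "jane"}]},
    # References a ClusterRole, but only grants it inside "development".
    {"namespace": "development", "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "User", "name": "dave"}]},
    {"namespace": "default", "roleRef": {"kind": "ClusterRole", "name": "configmap-updater"},
     "subjects": [{"kind": "ServiceAccount", "name": "myapp", "namespace": "default"}]},
]
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "Group", "name": "manager"}]},
]

def can(user, verb, resource, namespace="", name="", groups=(), api_group=""):
    """Answers the same question as `kubectl auth can-i` for the sample data."""
    req = Request(user, frozenset(groups), verb, resource, api_group, namespace, name)
    return authorize(req, ROLES, CLUSTER_ROLES, ROLE_BINDINGS, CLUSTER_ROLE_BINDINGS)
```

The `can` helper plays the part of `kubectl auth can-i` against the sample objects, so the quiz's own questions can be checked by running it: dave's RoleBinding in "development" references the secret-reader ClusterRole yet `can("dave", "get", "secrets", "production")` is False, while a member of the "manager" group, bound by a ClusterRoleBinding, reads Secrets in any namespace.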

ClusterRole Aggregation

• ClusterRoles can be aggregated to combine multiple ClusterRoles into one.
• Aggregation is triggered by an aggregationRule that uses a label selector.
• Aggregated ClusterRoles dynamically incorporate new, matching ClusterRoles.
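The following Python, added here as an example and not the kube-controller-manager's own code, models what the aggregation controller does: for every ClusterRole that carries an aggregationRule it gathers the rules of every other ClusterRole whose labels match one of the selectors and overwrites the target's rules with that union. The sample roles are constructed miniatures of the real view and edit roles and of the CronTab roles from the documentation; the `rbac.authorization.k8s.io/aggregate-to-*` labels are the real ones. It also shows why hand-edited rules on an aggregated role disappear, and why a role labelled aggregate-to-view ends up in edit as well (the real view ClusterRole is itself labelled aggregate-to-edit).

```python
# Added example: a model of the ClusterRole aggregation controller, not the
# kube-controller-manager's code. ClusterRoles are dicts mirroring manifest
# fields; the roles below are constructed miniatures of the real defaults.

AGG_VIEW = "rbac.authorization.k8s.io/aggregate-to-view"
AGG_EDIT = "rbac.authorization.k8s.io/aggregate-to-edit"

def _selector_matches(selector, labels):
    """Evaluate the matchLabels half of a LabelSelector (matchExpressions are
    left out of this model)."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def aggregate(cluster_roles, max_rounds=10):
    """Return a copy of cluster_roles in which every role carrying an
    aggregationRule has its rules replaced by the union of the rules of all
    other ClusterRoles whose labels match one of its selectors.

    Aggregated roles can feed other aggregated roles (view is labelled
    aggregate-to-edit), so iterate until nothing changes."""
    roles = {n: {**r, "rules": list(r.get("rules", []))} for n, r in cluster_roles.items()}
    for _ in range(max_rounds):
        changed = False
        for name, role in roles.items():
            agg = role.get("aggregationRule")
            if not agg:
                continue
            selectors = agg.get("clusterRoleSelectors", [])
            merged = []
            for other_name, other in roles.items():
                if other_name == name:
                    continue
                if any(_selector_matches(s, other.get("labels", {})) for s in selectors):
                    for rule in other["rules"]:
                        if rule not in merged:  # identical rules are kept once
                            merged.append(rule)
            # The controller overwrites rules wholesale, so hand edits to an
            # aggregated role's rules do not survive.
            if merged != role["rules"]:
                role["rules"] = merged
                changed = True
        if not changed:
            return roles
    raise RuntimeError("aggregation did not converge")

CLUSTER_ROLES = {
    # Miniature of the default "view": an aggregated role that is itself
    # labelled so that "edit" picks up everything "view" grants.
    "view": {
        "labels": {AGG_EDIT: "true"},
        "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {AGG_VIEW: "true"}}]},
        "rules": [],
    },
    "edit": {
        "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {AGG_EDIT: "true"}}]},
        "rules": [],
    },
    "system:aggregate-to-view": {
        "labels": {AGG_VIEW: "true"},
        "rules": [{"apiGroups": [""], "resources": ["pods", "services"],
                   "verbs": ["get", "list", "watch"]}],
    },
    # Roles an operator ships so that its CRD is covered by the default
    # user-facing roles without editing those roles.
    "aggregate-cron-tabs-view": {
        "labels": {AGG_VIEW: "true"},
        "rules": [{"apiGroups": ["stable.example.com"], "resources": ["crontabs"],
                   "verbs": ["get", "list", "watch"]}],
    },
    "aggregate-cron-tabs-edit": {
        "labels": {AGG_EDIT: "true"},
        "rules": [{"apiGroups": ["stable.example.com"], "resources": ["crontabs"],
                   "verbs": ["create", "delete", "patch", "update"]}],
    },
}

def resources_granted(role_name, verb, cluster_roles=CLUSTER_ROLES):
    """Sorted "group/resource" names on which role_name holds verb after
    aggregation; "core" stands for the empty API group."""
    role = aggregate(cluster_roles)[role_name]
    return sorted({f"{g or 'core'}/{r}"
                   for rule in role["rules"] if verb in rule["verbs"]
                   for g in rule["apiGroups"] for r in rule["resources"]})
```

Because `view` is collected into `edit`, a CRD role labelled only aggregate-to-view shows up in both; the write verbs reach `edit` alone. The fixpoint loop mirrors the controller reacting to each change until the roles stop moving.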

Default RBAC Policies

• Kubernetes includes default ClusterRoles and ClusterRoleBindings for core functionalities.
• Many are prefixed with system:.
• At each start-up the API server updates these default objects, adding missing permissions and subjects so that both newly released permissions and accidental modifications are reconciled.
• The update can be disabled per object with the annotation rbac.authorization.kubernetes.io/autoupdate set to false.
• Some roles (e.g., cluster-admin, admin, edit, view) are user-facing.
  • They can be extended via ClusterRole aggregation to cover custom resources.

RBAC Principles and Considerations

• RBAC prevents privilege escalation by controlling role/binding changes.
• You can only create/update a role if you already hold all of its permissions at the same scope, or you hold the escalate verb on the roles/clusterroles resource.
• You can only create/update a binding if you already hold the permissions of the referenced role at the same scope, or you hold the bind verb on that role.
• Auto-reconciliation adjusts default roles for API changes.
• Disabling auto-reconciliation prevents overwriting of manually updated roles.
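To turn these principles into a check, the Python audit below (an added example, not a Kubernetes or kubectl feature) walks a list of manifest-shaped RBAC objects and flags what a reviewer would flag: wildcards, the escalate/bind/impersonate verbs, read access to Secrets, create on pods/exec, and cluster-wide bindings to cluster-admin or to the broad built-in groups. The finding names and the sample objects are constructed for the example; in practice you would feed it the items from `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`.

```python
# Added example: a least-privilege audit over RBAC manifests, not a Kubernetes
# or kubectl feature. Finding names and sample objects are constructed here.

ESCALATION_VERBS = {"escalate", "bind", "impersonate"}  # verbs that grant more access
READ_VERBS = {"get", "list", "watch", "*"}              # list/watch return contents too
SECRET_RESOURCES = {("", "secrets")}                     # (apiGroup, resource)
EXEC_RESOURCES = {("", "pods/exec"), ("", "pods/attach")}  # code execution in Pods
BROAD_GROUPS = {"system:serviceaccounts", "system:authenticated", "system:unauthenticated"}

def audit_rules(owner, rules):
    """Flag over-broad or escalation-capable rules of one Role/ClusterRole."""
    findings = set()
    for rule in rules:
        verbs = set(rule.get("verbs", []))
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        if "*" in verbs or "*" in groups or "*" in resources:
            findings.add((owner, "wildcard"))
        if verbs & ESCALATION_VERBS:
            findings.add((owner, "privilege-escalation-verb"))
        for pair in ((g, r) for g in groups for r in resources):
            if pair in SECRET_RESOURCES and verbs & READ_VERBS:
                findings.add((owner, "secret-read"))
            if pair in EXEC_RESOURCES and verbs & {"create", "*"}:
                findings.add((owner, "pod-exec"))
    return findings

def audit_binding(owner, binding):
    """Flag bindings that hand access to everyone or hand out cluster-admin."""
    findings = set()
    subjects = binding.get("subjects", [])
    for s in subjects:
        if s["kind"] == "Group" and s["name"] in BROAD_GROUPS:
            findings.add((owner, "broad-group:" + s["name"]))
    if binding["kind"] == "ClusterRoleBinding" and binding["roleRef"]["name"] == "cluster-admin":
        # The default binding to the system:masters group is expected; any
        # other subject bound cluster-wide to cluster-admin needs a reason.
        if any(not (s["kind"] == "Group" and s["name"] == "system:masters") for s in subjects):
            findings.add((owner, "cluster-admin-binding"))
    return findings

def audit(objects):
    """Sorted (object, finding) pairs for a list of manifest-shaped RBAC dicts
    (kind, metadata, and rules or roleRef/subjects)."""
    findings = set()
    for obj in objects:
        owner = f"{obj['kind']}/{obj['metadata']['name']}"
        if obj["kind"] in ("Role", "ClusterRole"):
            findings |= audit_rules(owner, obj.get("rules", []))
        elif obj["kind"] in ("RoleBinding", "ClusterRoleBinding"):
            findings |= audit_binding(owner, obj)
    return sorted(findings)

# Constructed samples: two that follow least privilege, four that do not.
SAMPLE_OBJECTS = [
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "default"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "myapp-view", "namespace": "default"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "myapp", "namespace": "default"}]},
    {"kind": "ClusterRole", "metadata": {"name": "debug-everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "role-escalator"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
                "verbs": ["escalate"]},
               {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "all-sa-are-admins"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                 "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts",
                   "apiGroup": "rbac.authorization.k8s.io"}]},
]
```

Each finding is a review prompt rather than a verdict: a secret-reading ClusterRole may be legitimate for a controller that needs it, but the binding granting cluster-admin to the system:serviceaccounts group is exactly the "grant super-user access to all service accounts" anti-pattern from the quiz and has no good answer.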

Service Accounts and Permissions

• Service Accounts represent processes and applications.
• Pods that do not name a ServiceAccount run as the "default" ServiceAccount of their own namespace; default RBAC grants service accounts outside kube-system no permissions beyond API discovery.
• Best practice for controlling access to applications/controllers: a dedicated ServiceAccount per application with a RoleBinding to just the permissions it needs.
• Fine-grained control is possible, but increased administration is required for multiple service accounts and roles.

Transitioning to RBAC

• Clusters using ABAC (Attribute-Based Access Control) can be transitioned.
• Running both RBAC and ABAC, then removing ABAC when RBAC works correctly is one method.

Important Notes

• Permissions are purely additive and there are no deny rules.
• The empty string "" in apiGroups refers to the core API group (Pods, Secrets, ConfigMaps, Services).
• Resources, and other components, must reference the exact name that appears on the relevant API endpoint URL.

Description

This quiz covers Role-Based Access Control (RBAC) in Kubernetes, focusing on its components such as Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings. Learn how these elements manage access to resources based on user roles and understand the API configurations necessary for RBAC implementation.
