Chapter 18. Kubernetes Authorization with RBAC

Once users have authenticated to a Kubernetes cluster, a key security control is limiting what access they have to create and manage objects within the Kubernetes API. Allowing overly broad permissions to users or applications running in your cluster can easily allow attackers who gain access to those credentials to escalate their privileges in the cluster and get access to all the workloads running on it.

Kubernetes provides several mechanisms for authorizing users, that is, for controlling the rights they have once authenticated; this chapter explores the most commonly used method, role-based access control (RBAC), including possible pitfalls and tools for auditing RBAC.

Kubernetes Authorization Mechanisms

Kubernetes provides multiple authorization mechanisms, which can be used to control what rights a user has. An important initial point to note is that where multiple authorization mechanisms are configured in a cluster, the rights provided to users will be the sum of all rights provided from each mechanism, so it is generally safer to configure a single authorization mechanism for each cluster.

These are the main modes that can be used for user authorization:

  • ABAC

    Attribute-based access control (ABAC) is generally a legacy mechanism that uses JSON files held on the control plane nodes of the cluster to detail user permissions.

  • Webhook

    With this authorization mechanism, the cluster defers the decision to an external service.

  • AlwaysAllow

    This allows any ...
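Because the rights granted by each configured authorizer are unioned, the first thing to check on a control plane is which modes kube-apiserver was actually started with. The following is an added example, not code from the book: it reads the `--authorization-mode` flag out of a kube-apiserver static pod manifest (the kubeadm layout, where the flags sit under `.spec.containers[0].command`, is assumed) and reports the configurations this section warns about, such as AlwaysAllow, legacy ABAC, or several rights-granting modes stacked together. The manifest it parses is a constructed, trimmed-down sample.

```python
"""Audit the authorization modes configured on a kube-apiserver.

Added example for this chapter, not the book's own code. Assumes the
control plane runs kube-apiserver as a static pod whose flags are listed
under .spec.containers[0].command (the kubeadm layout). The manifest
below is a constructed, trimmed-down sample used as input.
"""
import re
from typing import List

# Constructed sample: a trimmed kube-apiserver static pod manifest with a
# deliberately weak authorization setting.
SAMPLE_MANIFEST = """
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.0.10
    - --authorization-mode=Node,RBAC,AlwaysAllow
    - --enable-admission-plugins=NodeRestriction
    image: registry.k8s.io/kube-apiserver:v1.29.0
    name: kube-apiserver
"""

# kube-apiserver falls back to AlwaysAllow when the flag is absent.
DEFAULT_MODE = "AlwaysAllow"

# Node only grants rights to kubelets for their own node's resources, so it is
# not counted as a general rights-granting authorizer in the union check.
GENERAL_MODES = {"RBAC", "ABAC", "Webhook", "AlwaysAllow"}


def parse_authorization_modes(manifest: str) -> List[str]:
    """Return the ordered list of authorizers from --authorization-mode."""
    match = re.search(r"--authorization-mode=(\S+)", manifest)
    if not match:
        return [DEFAULT_MODE]
    return [mode.strip() for mode in match.group(1).split(",") if mode.strip()]


def audit_authorization_modes(modes: List[str]) -> List[str]:
    """Return human-readable findings for risky authorization configurations."""
    findings: List[str] = []
    if "AlwaysAllow" in modes:
        findings.append(
            "AlwaysAllow is enabled: every authenticated request is permitted, "
            "regardless of any other configured mode"
        )
    if "ABAC" in modes:
        findings.append(
            "ABAC is enabled: legacy JSON policy files on the control plane "
            "nodes grant rights in addition to any other mode"
        )
    general = [m for m in modes if m in GENERAL_MODES]
    if len(general) > 1:
        findings.append(
            "Multiple rights-granting modes configured (%s): effective rights "
            "are the union of all of them; prefer a single mode per cluster"
            % ", ".join(general)
        )
    return findings


def audit_manifest(manifest: str) -> List[str]:
    """Convenience wrapper: parse the manifest and audit the modes it sets."""
    return audit_authorization_modes(parse_authorization_modes(manifest))


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST) or ["no findings"]:
        print("-", finding)
```

On a kubeadm cluster the real manifest lives at /etc/kubernetes/manifests/kube-apiserver.yaml on each control plane node; reading that file in place of SAMPLE_MANIFEST turns this into a quick check that a cluster really is running RBAC alone (optionally with Node) rather than a stack of authorizers whose rights add up.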
