Chapter 10. Security

Running applications in Kubernetes comes with a shared responsibility between developers and ops folks to ensure that attack vectors are minimized, the principle of least privilege is followed, and access to resources is clearly defined. In this chapter, we will present recipes that you can, and should, use to make sure your cluster and apps run securely. The recipes in this chapter cover the following:

  • The role and usage of service accounts

  • Role-based access control (RBAC)

  • Defining a pod’s security context

10.1 Providing a Unique Identity for an Application

Problem

You want to grant an application access to restricted resources at a fine-grained level.

Solution

Create a service account with specific secret access and reference it within a pod specification.

To begin, create a dedicated namespace for this and the following recipe called sec:

$ kubectl create namespace sec
namespace/sec created

Then, create a new service account called myappsa in that namespace and take a closer look at it:

$ kubectl create serviceaccount myappsa -n sec
serviceaccount/myappsa created

$ kubectl describe sa myappsa -n sec
Name:                myappsa
Namespace:           sec
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              <none>
Events:              <none>

You can reference this service account in a pod manifest, which we’re calling serviceaccountpod.yaml, as shown next. Notice that we are also placing this pod in the sec namespace:

apiVersion: v1
kind
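The book's serviceaccountpod.yaml is cut off above, so here is a complete manifest of the same shape, written for this edition as an added example rather than the book's own file. The pod name (serviceaccountpod), container name (app) and image (nginx:1.25) are assumptions chosen for illustration; the namespace and service account name are the ones created in the recipe. The example also makes the automountServiceAccountToken field explicit, which the recipe text does not mention: it controls whether the service account's API token is projected into the container at /var/run/secrets/kubernetes.io/serviceaccount/, and a second pod shows the setting you want for a workload that never needs to talk to the API server.

```yaml
# Added example manifest, not the book's serviceaccountpod.yaml.
# Pod name, container name and image are assumptions for illustration.
apiVersion: v1
kind: Pod
metadata:
  name: serviceaccountpod        # assumed name
  namespace: sec                 # same namespace as the myappsa service account
spec:
  # The identity the kubelet and API server attribute this pod's requests to.
  serviceAccountName: myappsa
  # true (the default) projects a short-lived token for myappsa into the
  # container; keep it only for pods that actually call the Kubernetes API.
  automountServiceAccountToken: true
  containers:
  - name: app
    image: nginx:1.25            # assumed image
    ports:
    - containerPort: 80
---
# Same identity, but no API credential inside the container: a compromised
# process in this pod has no token to steal and replay against the API server.
apiVersion: v1
kind: Pod
metadata:
  name: serviceaccountpod-notoken   # assumed name
  namespace: sec
spec:
  serviceAccountName: myappsa
  automountServiceAccountToken: false
  containers:
  - name: app
    image: nginx:1.25            # assumed image
```

Apply it with kubectl apply -f and confirm the identity took effect with kubectl get pod serviceaccountpod -n sec -o jsonpath='{.spec.serviceAccountName}', which prints myappsa. Two caveats worth knowing at this point: the Tokens: <none> line in the kubectl describe output above is expected on Kubernetes 1.24 and later, where no long-lived token Secret is created for a service account and pods instead receive a short-lived projected token; and a service account by itself grants nothing, so kubectl auth can-i list secrets -n sec --as=system:serviceaccount:sec:myappsa answers no until a role is bound to it, which is what the RBAC recipe that follows is for.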
