Simplify Kubernetes resource access control using RBAC impersonation

In this tutorial, the authors propose a way to “mimic” group memberships - which can be by team, project or any other aggregation you may need - using stock Kubernetes authorization features. By Juanjo Ciarlante @cncf.

As Kubernetes group membership is handled externally to the API itself by an Identity Provider (IdP), the cluster administrator needs to interact with the Identity Provider administrator to set up those group memberships, making the workflow potentially cumbersome. Identity Providers may not provide group membership at all, forcing the cluster administrator to handle access on a per-user basis, i.e. Kubernetes RoleBindings containing the “full” list of allowed end-users.
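To make the “virtual-user” idea concrete, here is an added example (written for this summary, not taken from the CNCF article) of the RBAC objects involved. The user names `alice@example.com` and `bob@example.com`, the virtual user `dev-team` and the namespace `dev` are all made-up placeholders; the `impersonate` verb, the built-in `edit` ClusterRole and the `resourceNames` restriction are standard Kubernetes RBAC features.

```yaml
# Added example: grant two real users the right to impersonate ONE named
# virtual user, then bind that virtual user to a role in one namespace.
# Real users never get the namespace role directly; they act "as" dev-team.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonate-dev-team
rules:
- apiGroups: [""]
  resources: ["users"]
  verbs: ["impersonate"]
  # resourceNames is the important restriction: without it the subjects could
  # impersonate any user, including members of system:masters.
  resourceNames: ["dev-team"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: impersonate-dev-team
subjects:
- kind: User
  name: alice@example.com   # placeholder IdP user
  apiGroup: rbac.authorization.k8s.io
- kind: User
  name: bob@example.com     # placeholder IdP user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: impersonate-dev-team
  apiGroup: rbac.authorization.k8s.io
---
# The virtual user "dev-team" does not exist in the IdP; it only exists as a
# subject name in this RoleBinding. Adding a person to the "team" means adding
# them to the ClusterRoleBinding above, not touching this binding.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-team-edit
  namespace: dev
subjects:
- kind: User
  name: dev-team
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
```

After applying these, a member runs `kubectl --as=dev-team -n dev get pods`, and can verify the effective rights with `kubectl auth can-i --as=dev-team -n dev create deployments` (which should answer `yes`) versus `kubectl auth can-i -n dev create deployments` as themselves (which should answer `no`). For detection and forensics, API server audit entries for impersonated requests carry both the authenticating user and the `impersonatedUser` field, so the real identity behind each action is still attributable.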

Overview of Kubernetes Authorization and RBAC

Source: https://www.cncf.io/blog/2020/09/17/simplify-kubernetes-resource-access-control-using-rbac-impersonation/

The article then does a good job explaining:

  • Assumptions and prerequisites
  • Overview of Kubernetes authentication
    • ServiceAccounts (SAs)
    • Users (external Personas or Bot users)
  • Overview of Kubernetes Authorization and RBAC
  • Using impersonated “virtual-users” to control access
  • A working example with RBAC rules

… and much more. An extensive and detailed article, useful for anybody working with Kubernetes. Great read!

Tags cio devops kubernetes containers software-architecture