188 lines
4.0 KiB
Markdown
188 lines
4.0 KiB
Markdown
# RBAC Patterns and Best Practices
|
|
|
|
## Common RBAC Patterns
|
|
|
|
### Pattern 1: Read-Only Access
|
|
```yaml
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: read-only
|
|
rules:
|
|
- apiGroups: ["", "apps", "batch"]
|
|
resources: ["*"]
|
|
verbs: ["get", "list", "watch"]
|
|
```
|
|
|
|
### Pattern 2: Namespace Admin
|
|
```yaml
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: namespace-admin
|
|
namespace: production
|
|
rules:
|
|
- apiGroups: ["", "apps", "batch", "extensions"]
|
|
resources: ["*"]
|
|
verbs: ["*"]
|
|
```
|
|
|
|
### Pattern 3: Deployment Manager
|
|
```yaml
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: deployment-manager
|
|
namespace: production
|
|
rules:
|
|
- apiGroups: ["apps"]
|
|
resources: ["deployments"]
|
|
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
|
- apiGroups: [""]
|
|
resources: ["pods"]
|
|
verbs: ["get", "list", "watch"]
|
|
```
|
|
|
|
### Pattern 4: Secret Reader (ServiceAccount)
|
|
```yaml
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: secret-reader
|
|
namespace: production
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get"]
|
|
resourceNames: ["app-secrets"] # Specific secret only
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: app-secret-reader
|
|
namespace: production
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: my-app
|
|
namespace: production
|
|
roleRef:
|
|
kind: Role
|
|
name: secret-reader
|
|
apiGroup: rbac.authorization.k8s.io
|
|
```
|
|
|
|
### Pattern 5: CI/CD Pipeline Access
|
|
```yaml
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: cicd-deployer
|
|
rules:
|
|
- apiGroups: ["apps"]
|
|
resources: ["deployments", "replicasets"]
|
|
verbs: ["get", "list", "create", "update", "patch"]
|
|
- apiGroups: [""]
|
|
resources: ["services", "configmaps"]
|
|
verbs: ["get", "list", "create", "update", "patch"]
|
|
- apiGroups: [""]
|
|
resources: ["pods"]
|
|
verbs: ["get", "list"]
|
|
```
|
|
|
|
## ServiceAccount Best Practices
|
|
|
|
### Create Dedicated ServiceAccounts
|
|
```yaml
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: my-app
|
|
namespace: production
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: my-app
|
|
spec:
|
|
template:
|
|
spec:
|
|
serviceAccountName: my-app
|
|
automountServiceAccountToken: false # Disable if not needed
|
|
```
|
|
|
|
### Least-Privilege ServiceAccount
|
|
```yaml
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: my-app-role
|
|
namespace: production
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["configmaps"]
|
|
verbs: ["get"]
|
|
resourceNames: ["my-app-config"]
|
|
```
|
|
|
|
## Security Best Practices
|
|
|
|
1. **Use Roles over ClusterRoles** when possible
|
|
2. **Specify resourceNames** for fine-grained access
|
|
3. **Avoid wildcard permissions** (`*`) in production
|
|
4. **Create dedicated ServiceAccounts** for each app
|
|
5. **Disable token auto-mounting** if not needed
|
|
6. **Regular RBAC audits** to remove unused permissions
|
|
7. **Use groups** for user management
|
|
8. **Implement namespace isolation**
|
|
9. **Monitor RBAC usage** with audit logs
|
|
10. **Document role purposes** in metadata
|
|
|
|
## Troubleshooting RBAC
|
|
|
|
### Check User Permissions
|
|
```bash
|
|
kubectl auth can-i list pods --as john@example.com
|
|
kubectl auth can-i '*' '*' --as system:serviceaccount:default:my-app
|
|
```
|
|
|
|
### View Effective Permissions
|
|
```bash
|
|
kubectl describe clusterrole cluster-admin
|
|
kubectl describe rolebinding -n production
|
|
```
|
|
|
|
### Debug Access Issues
|
|
```bash
|
|
kubectl get rolebindings,clusterrolebindings --all-namespaces -o wide | grep my-user
|
|
```
|
|
|
|
## Common RBAC Verbs
|
|
|
|
- `get` - Read a specific resource
|
|
- `list` - List all resources of a type
|
|
- `watch` - Watch for resource changes
|
|
- `create` - Create new resources
|
|
- `update` - Update existing resources
|
|
- `patch` - Partially update resources
|
|
- `delete` - Delete resources
|
|
- `deletecollection` - Delete multiple resources
|
|
- `*` - All verbs (avoid in production)
|
|
|
|
## Resource Scope
|
|
|
|
### Cluster-Scoped Resources
|
|
- Nodes
|
|
- PersistentVolumes
|
|
- ClusterRoles
|
|
- ClusterRoleBindings
|
|
- Namespaces
|
|
|
|
### Namespace-Scoped Resources
|
|
- Pods
|
|
- Services
|
|
- Deployments
|
|
- ConfigMaps
|
|
- Secrets
|
|
- Roles
|
|
- RoleBindings
|