RBAC Patterns and Best Practices
Common RBAC Patterns
Pattern 1: Read-Only Access
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: read-only
rules:
- apiGroups: ["", "apps", "batch"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
```
Pattern 2: Namespace Admin
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: namespace-admin
  namespace: production
rules:
- apiGroups: ["", "apps", "batch", "extensions"]
  resources: ["*"]
  verbs: ["*"]
```
Pattern 3: Deployment Manager
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployment-manager
  namespace: production
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
```
Pattern 4: Secret Reader (ServiceAccount)
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-reader
  namespace: production
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
  resourceNames: ["app-secrets"] # Specific secret only
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-secret-reader
  namespace: production
subjects:
- kind: ServiceAccount
  name: my-app
  namespace: production
roleRef:
  kind: Role
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
```
Pattern 5: CI/CD Pipeline Access
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cicd-deployer
rules:
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "create", "update", "patch"]
- apiGroups: [""]
  resources: ["services", "configmaps"]
  verbs: ["get", "list", "create", "update", "patch"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
```
ServiceAccount Best Practices
Create Dedicated ServiceAccounts
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app
  namespace: production
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: production
spec:
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      serviceAccountName: my-app
      automountServiceAccountToken: false # Disable if the app never calls the API server
      containers:
      - name: my-app
        image: my-app:1.0 # placeholder image
```
Least-Privilege ServiceAccount
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-app-role
  namespace: production
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]
  resourceNames: ["my-app-config"]
```
Security Best Practices
- Use Roles over ClusterRoles when possible
- Specify resourceNames for fine-grained access
- Avoid wildcard permissions (`*`) in production
- Create dedicated ServiceAccounts for each app
- Disable token auto-mounting if not needed
- Regular RBAC audits to remove unused permissions
- Use groups for user management
- Implement namespace isolation
- Monitor RBAC usage with audit logs
- Document role purposes in metadata
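The following linter is an added example (not part of the original page and not a kubectl plugin) that mechanises several of the checks in the list above: wildcard apiGroups, resources or verbs, cluster-wide write on every resource, and access to secrets or pod exec/attach/port-forward without `resourceNames`. It also flags `resourceNames` combined with `create` or `deletecollection`, which the API server cannot restrict by name. Roles are held as Python dicts in the item shape `kubectl get roles,clusterroles -A -o json` returns; the sample set reuses three roles from the page plus a constructed over-broad `debug-helper` Role.

```python
"""Lint RBAC rules for the anti-patterns in the best-practices list above.

Added example, not part of the original page. Roles are Python dicts in the
shape of the `items` of `kubectl get roles,clusterroles -A -o json`, so the
linter runs offline; feed it real items to audit a cluster.
"""
from typing import Dict, List

# Constructed sample: three Roles from the page plus one over-broad Role
# (debug-helper, constructed) that should produce a finding.
SAMPLE_ROLES: List[Dict] = [
    {"kind": "ClusterRole", "metadata": {"name": "read-only"},
     "rules": [{"apiGroups": ["", "apps", "batch"], "resources": ["*"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "namespace-admin", "namespace": "production"},
     "rules": [{"apiGroups": ["", "apps", "batch", "extensions"],
                "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "production"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
                "resourceNames": ["app-secrets"]}]},
    {"kind": "Role", "metadata": {"name": "debug-helper", "namespace": "production"},
     "rules": [{"apiGroups": [""], "resources": ["secrets", "pods/exec"],
                "verbs": ["get", "list", "create"]}]},
]

# Reading these exposes secrets or gives code execution inside a pod, so a rule
# granting them without resourceNames deserves a finding of its own.
SENSITIVE_RESOURCES = {"secrets", "pods/exec", "pods/attach", "pods/portforward"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def role_id(role: Dict) -> str:
    """Stable identifier: ClusterRole/<name> or Role/<namespace>/<name>."""
    meta = role["metadata"]
    if role["kind"] == "ClusterRole":
        return f"ClusterRole/{meta['name']}"
    return f"Role/{meta.get('namespace', 'default')}/{meta['name']}"


def lint_role(role: Dict) -> List[str]:
    """Return findings for one Role/ClusterRole; an empty list means clean."""
    findings = []
    ident = role_id(role)
    for i, rule in enumerate(role.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        names = rule.get("resourceNames") or []
        for label, values in (("apiGroup", groups), ("resource", resources), ("verb", verbs)):
            if "*" in values:
                findings.append(f"{ident} rule {i}: wildcard {label} '*'")
        if role["kind"] == "ClusterRole" and "*" in resources and verbs & WRITE_VERBS:
            findings.append(f"{ident} rule {i}: cluster-wide write on every resource")
        sensitive = resources & SENSITIVE_RESOURCES
        if sensitive and not names:
            findings.append(f"{ident} rule {i}: {sorted(sensitive)} without resourceNames")
        if names and verbs & {"create", "deletecollection"}:
            # No object name exists at request time for these verbs, so the API
            # server cannot apply resourceNames to them; the restriction is illusory.
            findings.append(f"{ident} rule {i}: resourceNames cannot restrict create/deletecollection")
    return findings


def lint_roles(roles: List[Dict]) -> Dict[str, List[str]]:
    """Map each role id to its findings, omitting roles with none."""
    report = {}
    for role in roles:
        findings = lint_role(role)
        if findings:
            report[role_id(role)] = findings
    return report


if __name__ == "__main__":
    for findings in lint_roles(SAMPLE_ROLES).values():
        print("\n".join(findings))
```

On the sample set, `read-only` and `namespace-admin` are reported for their wildcards, `debug-helper` for unscoped secrets and `pods/exec`, and `secret-reader` produces nothing, which is the shape a least-privilege role should have. The wildcard checks are deliberately blunt: a `ClusterRole` with `resources: ["*"]` is flagged even when its verbs are read-only, because "read everything" still includes secrets.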
Troubleshooting RBAC
Check User Permissions
```bash
kubectl auth can-i list pods --as john@example.com
kubectl auth can-i '*' '*' --as system:serviceaccount:default:my-app
```
View Effective Permissions
```bash
kubectl describe clusterrole cluster-admin
kubectl describe rolebinding -n production
```
Debug Access Issues
```bash
kubectl get rolebindings,clusterrolebindings --all-namespaces -o wide | grep my-user
```
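To show what `kubectl auth can-i` is actually asking the API server, here is an added example (not part of the original page and not kubectl's own code) that reimplements the core of the RBAC authorizer over objects held as Python dicts in `kubectl get -o json` shape: binding subjects are matched, the referenced Role or ClusterRole is resolved, and each PolicyRule is tested for apiGroup, resource, verb and `resourceNames`. It reuses the page's `secret-reader` and `namespace-admin` Roles and `read-only` ClusterRole; the bindings for `jane@example.com` and `bob@example.com` are constructed, and subjects are written the way `--as` expects them.

```python
"""Offline model of the decision `kubectl auth can-i` asks the API server for.

Added example, not part of the original page and not kubectl's own code. It
models the RBAC authorizer (binding -> role -> rule matching) over dicts in
`kubectl get -o json` shape so the page's patterns can be checked without a
cluster. Subjects use the `--as` form: users by name, ServiceAccounts as
system:serviceaccount:<namespace>:<name>. Group subjects are not modelled.
"""
from typing import Dict, List, Optional

# Constructed sample: the page's secret-reader and namespace-admin Roles and
# read-only ClusterRole, plus bindings for one ServiceAccount and two
# placeholder users (jane@example.com, bob@example.com).
ROLES: List[Dict] = [
    {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "production"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
                "resourceNames": ["app-secrets"]}]},
    {"kind": "Role", "metadata": {"name": "namespace-admin", "namespace": "production"},
     "rules": [{"apiGroups": ["", "apps", "batch", "extensions"],
                "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "read-only"},
     "rules": [{"apiGroups": ["", "apps", "batch"], "resources": ["*"],
                "verbs": ["get", "list", "watch"]}]},
]
BINDINGS: List[Dict] = [
    {"kind": "RoleBinding", "metadata": {"name": "app-secret-reader", "namespace": "production"},
     "subjects": [{"kind": "ServiceAccount", "name": "my-app", "namespace": "production"}],
     "roleRef": {"kind": "Role", "name": "secret-reader"}},
    {"kind": "RoleBinding", "metadata": {"name": "jane-admin", "namespace": "production"},
     "subjects": [{"kind": "User", "name": "jane@example.com"}],
     "roleRef": {"kind": "Role", "name": "namespace-admin"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "bob-read-only"},
     "subjects": [{"kind": "User", "name": "bob@example.com"}],
     "roleRef": {"kind": "ClusterRole", "name": "read-only"}},
]


def subject_id(subject: Dict) -> str:
    """Render a binding subject in the form `kubectl --as` uses."""
    if subject["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["name"]


def _matches(patterns: List[str], value: str) -> bool:
    return "*" in patterns or value in patterns


def rule_allows(rule: Dict, group: str, resource: str, verb: str,
                name: Optional[str]) -> bool:
    """Does one PolicyRule match the request (apiGroup, resource, verb, name)?"""
    if not _matches(rule.get("apiGroups", []), group):
        return False
    if not _matches(rule.get("resources", []), resource):
        return False
    if not _matches(rule.get("verbs", []), verb):
        return False
    names = rule.get("resourceNames")
    if names:
        # A name-restricted rule only matches a request that names an object on
        # the list. create and deletecollection never carry a name, and list or
        # watch only do when the client sends a metadata.name field selector,
        # so such requests are denied here unless `name` is supplied.
        return name is not None and name in names
    return True


def _find_role(kind: str, name: str, namespace: Optional[str]) -> Optional[Dict]:
    for role in ROLES:
        meta = role["metadata"]
        if role["kind"] == kind and meta["name"] == name and (
                kind == "ClusterRole" or meta.get("namespace") == namespace):
            return role
    return None


def can_i(subject: str, verb: str, resource: str, namespace: Optional[str] = None,
          name: Optional[str] = None, group: str = "") -> bool:
    """True if any binding grants `subject` the request; namespace=None means cluster scope."""
    for binding in BINDINGS:
        if subject not in {subject_id(s) for s in binding.get("subjects", [])}:
            continue
        ref = binding["roleRef"]
        if binding["kind"] == "ClusterRoleBinding":
            # Grants in every namespace and at cluster scope.
            role = _find_role("ClusterRole", ref["name"], None)
        else:
            # A RoleBinding only grants inside its own namespace, even when it
            # references a ClusterRole; cluster-scoped requests never match it.
            if namespace is None or binding["metadata"]["namespace"] != namespace:
                continue
            role = _find_role(ref["kind"], ref["name"], namespace)
        if role and any(rule_allows(r, group, resource, verb, name)
                        for r in role.get("rules", [])):
            return True
    return False


if __name__ == "__main__":
    sa = "system:serviceaccount:production:my-app"
    print("my-app get secrets/app-secrets:", can_i(sa, "get", "secrets", "production", "app-secrets"))
    print("my-app list secrets:", can_i(sa, "list", "secrets", "production"))
    print("jane delete pods in production:", can_i("jane@example.com", "delete", "pods", "production"))
    print("jane get pods in staging:", can_i("jane@example.com", "get", "pods", "staging"))
    print("bob get nodes (cluster scope):", can_i("bob@example.com", "get", "nodes"))
```

Two results are worth comparing with real `kubectl auth can-i` output: the `my-app` ServiceAccount can `get` the one named secret but not `list` secrets at all, which is exactly the effect `resourceNames` plus a narrow verb list is meant to have; and `jane@example.com`, despite a fully wildcarded Role, gets nothing in `staging`, because a RoleBinding never reaches past its own namespace.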
Common RBAC Verbs
- get - Read a specific resource
- list - List all resources of a type
- watch - Watch for resource changes
- create - Create new resources
- update - Update existing resources
- patch - Partially update resources
- delete - Delete resources
- deletecollection - Delete multiple resources
- `*` - All verbs (avoid in production)
Resource Scope
Cluster-Scoped Resources
- Nodes
- PersistentVolumes
- ClusterRoles
- ClusterRoleBindings
- Namespaces
Namespace-Scoped Resources
- Pods
- Services
- Deployments
- ConfigMaps
- Secrets
- Roles
- RoleBindings