Role based Access

Kubernetes RBAC is a critical security control to ensure that users and workloads only have access to the resources required to execute their roles. By default, users who are allocated a namespace are automatically locked down with permissions at the namespace level only (i.e. using RoleBindings). This control ensures that the users have rights only within the specific namespace and do not have the ability to perform any cluster level commands.

| # | Primary Threat Vector | Default Policy |
|---|---|---|
| 1 | Ensure that tenants can only see and operate on resources inside their assigned namespace/virtual cluster | ENFORCED |

For all namespaces assigned to tenants, the users are automatically mapped to a "Role" with permissions limited to their namespace on the host cluster. For Virtual Clusters, the tenant/user is automatically mapped to a "ClusterRole" for the virtual cluster. Note that although the virtual cluster is operating inside a namespace (with a role) in the host cluster, the user is not provided access to the namespace itself.
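
One way to check the control described above, as an added example rather than the platform's own code: the function takes output shaped like `kubectl get rolebindings,clusterrolebindings -A -o json` and reports tenant users who are bound cluster-wide or in a namespace other than their own. The tenant names, namespaces, binding names and the tenant-to-namespace map are constructed for illustration, and only `User` subjects are checked.

```python
"""Flag tenant users bound outside their assigned namespace (added example)."""

# Hypothetical tenant -> assigned namespace map; on a real platform this would
# come from the tenant inventory.
TENANT_NAMESPACE = {"alice@example.com": "team-a", "bob@example.com": "team-b"}


def _binding(kind, name, role_kind, role, subjects, namespace=None):
    """Build one binding in the shape `kubectl get ... -o json` returns."""
    meta = {"name": name, **({"namespace": namespace} if namespace else {})}
    return {"kind": kind, "metadata": meta,
            "roleRef": {"kind": role_kind, "name": role}, "subjects": subjects}


# Constructed sample, not taken from a real cluster.
SAMPLE = {"kind": "List", "items": [
    _binding("RoleBinding", "tenant-edit", "Role", "tenant-edit",
             [{"kind": "User", "name": "alice@example.com"}], "team-a"),
    _binding("RoleBinding", "bob-view", "ClusterRole", "view",
             [{"kind": "User", "name": "bob@example.com"}], "team-a"),
    _binding("ClusterRoleBinding", "alice-nodes", "ClusterRole", "view",
             [{"kind": "User", "name": "alice@example.com"}]),
    _binding("ClusterRoleBinding", "platform-admins", "ClusterRole",
             "cluster-admin", [{"kind": "Group", "name": "platform-admins"}]),
    _binding("ClusterRoleBinding", "empty", "ClusterRole", "view", None),
]}


def audit_bindings(binding_list, tenant_ns):
    """Return (user, scope, binding, role) for every binding that gives a
    tenant user rights beyond the namespace assigned to them."""
    findings = []
    for item in binding_list.get("items", []):
        meta, role = item["metadata"], item["roleRef"]["name"]
        for subj in item.get("subjects") or []:  # subjects may be null
            user = subj.get("name")
            if subj.get("kind") != "User" or user not in tenant_ns:
                continue
            if item["kind"] == "ClusterRoleBinding":
                findings.append((user, "<cluster-wide>", meta["name"], role))
            # A RoleBinding that references a ClusterRole is still scoped to
            # its own namespace, so only the binding's namespace matters.
            elif meta.get("namespace") != tenant_ns[user]:
                findings.append((user, meta.get("namespace"), meta["name"], role))
    return findings


if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE, TENANT_NAMESPACE):
        print(finding)
```

An empty result means no tenant user in the map holds a binding outside their assigned namespace; group and service-account subjects would need the same check with their own mapping.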

Note: Learn more about Roles and SSO via Identity Provider


Why is it needed?

Role-Based Access Control (RBAC) is required for the following reasons:

Security and Access Management

  • Fine-Grained Permissions: RBAC allows administrators to define granular access controls, ensuring that users, applications, and services have only the permissions they need to perform their tasks—no more, no less. This principle of least privilege minimizes the risk of unauthorized actions.
  • User Authentication and Authorization: RBAC helps in authenticating users and authorizing their actions based on their roles, preventing unauthorized access to sensitive resources within the Kubernetes cluster.

Multi-Tenancy Support

  • Isolated Environments: In a multi-tenant Kubernetes environment where multiple teams or organizations share the same cluster, RBAC helps isolate resources and operations between tenants. This prevents one team from inadvertently or maliciously accessing or modifying another team's resources.
  • Namespace-Specific Controls: RBAC allows for the application of different access controls to different namespaces, supporting environments where different teams or projects operate within their own isolated namespaces.

Compliance and Auditing

  • Regulatory Compliance: Many industries have strict regulations around access control and data handling. RBAC allows organizations to enforce these controls within their Kubernetes clusters, helping to meet compliance requirements.
  • Auditability: RBAC provides a clear and auditable record of who has access to what resources and what actions they are allowed to perform. This is critical for tracking changes, troubleshooting issues, and ensuring accountability.

Operational Efficiency

  • Centralized Management: RBAC centralizes access management, making it easier for administrators to define, modify, and manage permissions across a large and complex Kubernetes environment.
  • Scalability: As a Kubernetes cluster scales, the number of users and resources grows, making manual permission management impractical. RBAC provides a scalable way to manage access across many users and resources.

Protection Against Insider Threats

  • Minimizing Internal Risks: RBAC reduces the risk of insider threats by ensuring that users only have access to the resources they need to do their jobs. This limits the potential damage from accidental or malicious actions by insiders.
  • Role Segregation: By assigning roles based on specific job functions, RBAC helps enforce role segregation, ensuring that no single user has excessive control or access across the system.

Support for DevOps Practices

  • CI/CD Pipeline Security: In DevOps environments, where automation and continuous integration/continuous deployment (CI/CD) pipelines are common, RBAC ensures that automated processes have the necessary permissions to interact with Kubernetes resources without exposing unnecessary access.
  • Collaboration: RBAC facilitates collaboration between development, operations, and security teams by providing clear boundaries and permissions, ensuring that each team can work efficiently without compromising security.

In summary, RBAC is a critical component of Kubernetes that enhances security, supports multi-tenancy, ensures compliance, and improves operational efficiency by providing a flexible and scalable way to manage access to resources.