RBAC
Definition
Role-Based Access Control (RBAC) is a security paradigm used to restrict system access to authorized users based on their roles within an organization. It simplifies the management of permissions by associating roles with specific access rights and assigning users to these roles. This approach helps enforce the principle of least privilege, ensuring users have only the necessary access to perform their duties.
Secure Settings Example
# Kubernetes RBAC example
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
  - kind: User
    name: jane-doe
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
Insecure Settings Example
# Kubernetes RBAC example with overly permissive settings
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: admin-role
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: admin-binding
  namespace: default
subjects:
  - kind: User
    name: john-doe
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: admin-role
  apiGroup: rbac.authorization.k8s.io
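The difference between the two manifests above is mechanical enough to check automatically. The following is an added example, not part of the original page or of Kubernetes itself: it re-types the page's Roles and RoleBindings as Python dicts (constructed input, so no YAML parser is needed), flags any rule that uses "*" or grants write verbs, and then resolves each binding to report which subject ends up holding the over-broad role.

```python
WILDCARD_FIELDS = ("apiGroups", "resources", "verbs")
# Verbs that change cluster state; a read-only role uses only get/list/watch.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

# Constructed input: the page's four manifests as dicts (apiVersion omitted).
POD_READER = {"kind": "Role", "metadata": {"namespace": "default", "name": "pod-reader"},
              "rules": [{"apiGroups": [""], "resources": ["pods"],
                         "verbs": ["get", "watch", "list"]}]}
ADMIN_ROLE = {"kind": "Role", "metadata": {"namespace": "default", "name": "admin-role"},
              "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
READ_PODS = {"kind": "RoleBinding", "metadata": {"namespace": "default", "name": "read-pods"},
             "subjects": [{"kind": "User", "name": "jane-doe"}],
             "roleRef": {"kind": "Role", "name": "pod-reader"}}
ADMIN_BINDING = {"kind": "RoleBinding", "metadata": {"namespace": "default", "name": "admin-binding"},
                 "subjects": [{"kind": "User", "name": "john-doe"}],
                 "roleRef": {"kind": "Role", "name": "admin-role"}}


def audit_role(role):
    """Return findings for one Role/ClusterRole; an empty list means clean."""
    name = role["metadata"]["name"]
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        for field in WILDCARD_FIELDS:
            if "*" in rule.get(field, []):
                findings.append(f"{name}: rule {i} uses '*' in {field}")
        if set(rule.get("verbs", [])) & WRITE_VERBS:
            findings.append(f"{name}: rule {i} grants write verbs")
    return findings


def index_roles(roles):
    """Index roles by (kind, namespace, name); ClusterRoles have namespace None."""
    return {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r for r in roles}


def audit_bindings(bindings, roles):
    """Map each bound subject ('kind/name') to the findings of its role."""
    report = {}
    for b in bindings:
        ref, ns = b["roleRef"], b["metadata"].get("namespace")
        # A RoleBinding may reference a namespaced Role or a cluster-wide ClusterRole.
        role = roles.get((ref["kind"], ns, ref["name"])) or roles.get((ref["kind"], None, ref["name"]))
        findings = audit_role(role) if role else [f"{b['metadata']['name']}: dangling roleRef"]
        for s in b["subjects"]:
            report.setdefault(f"{s['kind']}/{s['name']}", []).extend(findings)
    return report
```

Running this over the page's manifests reports nothing for jane-doe and three wildcard findings for john-doe; a binding whose roleRef names a role that does not exist is reported as dangling rather than silently treated as clean.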