Do you want to enforce Least Privilege Principle to k8s Api Server?

tvelmachos

Thodoris Velmachos

Posted on December 5, 2022


Hello, in this tutorial I will describe the steps needed to provide access to Kubernetes clusters more easily and in a more controlled way, by leveraging Kubernetes RBAC to fine-grain the permissions assigned to k8s users, i.e. development teams.

Teleport to the rescue, let's dive in...

Prerequisite steps:
A Teleport instance; please see the following links:

Let's proceed with the next steps.

On the k8s cluster, let's create a ServiceAccount, a ClusterRole and a RoleBinding that scopes that ClusterRole to the default namespace.

# The imperative way: apply the manifests from a heredoc
# (the original used `kubectl delete -f -`, which would remove them instead of creating them)
cat << EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: developers-view-sa
  namespace: default

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developers-view-cr
rules:
# Read-only access to the listed workload resources in the core, apps and batch API groups
- verbs: ["get", "list", "watch"]
  resources:
  - namespaces
  - services
  - endpoints
  - pods
  - deployments
  - configmaps
  - jobs
  - cronjobs
  - daemonsets
  - statefulsets
  - replicasets
  - persistentvolumes
  apiGroups: ["","apps","batch"]
# Port-forwarding is a "create" on the pods/portforward subresource;
# `kubectl port-forward svc/...` resolves the service to a pod and uses the same subresource,
# so there is no separate svc/portforward resource to grant.
- verbs: ["create"]
  resources:
  - pods/portforward
  apiGroups: [""]
---
apiVersion: rbac.authorization.k8s.io/v1
# A namespaced RoleBinding: the ClusterRole's rules apply only inside "default",
# so cluster-scoped resources listed above (namespaces, persistentvolumes) are not
# readable through this binding; a ClusterRoleBinding would be needed for those.
kind: RoleBinding
metadata:
  name: developers-view-rb
  namespace: default
subjects:
- kind: ServiceAccount
  name: developers-view-sa
  namespace: default
roleRef:
  kind: ClusterRole
  name: developers-view-cr
  apiGroup: rbac.authorization.k8s.io
EOF


Finally, you need to create a Role and assign it to the members of your development team. Personally I prefer to leverage GitHub SSO in order to avoid creating the users manually; see the following link: https://goteleport.com/docs/kubernetes-access/controls/.

Log in to the Web Portal, go to Team and then to Auth Connectors, and create an Auth Connector.

kind: github
metadata:
  name: github
spec:
  client_id: xxxxxxxxxxxxxxx
  client_secret: xxxxxxxxxxxxxxx
  display: GitHub
  endpoint_url: ""
  redirect_url: https://<domain>/v1/webapi/github/callback
  teams_to_logins:
  - logins:
    - access
    - <k8s-role> i.e kube-dev-access
    organization: <GithubOrg>
    team: <GithubTeam>
  teams_to_roles: null
version: v3

Then go to Roles and create a new Role.

kind: role
metadata:
  id: 1670274429591976402
  name: kube-dev-access
spec:
  allow:
    kubernetes_groups:
    - developers-view-cr
    kubernetes_labels:
      '*': '*'
    kubernetes_users:
    - system:serviceaccount:default:developers-view-sa
    rules:
    - resources:
      - '*'
      verbs:
      - get
      - list
      - watch
  deny: {}
  options:
    cert_format: standard
    create_host_user: false
    desktop_clipboard: true
    desktop_directory_sharing: true
    enhanced_recording:
    - command
    - network
    forward_agent: false
    max_session_ttl: 30h0m0s
    pin_source_ip: false
    port_forwarding: true
    record_session:
      default: best_effort
      desktop: true
    ssh_file_copy: true
version: v5
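To see what the identity mapped by this Teleport role can actually do once it reaches the API server, here is an added example (my own code, not from the post, Teleport or Kubernetes): a small re-implementation of the Kubernetes RBAC decision fed with the ClusterRole, RoleBinding and the role's `kubernetes_users` / `kubernetes_groups` values from the two sections above, transcribed by hand. It assumes the port-forward rule grants `create` on `pods/portforward` (the verb that subresource requires), and the requests at the bottom are constructed test cases, so it runs offline without a cluster.

```python
"""Offline check of what the Teleport-mapped identity can do on the cluster.

Added example, not code from the post, Teleport or Kubernetes: a small
re-implementation of the Kubernetes RBAC decision, fed with the ClusterRole,
RoleBinding and Teleport kubernetes_users/kubernetes_groups values from the
post (transcribed by hand), so the scope of the grant can be checked without
a cluster. The requests at the bottom are constructed test cases.
"""

# ClusterRole developers-view-cr (rules as in the post; port-forward is a
# "create" on the pods/portforward subresource, which is what kubectl uses).
CLUSTER_ROLES = {
    "developers-view-cr": [
        {"verbs": ["get", "list", "watch"], "apiGroups": ["", "apps", "batch"],
         "resources": ["namespaces", "services", "endpoints", "pods", "deployments",
                       "configmaps", "jobs", "cronjobs", "daemonsets", "statefulsets",
                       "replicasets", "persistentvolumes"]},
        {"verbs": ["create"], "apiGroups": [""], "resources": ["pods/portforward"]},
    ]
}

# RoleBinding developers-view-rb lives in "default"; the post creates no ClusterRoleBinding.
ROLE_BINDINGS = [{
    "namespace": "default", "roleRef": "developers-view-cr",
    "subjects": [{"kind": "ServiceAccount", "name": "developers-view-sa", "namespace": "default"}],
}]
CLUSTER_ROLE_BINDINGS = []

# Identity the kube-dev-access Teleport role impersonates (kubernetes_users / kubernetes_groups).
TELEPORT_IDENTITY = {
    "user": "system:serviceaccount:default:developers-view-sa",
    "groups": ["developers-view-cr"],
}


def subject_matches(subject, identity):
    """Does a binding subject refer to this impersonated user or one of its groups?"""
    if subject["kind"] == "ServiceAccount":
        return identity["user"] == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    if subject["kind"] == "User":
        return identity["user"] == subject["name"]
    if subject["kind"] == "Group":
        return subject["name"] in identity["groups"]
    return False


def rule_allows(rule, verb, group, resource):
    """One RBAC rule: every dimension must list the value or the "*" wildcard."""
    return all(value in allowed or "*" in allowed for value, allowed in
               ((verb, rule["verbs"]), (group, rule["apiGroups"]), (resource, rule["resources"])))


def binding_allows(binding, identity, verb, group, resource):
    """A binding grants the request if a subject matches and a rule of its role allows it."""
    return (any(subject_matches(s, identity) for s in binding["subjects"])
            and any(rule_allows(r, verb, group, resource) for r in CLUSTER_ROLES[binding["roleRef"]]))


def can_i(identity, verb, resource, group="", namespace=None):
    """RBAC is allow-only: True if any binding grants the request.

    namespace=None models a cluster-scoped request (namespaces, persistentvolumes);
    a RoleBinding never grants those, even when its ClusterRole lists the resource.
    """
    if any(binding_allows(b, identity, verb, group, resource) for b in CLUSTER_ROLE_BINDINGS):
        return True
    if namespace is None:
        return False
    return any(b["namespace"] == namespace and binding_allows(b, identity, verb, group, resource)
               for b in ROLE_BINDINGS)


def effective_access_report(identity=TELEPORT_IDENTITY):
    """Constructed requests a developer would typically issue; returns {request: allowed}."""
    requests = [
        ("get", "pods", "", "default"),
        ("create", "pods/portforward", "", "default"),
        ("get", "deployments", "apps", "default"),
        ("delete", "pods", "", "default"),          # write verb: not granted
        ("get", "secrets", "", "default"),           # resource missing from the role
        ("get", "pods", "", "kube-system"),          # other namespace: binding does not reach
        ("list", "namespaces", "", None),            # cluster-scoped: needs a ClusterRoleBinding
    ]
    return {f"{verb} {resource} ns={namespace}": can_i(identity, verb, resource, group, namespace)
            for verb, resource, group, namespace in requests}


if __name__ == "__main__":
    for request, allowed in effective_access_report().items():
        print(f"{'allow' if allowed else 'deny ':5} {request}")
```

Two things the run makes visible: the `kubernetes_groups` entry names the ClusterRole, but RBAC only honours a group that appears as a `kind: Group` subject in some binding, so every permission here flows through the `kubernetes_users` service account; and because the binding is a namespaced RoleBinding, reads of `namespaces` and `persistentvolumes` are denied even though the ClusterRole lists them. On a real cluster the same questions are answered with `kubectl auth can-i <verb> <resource> -n default --as=system:serviceaccount:default:developers-view-sa`.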

I hope you like the tutorial; if you do, give it a thumbs up and follow me on Twitter. You can also subscribe to my newsletter so you don't miss any of the upcoming tutorials.

Media Attribution

I would like to thank Clark Tibbs for designing the awesome photo I am using in my posts.

Happy Teleporting, Thank you, Cheers!!!
