Do you want to enforce Least Privilege Principle to k8s Api Server?
Thodoris Velmachos
Posted on December 5, 2022
Hello! In this tutorial I will describe the steps needed to provide access to Kubernetes clusters more easily and in a more controlled way, by leveraging Kubernetes RBAC to fine-grain the permissions assigned to k8s users, i.e. development teams.
Teleport to the rescue, let's dive in...
Prerequisite Steps:
A Teleport Instance, please see the following links:
- https://goteleport.com/docs/kubernetes-access/getting-started/
- https://goteleport.com/docs/deploy-a-cluster/open-source/
- https://dev.to/tvelmachos/teleport-database-access-management-4b53
Let's proceed with the next steps.
On the k8s cluster, let's create a Service Account, a Cluster Role and a Role Binding.
```bash
# Create the objects by piping the manifests to kubectl
cat << EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: developers-view-sa
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developers-view-cr
rules:
  - verbs: ["get", "list", "watch"]
    resources:
      - namespaces
      - services
      - endpoints
      - pods
      - deployments
      - configmaps
      - jobs
      - cronjobs
      - daemonsets
      - statefulsets
      - replicasets
      - persistentvolumes
    apiGroups: ["", "apps", "batch"]
  # kubectl port-forward POSTs to the pods/portforward subresource, so it needs
  # the create verb. Services have no portforward subresource; kubectl resolves
  # svc/<name> to a backing pod first, so pods/portforward covers that case too.
  - verbs: ["create"]
    resources:
      - pods/portforward
    apiGroups: [""]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
# A namespaced RoleBinding limits the ClusterRole to the default namespace.
# The cluster-scoped resources listed above (namespaces, persistentvolumes)
# are therefore not readable; use a ClusterRoleBinding if cluster-wide read
# access is intended.
metadata:
  name: developers-view-rb
  namespace: default
subjects:
  - kind: ServiceAccount
    name: developers-view-sa
    namespace: default
roleRef:
  kind: ClusterRole
  name: developers-view-cr
  apiGroup: rbac.authorization.k8s.io
EOF
```
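To reason about what this binding actually grants without touching a cluster, here is an added example (not code from the post, Kubernetes or Teleport) that re-implements the core of Kubernetes RBAC rule matching and evaluates a few constructed requests against the page's ClusterRole. It assumes the `create` verb on pods/portforward, which `kubectl port-forward` needs, and shows why a namespaced RoleBinding cannot reach cluster-scoped resources such as namespaces.

```python
"""Added example: minimal re-implementation of Kubernetes RBAC rule matching,
used to check offline what the page's developers-view-cr ClusterRole grants.
On a live cluster the same question is answered by:
  kubectl auth can-i <verb> <resource> --as=system:serviceaccount:default:developers-view-sa"""
from dataclasses import dataclass

# Rules copied from the page's ClusterRole; the second rule uses `create`
# because `kubectl port-forward` POSTs to the pods/portforward subresource.
CLUSTER_ROLE_RULES = [
    {"apiGroups": ["", "apps", "batch"], "verbs": ["get", "list", "watch"],
     "resources": ["namespaces", "services", "endpoints", "pods", "deployments",
                   "configmaps", "jobs", "cronjobs", "daemonsets",
                   "statefulsets", "replicasets", "persistentvolumes"]},
    {"apiGroups": [""], "verbs": ["create"], "resources": ["pods/portforward"]},
]

@dataclass(frozen=True)
class Request:
    verb: str
    api_group: str   # "" is the core API group
    resource: str    # "pods" or "pods/portforward" (subresource form)
    namespace: str   # "" for cluster-scoped requests such as namespaces

def rule_matches(rule, req):
    def hit(field, value):
        return "*" in field or value in field
    return (hit(rule["verbs"], req.verb) and hit(rule["apiGroups"], req.api_group)
            and hit(rule["resources"], req.resource))

def allowed(req, binding_namespace="default"):
    """True if the ClusterRole, bound by a RoleBinding in `binding_namespace`
    (or by a ClusterRoleBinding when None), permits `req`."""
    if binding_namespace is not None and req.namespace != binding_namespace:
        return False  # a RoleBinding never reaches outside its own namespace
    return any(rule_matches(r, req) for r in CLUSTER_ROLE_RULES)

def audit(binding_namespace="default"):
    """Evaluate a constructed set of requests a developer might make."""
    checks = {
        "get pods in default": Request("get", "", "pods", "default"),
        "port-forward a pod in default": Request("create", "", "pods/portforward", "default"),
        "delete pods in default": Request("delete", "", "pods", "default"),
        "get secrets in default": Request("get", "", "secrets", "default"),
        "get pods in kube-system": Request("get", "", "pods", "kube-system"),
        "list namespaces (cluster-scoped)": Request("list", "", "namespaces", ""),
    }
    return {name: allowed(req, binding_namespace) for name, req in checks.items()}

if __name__ == "__main__":
    for name, ok in audit().items():
        print(f"{'ALLOW' if ok else 'DENY '} {name}")
```

Calling `audit(None)` evaluates the same requests as if a ClusterRoleBinding were used, which is how the namespaces and kube-system checks flip to ALLOW.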
Finally, you need to create a Role and assign it to the members of your development team. Personally, I prefer to leverage GitHub SSO to avoid creating the users manually; see https://goteleport.com/docs/kubernetes-access/controls/.
Log in to the Web Portal, go to Team and then to Auth Connectors, and create an Auth Connector.
```yaml
kind: github
metadata:
  name: github
spec:
  client_id: xxxxxxxxxxxxxxx
  client_secret: xxxxxxxxxxxxxxx
  display: GitHub
  endpoint_url: ""
  redirect_url: https://<domain>/v1/webapi/github/callback
  teams_to_logins:
    - logins:
        - access
        - <k8s-role>   # i.e. kube-dev-access, the Teleport role created in the next step
      organization: <GithubOrg>
      team: <GithubTeam>
  teams_to_roles: null
version: v3
```
Then go to Roles and create a new Role.
```yaml
kind: role
metadata:
  id: 1670274429591976402
  name: kube-dev-access
spec:
  allow:
    kubernetes_groups:
      - developers-view-cr
    kubernetes_labels:
      '*': '*'
    # Teleport impersonates this service account towards the API server, so the
    # user inherits exactly what the RoleBinding above grants to it.
    kubernetes_users:
      - system:serviceaccount:default:developers-view-sa
    rules:
      - resources:
          - '*'
        verbs:
          - get
          - list
          - watch
  deny: {}
  options:
    cert_format: standard
    create_host_user: false
    desktop_clipboard: true
    desktop_directory_sharing: true
    enhanced_recording:
      - command
      - network
    forward_agent: false
    max_session_ttl: 30h0m0s
    pin_source_ip: false
    port_forwarding: true
    record_session:
      default: best_effort
      desktop: true
    ssh_file_copy: true
version: v5
```
I hope you like the tutorial. If you do, give it a thumbs up and follow me on Twitter; you can also subscribe to my newsletter so you don't miss any of the upcoming tutorials.
Media Attribution
I would like to thank Clark Tibbs for designing the awesome photo I am using in my posts.
Happy Teleporting, Thank you, Cheers!!!