
I am currently facing the current situation. I want to give users access to individual namespaces, such that they can

  • create and deploy resources with Helm charts (for instance, from Bitnami)

On the other hand the users are not supposed to

  • create/retrieve/modify/delete RBAC settings like ServiceAccounts, RoleBindings, Roles, NetworkPolicies
  • get hands on secrets associated to ServiceAccounts

Of course, the crucial thing is to define the best Role for it here. Likely, the following is not the best idea here:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role
  namespace: example-namespace
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
```

Hence, it would be great if you could come along with some sensible approach that the users can work on it as freely as possible, yet do not get hands on some more "dangerous" resources.

In essence, I want to follow the workflow outlined here (https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html). So what matters most is that individual users in one namespace cannot read the secrets of the other users in the same namespace, such that they cannot authenticate with the credentials of someone else.

2 Answers

In my opinion the following strategy will help:

  1. RBAC to limit access to service accounts of own namespace only.
  2. Make sure automountServiceAccountToken: false in secret and POD level using policies. This helps in protecting secrets when there is a node security breach. The secret will only be available for execution time and will not be stored in the POD.

     https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server

  3. Encrypt secrets stored in etcd using KMS (recommended). But if you don't have a KMS provider then you can also choose other providers to ensure minimum security.

     https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#providers


5 Comments

Thanks Rajesh for your input. Could you make some resources code examples, such that I could try it out?
Hi Rajesh, I updated my question with some additional paragraph at the very bottom of it. Is that possible to achieve somehow? If so, could you tell me how?
This answer looks precise in connection with documentation. I don't think it's possible to restrict secrets in one namespace between different service accounts since secret is a namespaced object. Hence one namespace for one service account where SA will have access to any secrets within.
@moonkotte But the secrets can be encrypted in such a way that other users cannot read it? I am sorry if I am asking a basic question, I am just quite inexperienced with these matters.
@tobias Maybe using some 3rd party tools, but not with native k8s features.

Sounds like the ClusterRole edit would almost fit your needs. https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles

It will allow access to secrets, though: "However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace."

8 Comments

Thanks for your input, you are right. However, it seems that other users can see the secrets associated to a ServiceAccount of another user, which would result in some security issue. Hence, is there a way to bypass that issue?
You could just separate them into different namespaces?
Well there are many users supposed to work on the same namespace and project. But they should have different credentials, such that when I remove the account of one user he cannot work on it anymore, but the others are unaffected. If all users can see the secrets associated to each other user's ServiceAccount, then he can store it and use the other's credentials even after being removed himself.
But would you not always need to be able to manage the ServiceAccount used by the Pod you're working with? Or who creates the ServiceAccount in the first place?
Well, I will create the ServiceAccount for each user. My only requirement is, that they cannot get the secrets of the other users, even in the same namespace, such that they cannot later access the cluster even after I deleted that specific user. Is that possible?
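As an added illustration of the narrowing discussed in this answer (not code from the question, the answers or the Kubernetes docs), here is a namespaced Role modelled on the user-facing `edit` role but with `secrets`, `serviceaccounts`, RBAC objects and `networkpolicies` left out, plus a per-user RoleBinding. The Role name `chart-deployer` and the subject `alice` are placeholders; `example-namespace` is taken from the question.

```yaml
# Added example: a Role that lets a user deploy typical chart workloads in
# "example-namespace" while granting no access to secrets, serviceaccounts,
# roles, rolebindings or networkpolicies. Names other than the namespace are
# placeholders chosen for this example.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: chart-deployer
  namespace: example-namespace
rules:
  # Core objects a chart usually creates. "secrets" and "serviceaccounts" are
  # deliberately absent; "pods/exec" and "pods/portforward" are also omitted,
  # because a shell inside a Pod exposes that Pod's mounted ServiceAccount token.
  - apiGroups: [""]
    resources: ["pods", "services", "configmaps", "persistentvolumeclaims", "endpoints"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods/log", "events"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]   # networkpolicies intentionally not listed
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# One RoleBinding per user, so deleting a user means deleting only that
# binding and the others are unaffected. "alice" is a placeholder subject.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: chart-deployer-alice
  namespace: example-namespace
subjects:
  - kind: User
    name: alice
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: chart-deployer
  apiGroup: rbac.authorization.k8s.io
```

Helm 3 stores its release records in Secrets by default, so users bound to this Role need to run Helm with `HELM_DRIVER=configmap` (ConfigMaps are permitted above), and charts that create their own ServiceAccount must be configured to reuse one you pre-created. The Role alone still does not stop a user with `create pods` from running a Pod under another user's `serviceAccountName` and reading the token projected into it, which is exactly the warning quoted above for `edit`; closing that gap needs an admission policy that restricts which ServiceAccounts a given user's Pods may use.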