Wiz

Kubernetes Security

Identity & access management

Effective identity and access management (IAM) is critical for protecting Kubernetes environments. By implementing strong controls, you can limit access to sensitive resources, reduce the risk of unauthorized activity, and safeguard critical workloads. This module provides a comprehensive overview of IAM in Kubernetes, offering actionable strategies for practitioners to enhance access security and maintain compliance. 

The lessons in this section will explore: 

  • Kubernetes RBAC: Understand the fundamentals of Role-Based Access Control (RBAC) to define and enforce access permissions for users, groups, and service accounts within your Kubernetes clusters. 

  • Service Accounts Management: Learn best practices for securely managing Kubernetes service accounts, ensuring proper access for applications and system processes without unnecessary privileges. 

  • Secrets Management: Discover how to securely handle sensitive data such as API keys, passwords, and certificates in Kubernetes, minimizing exposure risks while maintaining accessibility for authorized users and applications. 

  • User Namespaces: Explore how user namespaces can be leveraged to isolate container processes and improve access control, adding another layer of security within multi-tenant Kubernetes environments. 

This module equips cloud security teams with the tools and knowledge needed to establish robust access controls for Kubernetes environments. With practical guidance and actionable insights, it prepares leaders to confidently train their teams and implement IAM strategies that reduce risks and align with security best practices. 

Additionally, IAM in Kubernetes cannot be discussed without addressing the complexity of the cloud identity control plane (e.g., AWS IAM) and the Kubernetes identity control plane. Kubernetes has evolved significantly in how it handles workload identities, especially in environments like Amazon EKS. 

A progression worth noting includes: 

  • Instance Profiles: Coarse-grained access management at the host level. 

  • Proxy Roles (kube2iam): Introduced proxy roles that rely on host networking but require trust in third-party components. 

  • IRSA (IAM Roles for Service Accounts): AWS's v1 solution for fine-grained access at the pod level. 

  • Pod Identity (IRSA v2): The latest iteration, enabling short-lived, scoped access directly from Kubernetes pods to cloud resources (e.g., S3, RDS). As of this writing, Pod Identities are the best practice to follow. 

This evolution has allowed Kubernetes environments to unify control planes across platforms like AWS while maintaining portable Kubernetes manifests and leveraging Infrastructure-as-Code (IaC) tools such as Pulumi. These advancements streamline the provisioning of both workloads and identities, improving security and operational efficiency. 

For a deeper dive into this topic, consider exploring this informative YouTube video

Threat detection and responseKubernetes RBAC and IAM