Wiz

Kubernetes Security

Service accounts management

Effective identity and access management is essential for securing Kubernetes workloads and enabling seamless interaction with cloud resources. This module covers critical practices and tools for managing Service Accounts and Workload Identities, empowering teams to enhance security while minimizing risk. 

Key Concepts and Tools 

ServiceAccount: 

  • A Kubernetes account that provides an identity for processes within Pods to authenticate and interact with the API server. ServiceAccounts are: 

  • Namespaced and lightweight, making them ideal for specific tasks. 

  • Configurable with Roles or ClusterRoles through bindings to enforce least privilege. 

  • Used with bound tokens for dynamic and secure authentication tied to API objects. 

Workload Identities (Identity Federation): 

A secure mechanism for Kubernetes workloads to access external cloud services (e.g., AWS, GCP, Azure) without embedding credentials. By mapping Kubernetes ServiceAccounts to cloud-native identities, organizations can: 

  • Leverage IAM policies for precise access control

  • Reduce the risk of credential leaks

  • Streamline management across multi-cloud environments

Additionally, it is important to address the complexity of the cloud identity control plane (e.g., AWS IAM) and the Kubernetes identity control plane, which has seen significant evolution in handling workload identities, particularly in Amazon EKS. 

A notable progression includes: 

  • Instance Profiles: Coarse-grained access management at the host level. 

  • Proxy Roles (kube2iam): Introduced proxy roles that rely on host networking but require trust in third-party components. 

  • IRSA (IAM Roles for Service Accounts): AWS's v1 solution for fine-grained access at the pod level. 

  • Pod Identity (IRSA v2): The latest iteration, enabling short-lived, scoped access directly from Kubernetes pods to cloud resources (e.g., S3, RDS). 

This evolution has allowed Kubernetes environments to unify control planes across platforms like AWS while maintaining portable Kubernetes manifests and leveraging Infrastructure-as-Code (IaC) tools such as Pulumi for streamlined provisioning of both workloads and identities. 

Best Practices for Service Accounts Management 

  • Enforce least privilege: Assign minimal permissions necessary for workloads using RoleBindings or ClusterRoleBindings. 

  • Adopt bound tokens: Use tokens tied to specific API objects for enhanced security and dynamic lifecycle management. 

  • Enable identity federation: Map ServiceAccounts to cloud IAM policies for secure external resource access without static credentials. 

  • Regularly audit usage: Monitor and manage ServiceAccount activity to ensure compliance and prevent misuse. 

By understanding ServiceAccounts, adopting identity federation practices, and leveraging modern advancements in cloud identity management, teams can confidently secure workloads, prevent unauthorized access, and optimize IAM strategies in Kubernetes environments. 

Kubernetes RBAC and IAMSecrets management