Detect real-time malicious behavior in Kubernetes clusters

Learn why CISOs at the fastest growing companies choose Wiz to secure their Kubernetes workloads.

Kubernetes RBAC Explained

Kubernetes role-based access control (RBAC) serves as a foundational security layer within Kubernetes. It is essential for regulating access to the K8s API and its resources, allowing organizations to define user roles with specific permissions to effectively control who can see or interact with what resources within a cluster.

7 minutes read

What is Kubernetes RBAC?

Kubernetes role-based access control (RBAC) serves as a foundational security layer within Kubernetes. It is essential for regulating access to the K8s API and its resources, allowing organizations to define user roles with specific permissions to effectively control who can see or interact with what resources within a cluster. Such a setup is vital for enforcing the principle of least privilege, where users have access only to those resources required for their specific role, thus minimizing potential breaches.

RBAC also facilitates granular governance over Kubernetes resources, which is critical for organizations to comply with various regulatory standards. By managing access rights, RBAC helps prevent unauthorized access and mitigate risks, forming a core component of Kubernetes security best practices.

According to Spectro Cloud’s recent report on Kubernetes, 56% of businesses manage more than 10 Kubernetes clusters, with 69% running these resources across multiple clouds or other environments. This widespread adoption is projected to increase, emphasizing the need for stringent security measures to manage the inherent complexities and vulnerabilities of such distributed systems​. 

By managing access rights, RBAC forms a core component of a robust Kubernetes security strategy.

RBAC’s critical role in your Kubernetes setup

In Kubernetes, a typical application's environment consists of nodes, pods, and services that manage the networking between these pods or external access to them. Each of these components must be properly secured so they don’t become a vulnerability.

Let's dive into how RBAC helps mitigate different types of risk that can plague your Kubernetes ecosystem.

Securing API access 

Kubernetes operates via an API, which is used for all operational commands—from launching new pods to adjusting network policies. If access to this API is not controlled, malicious actors could manipulate your Kubernetes operations, leading to potential data breaches or service disruptions. 

RBAC helps mitigate this risk by ensuring that only authorized users can execute certain actions on the API, based on their roles within your organization.

Minimizing insider threats

Not all security threats come from the outside; some are the result of insider actions, either malicious or accidental. Without RBAC, any user or application with access to your K8s cluster could potentially modify configurations, delete resources, or access sensitive information. 

RBAC enforces the principle of least privilege, ensuring users and applications only have access to the resources necessary for their specific functions; this reduces the risk of insider threats.

Meeting compliance requirements

Many regulatory frameworks require strict access controls and audit capabilities to make sure only authorized parties can use or modify sensitive information. 

RBAC helps you comply with these regulations by not only providing detailed access controls but also logging all operations, which can be crucial for audits.

Managing complex configurations 

As your Kubernetes environment grows, so does its complexity. Managing access rights without a structured approach like RBAC can become unwieldy and error-prone. 

RBAC provides a clear framework for defining, applying, and managing access policies; this is essential for maintaining order and security in complex environments.

Enhancing your security posture

Managing and restricting user permissions is a foundational best practice for securing your Kubernetes cluster. 

Without RBAC, you are essentially leaving your cluster open to potential misconfigurations and vulnerabilities that could be exploited by malicious actors. For instance, unrestricted access can lead to the deployment of unauthorized applications or configurations that may not comply with your security policies, opening up "grey zones" where security is ambiguous.

Moreover, lateral movement, where an attacker moves from one part of the network to another, can be significantly mitigated by implementing strict RBAC policies. If an attacker compromises one component of your K8s infrastructure, RBAC can still prevent them from accessing broader network resources, thus containing the breach and limiting damage.

RBAC isn't just about locking down your Kubernetes cluster; it's about creating a dynamic, responsive security environment where access is continuously evaluated and adjusted based on evolving threats and operational needs. By implementing RBAC, you are not only protecting your resources but also structuring your operations for scalability, compliance, and advanced security management.

Kubernetes security threats in the real world

Below, we discuss two real-world examples of K8s RBAC vulnerabilities leading to security breaches. These highlight the significant risks associated with misconfigured access controls. 

RBAC Buster

The attack campaign "RBAC Buster" involved hackers exploiting misconfigured Kubernetes API servers that accepted unauthenticated requests from anonymous users. The attackers then used this access to implement malicious RBAC policies, create backdoors, and deploy cryptocurrency mining operations within the compromised server. 

This incident serves as a stark reminder of the importance of strict RBAC configurations and the need for continuous security audits to identify and rectify potential vulnerabilities promptly.

Argo CD vulnerability

Another major incident involved a critical vulnerability in Argo CD, a popular application deployment tool used with Kubernetes. This vulnerability allowed unauthenticated users to bypass normal verification by exploiting flawed JWT handling, granting them the same access as admin users. With these elevated privileges, attackers could potentially execute arbitrary commands, alter configurations, or extract sensitive data from the Kubernetes cluster.

This breach not only underscores the criticality of securing service accounts and endpoints but also highlights the cascading effects of security lapses in interconnected tools and platforms within your K8s ecosystem.

Setting up basic Kubernetes RBAC

At the very minimum, you should set up RBAC controls on your Kubernetes cluster. So let's go through what that would look like, step by step.

Step 1: Enable RBAC on your Kubernetes cluster

Make sure your Kubernetes API server starts with the --authorization-mode flag including role-based access control. 

In Kubernetes, the --authorization-mode flag configures the authorization mechanisms that the API server should use. By including RBAC in this flag, you enable it as the method for controlling authorization decisions within your cluster.

Step 2: Define Roles and ClusterRoles

Roles are permissions assigned within a namespace. Use them to grant access to resources needed by users or pods operating within a single namespace.

Example:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

ClusterRoles are cluster-wide permissions. Use these for resources that need to be accessible across the entire cluster or for namespaces themselves.

Example:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list"]

Step3: Create RoleBindings and ClusterRoleBindings

RoleBindings are the mechanism through which the permissions specified in a Role are assigned to a user or group of users.

Example: Binding the pod-reader role to a user named Carl within the default namespace:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: carl
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

ClusterRoleBindings grant the permissions defined in a ClusterRole across the entire cluster.

Example: Binding the node-reader ClusterRole to all users in the group system:masters:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-nodes
subjects:
- kind: Group
  name: system:masters
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io

By following these steps and examples, you can establish a foundational security model within your Kubernetes environment that controls who can do what. This is critical for the integrity and security of your applications and data within Kubernetes.

Best practices for Kubernetes RBAC

When you adopt RBAC best practices in Kubernetes, they not only enhance your security posture but also yield specific operational benefits. Let’s discuss how implementing these measures can impact your Kubernetes management.

Implement the principle of least privilege 

By granting the minimum permissions necessary, you avoid permissions being misused, either by accident or due to malicious intent. This focused access control helps prevent data breaches by making sure users and apps only access resources essential to their roles.

Regularly review and update permissions 

Keeping your permissions up to date as roles change within your organization helps avoid the security risks associated with over-privileged accounts. This proactive approach ensures that access rights are always aligned with current needs, minimizing the potential attack surface.

Use namespaces to limit scope

User namespace mapping between host and container user IDs

Namespaces act as virtual clusters within Kubernetes that contain resources for specific projects or teams. By limiting the scope of roles, namespaces help contain breaches within a confined environment, preventing them from spreading across your entire cluster. This isolation helps with damage control and simplifies management.

Audit and monitor RBAC events

Auditing and monitoring give you transparency into any changes in access patterns and thus possible security incidents. By logging and analyzing RBAC events, you can detect anomalies early and respond to unauthorized access attempts swiftly. This continuous oversight is crucial for adhering to security policies and regulatory demands.

Automate RBAC policies with policy as code

Automating RBAC using policy as code guarantees that a company’s security settings are used consistently throughout its ecosystem, without the risk of human error. Tools like Open Policy Agent (OPA) help enforce these policies dynamically, reducing the operational burden and enhancing compliance across your entire infrastructure.

Secure sensitive operations with additional checks

Implementing additional verification steps for sensitive operations safeguards against unauthorized changes that could impact cluster security. This layered security strategy prevents potential attackers from exploiting high-privilege operations, thereby strengthening your security defenses.

Integrate with external identity providers 

Using external identity providers streamlines user authentication and management. Integrating Kubernetes with protocols like the Lightweight Directory Access Protocol (LDAP) or OpenID Connect (OIDC) for authentication centralizes user credential management and boosts security by leveraging existing, robust security infrastructures.

By implementing the above RBAC best practices, you not only secure your Kubernetes environment but also improve its management and compliance posture. Each step reduces risks and enhances operational efficiencies, making your infrastructure both secure and easier to manage.

How Wiz can help

As we've explored, RBAC is not just a feature within K8s, it’s a fundamental security layer that safeguards your applications by ensuring that only authorized personnel have access to specific resources. Implementing RBAC correctly is essential for minimizing potential breaches, managing complex configurations, and adhering to compliance requirements.

Example Wiz detection of anonymous access to a Kubernetes cluster followed by admin role creation and cryptomining-related activity.

Wiz can assist in securing Kubernetes RBAC by providing visibility into the cluster's architecture and setup, including identities such as ClusterRoleBindings, ClusterRoles, RoleBindings, and Roles. By analyzing these components, Wiz can identify risks associated with Kubernetes-specific identities and configurations.

Additionally, Wiz's Admission Controller can enforce security policies in your Kubernetes clusters, preventing the deployment or modification of resources that violate configured policies. This includes policies used to detect misconfigurations in your resources using Cloud Configuration Rules and policies to verify the integrity of container images using Image Trust Rules.

Example of the Wiz Security Graph

Furthermore, Wiz's Security Graph models relationships between resources, which can help in understanding the impact of RBAC settings and identifying overly permissive roles or bindings that could pose security risks. By integrating Wiz into your CI/CD pipeline, you can also shift left in your enforcement of security policies, ensuring that only secure and compliant configurations are deployed to your Kubernetes clusters.

For more detailed strategies and to see how you can manage your Kubernetes application security more effectively with Wiz, sign up for a demo today

Detect real-time malicious behavior in Kubernetes clusters

Learn why CISOs at the fastest growing companies choose Wiz to secure their Kubernetes workloads.

Get a demo 

Continue reading

What Is Shadow IT? Causes, Risks, and Examples

Wiz Experts Team

Shadow IT is an employee’s unauthorized use of IT services, applications, and resources that aren’t controlled by—or visible to—an organization’s IT department.

What is API Security?

API security encompasses the strategies, procedures, and solutions employed to defend APIs against threats, vulnerabilities, and unauthorized intrusion.

What is Data Classification?

Wiz Experts Team

In this post, we’ll explore some of the challenges that can complicate cloud data classification, along with the benefits that come with this crucial step—and how a DSPM tool can help make the entire process much simpler.