
      k8s Understanding Kubernetes Security Components

      Understanding Kubernetes Security Components

      In Kubernetes, security is implemented through several components that work together to control access and permissions. Let's explore ServiceAccounts, Roles, RoleBindings, and SecurityContexts.

      ServiceAccount

      A ServiceAccount provides an identity for processes running in a Pod. It's used for authentication when Pods interact with the Kubernetes API.

      Key points:

      • Every namespace has a default ServiceAccount
      • Pods automatically use the namespace's default ServiceAccount, and mount its token, unless specified otherwise
      • ServiceAccounts can be associated with secrets for API authentication

      Role

      A Role defines a set of permissions within a specific namespace. It specifies what actions (verbs) can be performed on which resources.

      Key points:

      • Namespace-scoped
      • Defines permissions using rules (resources and verbs)
      • For cluster-wide permissions, use ClusterRole instead

      RoleBinding

      A RoleBinding grants the permissions defined in a Role to a user, group, or ServiceAccount.

      Key points:

      • Links subjects (users, groups, ServiceAccounts) to a Role
      • Namespace-scoped
      • For cluster-wide bindings, use ClusterRoleBinding

      SecurityContext

      A SecurityContext defines privilege and access control settings for Pods or containers.

      Key points:

      • Can be set at Pod or container level
      • Controls running as specific user/group IDs
      • Manages Linux capabilities
      • Enforces security policies like preventing privilege escalation

      Example: Creating a Pod with Limited Permissions

      Let's create a scenario where we want to run a monitoring Pod that can only read ConfigMaps in its namespace:

      1. Create a ServiceAccount

      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: monitoring-account
        namespace: monitoring
      

      2. Create a Role with limited permissions

      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        name: configmap-reader
        namespace: monitoring
      rules:
      - apiGroups: [""]
        resources: ["configmaps"]
        verbs: ["get", "list", "watch"]
      

      3. Bind the Role to the ServiceAccount

      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: monitoring-configmap-reader
        namespace: monitoring
      subjects:
      - kind: ServiceAccount
        name: monitoring-account
        namespace: monitoring
      roleRef:
        kind: Role
        name: configmap-reader
        apiGroup: rbac.authorization.k8s.io
      

      4. Create a Pod using the ServiceAccount and SecurityContext

      apiVersion: v1
      kind: Pod
      metadata:
        name: secure-monitoring-pod
        namespace: monitoring
      spec:
        serviceAccountName: monitoring-account
        securityContext:
          runAsUser: 1000
          runAsGroup: 3000
          fsGroup: 2000
        containers:
        - name: monitoring-container
          image: monitoring-image:latest
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
              - ALL
          resources:
            limits:
              memory: "128Mi"
              cpu: "500m"
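
To see what steps 1 to 3 actually grant, the following added example (not part of the original post, and not Kubernetes' own authorizer) models the RBAC decision for the Role and RoleBinding above. The function names `matches`, `rule_allows` and `can_i` are hypothetical, and the model covers only namespaced Roles and ServiceAccount subjects.

```python
# Simplified model of an RBAC decision for namespaced resources (added example).
# It ignores ClusterRoles, resourceNames, subresources and non-resource URLs.
ROLE = {  # the Role from step 2
    "kind": "Role",
    "metadata": {"name": "configmap-reader", "namespace": "monitoring"},
    "rules": [{"apiGroups": [""], "resources": ["configmaps"],
               "verbs": ["get", "list", "watch"]}],
}
BINDING = {  # the RoleBinding from step 3
    "kind": "RoleBinding",
    "metadata": {"name": "monitoring-configmap-reader", "namespace": "monitoring"},
    "subjects": [{"kind": "ServiceAccount", "name": "monitoring-account",
                  "namespace": "monitoring"}],
    "roleRef": {"kind": "Role", "name": "configmap-reader",
                "apiGroup": "rbac.authorization.k8s.io"},
}

def matches(values, wanted):
    """A rule field matches on an exact entry or the "*" wildcard."""
    return "*" in values or wanted in values

def rule_allows(rule, verb, api_group, resource):
    return (matches(rule.get("apiGroups", []), api_group)
            and matches(rule.get("resources", []), resource)
            and matches(rule.get("verbs", []), verb))

def can_i(sa_namespace, sa_name, verb, resource, namespace, api_group="",
          roles=(ROLE,), bindings=(BINDING,)):
    """True if a RoleBinding in `namespace` grants the ServiceAccount the request."""
    for b in bindings:
        if b["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only applies inside its own namespace
        if not any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                   and s.get("namespace") == sa_namespace for s in b["subjects"]):
            continue  # binding does not name this ServiceAccount
        ref = b["roleRef"]
        for r in roles:
            if (r["kind"] == ref["kind"] and r["metadata"]["name"] == ref["name"]
                    and r["metadata"]["namespace"] == namespace
                    and any(rule_allows(x, verb, api_group, resource) for x in r["rules"])):
                return True
    return False  # RBAC is additive only: nothing matched, so the request is denied

if __name__ == "__main__":
    sa = ("monitoring", "monitoring-account")
    for verb, res, ns in [("get", "configmaps", "monitoring"), ("delete", "configmaps", "monitoring"),
                          ("get", "secrets", "monitoring"), ("get", "configmaps", "default")]:
        print(f"{verb:<7}{res:<11}-n {ns:<11}", "yes" if can_i(*sa, verb, res, ns) else "no")
```

On a live cluster the same question is answered by `kubectl auth can-i get configmaps --as=system:serviceaccount:monitoring:monitoring-account -n monitoring`.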
      
      posted @ 2025-09-22 12:20  iTech