Cloud Intermediate
Kubernetes RBAC¶
KubernetesRBACSecurity 3 min read
Role-Based Access Control v Kubernetes. Roles, ClusterRoles, bindings a service accounts.
Koncept¶
RBAC řídí kdo (Subject) může co (Verb) s čím (Resource). Roles pro namespace, ClusterRoles pro celý cluster.
Example¶
# Role — read-only přístup k podům
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: production
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods", "pods/log"]
verbs: ["get", "list", "watch"]
---
# Binding
kind: RoleBinding
metadata:
namespace: production
name: read-pods
subjects:
- kind: User
name: [email protected]
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
Best Practices¶
- Principle of least privilege
- Namespace-scoped Roles kde možné
- Service Account per aplikace
- Pravidelný audit RBAC
Summary¶
RBAC je základ bezpečnosti K8s. Vždy konfigurujte — default service account má příliš mnoho práv.
Need Help with Implementation?¶
Our team has experience designing and implementing modern architectures. We’re happy to help.