Minimal (write) ABAC Policy for Kubernetes

11/11/2016

I am using Kubernetes 1.4.5 and installed an HA cluster from scratch (with each component installed on the system instead of in containers).

In order to enhance security, each component has a single certificate to connect to the apiserver(s). To define the permissions, I use the ABAC plugin. I do not bother with the read permissions but want to ensure that the write permissions are only enabled for the modules which are in charge of "something".

I did not find any documentation about which component needs at least which permissions. I started configuring, looked for errors and started over.

I started with the TLS tutorial from Kelsey Hightower and "failed forward".

This is what I have so far:

{"user":"system:logging"}
{"user":"system:monitoring"}
{"user":"system:serviceaccount:default:default"}
{"user":"system:serviceaccount:kube-system:default"}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"nagios", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*", "readonly": true }}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "nodes"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "pods"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "events"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"proxy", "apiGroup": "*", "namespace": "*", "resource": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"proxy", "apiGroup": "*", "namespace": "*", "resource": "events"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "apiGroup": "*", "namespace": "*", "resource": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "apiGroup": "*", "namespace": "*", "resource": "endpoints"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "apiGroup": "*", "namespace": "*", "resource": "bindings"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "apiGroup": "*", "namespace": "*", "resource": "events"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "*","nonResourcePath": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "events"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "endpoints"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "deployments"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "serviceaccounts"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "secrets"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "replicasets"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "pods"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "replicationcontrollers"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "persistentvolumes"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "persistentvolumeclaims"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "statefulsets"}}

Does anyone know if I am missing something?

[UPDATE] I found that only defining the spec was not OK, as the controller manager got into trouble. So I updated the config with the full lines.

-- Hotstepper13
abac
kubernetes
policy

0 Answers
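Added example (not code from the post or from the Kubernetes project): a small audit script that parses a policy file like the one above and reports what each user is allowed to write, so a "write permissions only where needed" policy can be checked rather than eyeballed. The matching rules mirror the Kubernetes 1.4 ABAC authorizer as I read it (a policy applies only to its subject, every matching policy allows read requests, only a policy without "readonly": true allows writes, and namespace/resource/apiGroup match on "*" or an exact string). Lines without apiVersion/kind are treated the way the apiserver's legacy v0 conversion treats them: unset namespace and resource become "*", and apiGroup and nonResourcePath are always "*". That conversion is an assumption taken from the apiserver source, so verify it against your version; under it, the four bare `{"user": ...}` lines at the top of the posted file (including the two default service accounts) expand to unrestricted write access, which is the kind of thing this script surfaces. SAMPLE_POLICY is a constructed five-line excerpt of the posted file; point `load_policies` at your real file to audit it.

```python
"""Audit a Kubernetes ABAC policy file: what does each user get to WRITE?

Added example, not code from the post.  Matching mirrors the Kubernetes 1.4
ABAC authorizer; legacy (v0) handling is assumed from the apiserver's v0
conversion and should be verified against your version's source.
"""
import json
from collections import defaultdict

# Constructed excerpt of the posted file: two legacy lines, three v1beta1 lines.
SAMPLE_POLICY = """\
{"user":"system:logging"}
{"user":"system:serviceaccount:default:default"}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "nodes"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "apiGroup": "*", "namespace": "*", "resource": "bindings"}}
"""

FIELDS = ("user", "group", "namespace", "resource", "apiGroup", "nonResourcePath")


def normalize(obj):
    """Return (spec, is_legacy) with every field present and legacy lines expanded."""
    legacy = "apiVersion" not in obj and "kind" not in obj
    spec = dict(obj) if legacy else dict(obj.get("spec", {}))
    for key in FIELDS:
        spec.setdefault(key, "")   # v1beta1: unset means "" (core group / no namespace)
    spec["readonly"] = bool(spec.get("readonly", False))
    if legacy:
        # Assumed v0 conversion: unset namespace/resource mean "all"; v0 had no
        # apiGroup or nonResourcePath field and the conversion sets both to "*".
        spec["namespace"] = spec["namespace"] or "*"
        spec["resource"] = spec["resource"] or "*"
        spec["apiGroup"] = "*"
        spec["nonResourcePath"] = "*"
    return spec, legacy


def load_policies(text):
    """One JSON object per line; blank lines and '#' comment lines are skipped."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            policies.append(normalize(json.loads(line)))
    return policies


def subject_matches(spec, user, groups):
    """A policy with neither user nor group matches nobody."""
    matched = False
    if spec["user"]:
        if spec["user"] != "*" and spec["user"] != user:
            return False
        matched = True
    if spec["group"]:
        if spec["group"] != "*" and spec["group"] not in groups:
            return False
        matched = True
    return matched


def allowed(policies, user, resource, namespace="", api_group="",
            readonly=False, groups=()):
    """Would the apiserver authorize this resource request? Any matching policy allows."""
    for spec, _ in policies:
        if not subject_matches(spec, user, groups):
            continue
        if not readonly and spec["readonly"]:
            continue  # a readonly policy never authorizes a write
        if (spec["namespace"] in ("*", namespace)
                and spec["resource"] in ("*", resource)
                and spec["apiGroup"] in ("*", api_group)):
            return True
    return False


def write_grants(policies):
    """Map user -> sorted 'namespace/resource' patterns that user may write."""
    grants = defaultdict(set)
    for spec, _ in policies:
        if not spec["readonly"] and spec["user"]:
            grants[spec["user"]].add(f'{spec["namespace"]}/{spec["resource"]}')
    return {user: sorted(pats) for user, pats in grants.items()}


def legacy_users(policies):
    """Users granted by bare v0 lines, i.e. unrestricted access after conversion."""
    return sorted(spec["user"] for spec, legacy in policies if legacy)


if __name__ == "__main__":
    pols = load_policies(SAMPLE_POLICY)
    for user, pats in write_grants(pols).items():
        print(f"{user:45s} writes: {', '.join(pats)}")
    print("legacy (unrestricted) lines for:", legacy_users(pols))
```

The report is only as good as the matching semantics, and ABAC has no deny rules, so a single wildcard line anywhere in the file wins regardless of how tight the other lines are; that is why the legacy lines are listed separately.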