RBAC Implementation
Resources from Video Description
- GitHub Repository - Starter code for the tutorial
- Kube RBAC Proxy Image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.0
- Kube RBAC Proxy Configuration Example
- Cluster Role Binding Example
- Cluster Role Example
Key Takeaways
Multi-layered Security: RBAC implementation requires securing both the client accessing your API and the proxy validating those requests. The client needs a service account with appropriate permissions, while the kube-rbac-proxy itself needs permissions to validate tokens against the Kubernetes API.
Service Account Authentication: Service accounts act as identity badges within Kubernetes. Clients authenticate with tokens extracted from service account secrets, and the kube-rbac-proxy validates each request by creating a TokenReview (to establish who the caller is) and then a SubjectAccessReview (to check whether that caller may make the request) against the Kubernetes API.
Principle of Least Privilege: Instead of granting cluster-admin access to everything, create custom cluster roles with only the specific permissions needed. For APIs, use non-resource URLs with appropriate HTTP verbs (GET, POST) rather than broad Kubernetes resource permissions.
Token Extraction and Usage: The token stored in a service account secret is base64-encoded; read it with kubectl get secret -o jsonpath, base64-decode it, and pass the result in an Authorization: Bearer header on API requests.
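The pieces above (client role with non-resource URLs, proxy role for TokenReview/SubjectAccessReview, bindings, token extraction) put together as an added shell example; this is not the tutorial's starter code, and the namespace, service account, secret and API path names are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not the tutorial's starter code. Assumed: namespace "demo", client SA "api-client", proxy SA "kube-rbac-proxy", token secret "api-client-token".
set -eu

# Client ClusterRole: only the API paths it needs, as non-resource URLs; HTTP GET/POST map to the lowercase verbs get/post.
client_clusterrole() {
cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: api-client}
rules:
- nonResourceURLs: ["/api/v1/items", "/api/v1/items/*"]
  verbs: ["get", "post"]
EOF
}

# Proxy ClusterRole: just enough to validate tokens (TokenReview) and ask the API server whether the caller may make the request (SubjectAccessReview).
proxy_clusterrole() {
cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: kube-rbac-proxy}
rules:
- {apiGroups: ["authentication.k8s.io"], resources: ["tokenreviews"], verbs: ["create"]}
- {apiGroups: ["authorization.k8s.io"], resources: ["subjectaccessreviews"], verbs: ["create"]}
EOF
}

# ClusterRoleBinding: $1 = ClusterRole name, $2 = namespace, $3 = service account name.
bind_role() {
cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: $1-$3}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: $1}
subjects: [{kind: ServiceAccount, name: $3, namespace: $2}]
EOF
}

# Secret .data.token is base64-encoded; decode it before using it as a bearer token.
decode_token() { printf '%s' "$1" | base64 -d; }

# Apply everything and call the API through the proxy ($1 = proxy base URL). Needs a cluster and kubectl.
deploy_and_call() {
  { client_clusterrole; echo ---; proxy_clusterrole; echo ---; bind_role api-client demo api-client; echo ---
    bind_role kube-rbac-proxy demo kube-rbac-proxy; } | kubectl apply -f -
  tok=$(decode_token "$(kubectl -n demo get secret api-client-token -o jsonpath='{.data.token}')")
  curl -sS -H "Authorization: Bearer $tok" "$1/api/v1/items"
}
```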