Kubernetes security is a multi-layered concern spanning authentication, authorisation, pod-level controls, secrets management, and supply chain security. This lesson covers RBAC, ServiceAccounts, Pod Security Standards, secrets management, and image scanning.
```mermaid
graph TD
  L1["Layer 1: Authentication — Who are you? (certs, tokens, OIDC)"]
  L2["Layer 2: Authorisation (RBAC) — What can you do? (roles, bindings)"]
  L3["Layer 3: Admission Control — Is this request allowed? (webhooks, PSS)"]
  L4["Layer 4: Runtime Security — Is the pod behaving? (seccomp, AppArmor)"]
  L5["Layer 5: Network Security — Who can talk to whom? (NetworkPolicies)"]
  L1 --> L2 --> L3 --> L4 --> L5
```
RBAC controls which subjects (users, groups and ServiceAccounts) can perform which verbs on which resources. It is deny-by-default: anything not explicitly granted by a binding is refused.

| Resource | Scope | Description |
|---|---|---|
| Role | Namespace | Defines permissions on resources within one namespace |
| ClusterRole | Cluster | Defines permissions cluster-wide, including on cluster-scoped resources such as nodes and namespaces |
| RoleBinding | Namespace | Binds a Role (or a ClusterRole) to users, groups or ServiceAccounts; the grant applies only inside the binding's namespace |
| ClusterRoleBinding | Cluster | Binds a ClusterRole to subjects across all namespaces |
```yaml
# Role: read-only access to pods (and their logs), services and deployments
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: production
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list"]
---
# RoleBinding: grant pod-reader to the dev-team group
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-team-pod-reader
  namespace: production
subjects:
  - kind: Group
    name: dev-team
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
Cluster-scoped resources such as namespaces cannot be granted through a namespaced Role; they require a ClusterRole:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-admin
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch", "create", "update"]
  - apiGroups: [""]
    resources: ["resourcequotas", "limitranges"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
```
```bash
# Check if a user can perform an action
# (--as requires the caller to hold impersonate permissions on users/groups/serviceaccounts)
kubectl auth can-i get pods --namespace production --as dev-user

# List all permissions a user has in a namespace
kubectl auth can-i --list --as dev-user --namespace production

# Check ServiceAccount permissions by impersonating its derived username;
# pass the namespace explicitly, otherwise the kubeconfig's current namespace is tested
kubectl auth can-i get pods --namespace production \
  --as system:serviceaccount:production:web-api-sa
```
Every pod runs under a ServiceAccount (the namespace's `default` ServiceAccount unless `serviceAccountName` is set), which gives it an identity for API server access. Its token is mounted into every container by default, so a compromised container inherits whatever RBAC grants that ServiceAccount holds.
```yaml
# Create a dedicated ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: web-api-sa
  namespace: production
# Do not mount the token unless a pod actually needs API access;
# a pod that does can opt in with spec.automountServiceAccountToken: true
automountServiceAccountToken: false
---
# Bind permissions
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: web-api-binding
  namespace: production
subjects:
  - kind: ServiceAccount
    name: web-api-sa
    namespace: production  # ServiceAccount subjects carry no apiGroup
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
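The following is an added example and not part of the lesson: a small offline resolver, written in Python, that mirrors how the API server's RBAC authorizer answers the `kubectl auth can-i` questions above for the manifests in this lesson (the `pod-reader` Role, both RoleBindings and the `namespace-admin` ClusterRole). Two ClusterRoleBindings for assumed `platform` and `ops` groups are constructed for the demo so that cluster-wide grants and the built-in `cluster-admin` wildcard rules are exercised too. It shows how a ServiceAccount subject is matched against the derived username `system:serviceaccount:<ns>:<name>`, that a RoleBinding never reaches outside its own namespace, how `*` and `pods/log`-style subresources match, and includes a small audit helper that flags bindings reaching `*` on `*`.

```python
"""Offline RBAC resolver: answers "can <subject> <verb> <resource> in <namespace>?"
the way kube-apiserver's RBAC authorizer does, over Role/ClusterRole/RoleBinding/
ClusterRoleBinding objects defined below. Constructed data mirroring the lesson's
manifests; the "platform" and "ops" group bindings are assumptions for the demo."""

ROLES = [
    {"kind": "Role", "namespace": "production", "name": "pod-reader", "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log", "services"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "name": "namespace-admin", "rules": [
        {"apiGroups": [""], "resources": ["namespaces"],
         "verbs": ["get", "list", "watch", "create", "update"]},
        {"apiGroups": [""], "resources": ["resourcequotas", "limitranges"],
         "verbs": ["get", "list", "watch", "create", "update", "delete"]}]},
    {"kind": "ClusterRole", "name": "cluster-admin", "rules": [  # the built-in role's rules
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "production", "name": "dev-team-pod-reader",
     "subjects": [{"kind": "Group", "name": "dev-team"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "RoleBinding", "namespace": "production", "name": "web-api-binding",
     "subjects": [{"kind": "ServiceAccount", "name": "web-api-sa", "namespace": "production"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "ClusterRoleBinding", "name": "platform-namespace-admin",  # assumption for the demo
     "subjects": [{"kind": "Group", "name": "platform"}],
     "roleRef": {"kind": "ClusterRole", "name": "namespace-admin"}},
    {"kind": "ClusterRoleBinding", "name": "ops-cluster-admin",  # assumption for the demo
     "subjects": [{"kind": "Group", "name": "ops"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]


def service_account_identity(namespace, name):
    """Username and groups the API server derives from a ServiceAccount token."""
    user = f"system:serviceaccount:{namespace}:{name}"
    groups = ["system:serviceaccounts", f"system:serviceaccounts:{namespace}",
              "system:authenticated"]
    return user, groups


def subject_matches(subject, user, groups):
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == user
    if kind == "Group":
        return subject["name"] in groups
    if kind == "ServiceAccount":  # SA subjects are matched via the derived username
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False


def rule_allows(rule, api_group, resource, subresource, verb):
    """Verb / apiGroup / resource matching, including '*' and '*/<subresource>' wildcards."""
    if "*" not in rule["verbs"] and verb not in rule["verbs"]:
        return False
    if "*" not in rule["apiGroups"] and api_group not in rule["apiGroups"]:
        return False
    res = rule["resources"]
    combined = f"{resource}/{subresource}" if subresource else resource
    return "*" in res or combined in res or (bool(subresource) and f"*/{subresource}" in res)


def find_role(role_ref, binding_namespace):
    """ClusterRoles resolve globally; a Role must live in the binding's own namespace."""
    for r in ROLES:
        if r["kind"] == role_ref["kind"] and r["name"] == role_ref["name"]:
            if r["kind"] == "ClusterRole" or r.get("namespace") == binding_namespace:
                return r
    return None  # dangling roleRef: the binding grants nothing


def can_i(user, groups, verb, resource, namespace="", api_group="", subresource=""):
    """namespace="" denotes a cluster-scoped request (e.g. on namespaces themselves)."""
    for b in BINDINGS:
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue  # a RoleBinding never reaches outside its own namespace
        if b["kind"] == "ClusterRoleBinding" and b["roleRef"]["kind"] != "ClusterRole":
            continue  # the API server rejects such bindings; treat as inert
        if not any(subject_matches(s, user, groups) for s in b["subjects"]):
            continue
        role = find_role(b["roleRef"], b.get("namespace"))
        if role and any(rule_allows(r, api_group, resource, subresource, verb)
                        for r in role["rules"]):
            return True
    return False  # deny-by-default: no matching rule means no access


def wildcard_bindings():
    """Audit helper: names of bindings whose role grants '*' verbs on '*' resources."""
    hits = []
    for b in BINDINGS:
        role = find_role(b["roleRef"], b.get("namespace"))
        if role and any("*" in r["verbs"] and "*" in r["resources"] for r in role["rules"]):
            hits.append(b["name"])
    return hits


if __name__ == "__main__":
    dev = ("dev-user", ["dev-team", "system:authenticated"])
    sa = service_account_identity("production", "web-api-sa")
    print("dev-user get pods/log in production:", can_i(*dev, "get", "pods", "production", subresource="log"))
    print("dev-user get pods in staging:", can_i(*dev, "get", "pods", "staging"))
    print("web-api-sa list secrets in production:", can_i(*sa, "list", "secrets", "production"))
    print("bindings reaching '*' on '*':", wildcard_bindings())
```

The resolver deliberately has no notion of "deny" rules because RBAC has none: the only way to take a permission away is to remove the binding or narrow the role, which is why auditing for wildcard grants and for ServiceAccounts bound to broad ClusterRoles is a routine check.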