Kubernetes security is a multi-layered concern spanning authentication, authorisation, pod-level controls, secrets management, and supply chain security. This lesson covers RBAC, ServiceAccounts, PodSecurityStandards, secrets management, and image scanning.
```
┌──────────────────────────────────────────────┐
│ Layer 1: Authentication                      │
│ "Who are you?" (certs, tokens, OIDC)         │
├──────────────────────────────────────────────┤
│ Layer 2: Authorisation (RBAC)                │
│ "What can you do?" (roles, bindings)         │
├──────────────────────────────────────────────┤
│ Layer 3: Admission Control                   │
│ "Is this request allowed?" (webhooks, PSS)   │
├──────────────────────────────────────────────┤
│ Layer 4: Runtime Security                    │
│ "Is the pod behaving?" (seccomp, AppArmor)   │
├──────────────────────────────────────────────┤
│ Layer 5: Network Security                    │
│ "Who can talk to whom?" (NetworkPolicies)    │
└──────────────────────────────────────────────┘
```
RBAC controls who can perform which actions on which resources.
| Resource | Scope | Description |
|---|---|---|
| Role | Namespace | Defines permissions within a namespace |
| ClusterRole | Cluster | Defines permissions cluster-wide |
| RoleBinding | Namespace | Binds a Role (or a ClusterRole) to users, groups or ServiceAccounts within one namespace |
| ClusterRoleBinding | Cluster | Binds a ClusterRole cluster-wide |
```yaml
# Role: read-only access to pods and services
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: production
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list"]
---
# RoleBinding: grant pod-reader to the dev-team group
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-team-pod-reader
  namespace: production
subjects:
  - kind: Group
    name: dev-team
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
A ClusterRole uses the same rule structure but is not namespaced, so it can grant access to cluster-scoped resources such as namespaces themselves:

```yaml
# ClusterRole: manage namespaces and their quotas
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-admin
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch", "create", "update"]
  - apiGroups: [""]
    resources: ["resourcequotas", "limitranges"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
```
```bash
# Check if a user can perform an action
kubectl auth can-i get pods --namespace production --as dev-user

# List every permission a user has in a namespace
kubectl auth can-i --list --as dev-user --namespace production

# Check ServiceAccount permissions (SAs authenticate as system:serviceaccount:<namespace>:<name>)
kubectl auth can-i get pods --as system:serviceaccount:production:web-api-sa
```
Every pod runs under a ServiceAccount, which provides its identity for API server access; a pod that does not name one is assigned the namespace's `default` ServiceAccount, so workloads that need API access should get a dedicated account with only the permissions they require.
```yaml
# Create a dedicated ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: web-api-sa
  namespace: production
automountServiceAccountToken: false # Pods using this SA get no token unless their spec opts in
---
# Bind permissions
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: web-api-binding
  namespace: production
subjects:
  - kind: ServiceAccount
    name: web-api-sa
    namespace: production
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
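As an added illustration that is not part of the lesson, the following Python models the evaluation the API server performs when answering the `kubectl auth can-i` queries above, with the pod-reader Role and its two RoleBindings constructed as dicts. It is a deliberately simplified model (namespaced Roles and RoleBindings only, no ClusterRoleBindings or implicit ServiceAccount groups), not the real authorizer.

```python
# Added example, not from the lesson: a simplified model of RBAC evaluation so the
# `kubectl auth can-i` queries above can be reasoned about offline. It ignores
# ClusterRoleBindings, aggregated roles and the implicit system:serviceaccounts groups.
# Manifests below are constructed from the lesson's YAML, as plain dicts.
POD_READER = {
    "metadata": {"name": "pod-reader", "namespace": "production"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log", "services"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]},
    ],
}
ROLES = {("production", "pod-reader"): POD_READER}
BINDINGS = [
    {"metadata": {"namespace": "production"},
     "subjects": [{"kind": "Group", "name": "dev-team"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"metadata": {"namespace": "production"},
     "subjects": [{"kind": "ServiceAccount", "name": "web-api-sa", "namespace": "production"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
]

def rule_allows(rule, api_group, resource, verb):
    """A rule matches only if group, resource and verb are each listed (or '*')."""
    def listed(items, value):  # subresources are distinct: 'pods' does not cover 'pods/log'
        return "*" in items or value in items
    return (listed(rule["apiGroups"], api_group)
            and listed(rule["resources"], resource)
            and listed(rule["verbs"], verb))

def subject_matches(subject, user, groups):
    """ServiceAccounts authenticate as system:serviceaccount:<namespace>:<name>."""
    if subject["kind"] == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return subject["kind"] == "User" and subject["name"] == user

def can_i(user, groups, verb, resource, namespace, api_group=""):
    """Offline analogue of `kubectl auth can-i VERB RESOURCE -n NS --as USER`."""
    for binding in BINDINGS:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding grants nothing outside its own namespace
        if not any(subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        role = ROLES.get((namespace, binding["roleRef"]["name"]))
        if role and any(rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False  # RBAC is deny-by-default: no matching rule means no access
```

Running `can_i("dev-user", ["dev-team"], "delete", "pods", "production")` returns `False` because no rule lists `delete`, while the ServiceAccount identity `system:serviceaccount:production:web-api-sa` is allowed `get` on `pods/log` but not on `secrets`.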