Additional Security Measures Beyond RBAC for Kubectl Commands

To secure the use of kubectl and prevent unauthorized access or misuse, follow these best practices:

Define Clear Permissions with RBAC:

Use RBAC to assign specific permissions to users based on the principle of least privilege. Ensure that roles are carefully scoped to limit access to critical resources and sensitive commands. For example, a read-only Role for pods in one namespace, bound to a single user:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
  - apiGroups: [""]          # "" is the core API group, which holds pods
    resources: ["pods"]
    verbs: ["get", "watch", "list"]   # read-only: no create, update, patch or delete
---
# A separate YAML document (note the --- separator) binds the Role to the user.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
  - kind: User
    name: kubeops
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Monitor and Log Kubectl Command Usage:

Implement monitoring and logging of kubectl command usage to track who is executing commands and when. Every kubectl command is an API server request, so the API server audit log is where this activity is recorded; an audit Policy like the one below selects which requests are logged. Monitor critical commands, such as those that create, update, patch, or delete sensitive resources like secrets and ConfigMaps. Set up alerts for suspicious or unauthorized activity.

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Log request metadata (user, verb, resource, timestamp) for writes to Secrets and ConfigMaps.
  # Rules are evaluated in order and the first match wins; a request matching no rule is not logged.
  - level: Metadata
    # Only requests from this identity match this rule; omit `users` to record every caller.
    users: ["system:serviceaccount:kube-system:default"]
    verbs: ["create", "update", "patch", "delete"]
    # In audit.k8s.io/v1, resources is a list of API-group selectors, not bare resource names;
    # "" is the core API group, which holds Secrets and ConfigMaps.
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
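As an added example (not part of the original page), the following Python script applies the monitoring rule above to audit-log output: it reads audit.k8s.io/v1 events as JSON lines and flags create/update/patch/delete on Secrets and ConfigMaps issued through kubectl, including attempts that RBAC denied. The sample events are constructed, and the verb and resource sets mirror the policy above.

```python
# Detection pass over Kubernetes audit events (JSON lines) for kubectl writes to Secrets/ConfigMaps.
import json

SENSITIVE_RESOURCES = {"secrets", "configmaps"}
WRITE_VERBS = {"create", "update", "patch", "delete"}

# Constructed sample events in the audit.k8s.io/v1 Event shape; not taken from a real cluster.
SAMPLE_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","verb":"get","user":{"username":"kubeops"},"userAgent":"kubectl/v1.30.0","objectRef":{"resource":"pods","namespace":"default","name":"web-0"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-05-01T10:00:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"RequestReceived","verb":"delete","user":{"username":"kubeops"},"userAgent":"kubectl/v1.30.0","objectRef":{"resource":"secrets","namespace":"default","name":"db-creds"},"requestReceivedTimestamp":"2024-05-01T10:01:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","verb":"delete","user":{"username":"kubeops"},"userAgent":"kubectl/v1.30.0","objectRef":{"resource":"secrets","namespace":"default","name":"db-creds"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2024-05-01T10:01:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","verb":"patch","user":{"username":"alice"},"userAgent":"kubectl/v1.30.0","objectRef":{"resource":"configmaps","namespace":"prod","name":"app-config"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-05-01T10:02:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a4","stage":"ResponseComplete","verb":"update","user":{"username":"system:serviceaccount:kube-system:default"},"userAgent":"kube-controller-manager/v1.30.0","objectRef":{"resource":"configmaps","namespace":"kube-system","name":"coredns"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-05-01T10:03:00Z"}
"""

def parse_events(lines) -> list:
    """Keep only ResponseComplete events: each request is logged once per stage, and this
    stage carries the outcome, so using it alone avoids counting one request twice."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or malformed lines instead of aborting the scan
        if isinstance(ev, dict) and ev.get("kind") == "Event" and ev.get("stage") == "ResponseComplete":
            events.append(ev)
    return events

def sensitive_writes(events: list, only_kubectl: bool = True) -> list:
    """Flag create/update/patch/delete on Secrets or ConfigMaps, including attempts RBAC denied."""
    findings = []
    for ev in events:
        ref = ev.get("objectRef") or {}
        if ev.get("verb") not in WRITE_VERBS or ref.get("resource") not in SENSITIVE_RESOURCES:
            continue
        if only_kubectl and not ev.get("userAgent", "").startswith("kubectl/"):
            continue  # controllers also write ConfigMaps; restrict to kubectl when that is the question
        code = (ev.get("responseStatus") or {}).get("code", 0)
        findings.append({
            "time": ev.get("requestReceivedTimestamp"),
            "user": (ev.get("user") or {}).get("username", "<unknown>"),
            "verb": ev["verb"],
            "target": f"{ref.get('namespace', '')}/{ref['resource']}/{ref.get('name', '')}",
            "outcome": "denied" if code in (401, 403) else "allowed",  # 403 = attempt blocked by RBAC
        })
    return findings

if __name__ == "__main__":
    for f in sensitive_writes(parse_events(SAMPLE_LOG.splitlines())):
        print(f"{f['time']} {f['outcome']:7} {f['user']} {f['verb']} {f['target']}")
```

Denied attempts are reported alongside successful writes because a 403 on a Secret is itself a signal that someone tried to exceed their role.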