
šŸ¦ RBAC to the Future: Untangling Authorization in Kubernetes

2023-04-19

Authors: Jimmy Mesta


Summary

The presentation discusses the role of role-based access control (RBAC) in Kubernetes and the security risks created by overly permissive RBAC configurations. It argues for fine-grained, least-privilege policies for both humans and workloads.
  • Kubernetes RBAC binds subjects (users, groups, and service accounts) to sets of verbs on API resources: Roles and ClusterRoles define the allowed verb/resource combinations, and RoleBindings and ClusterRoleBindings attach them to subjects
  • Fine-grained rules are necessary to limit what service accounts and humans can do; broad wildcard rules (`*` verbs or resources) defeat the model
  • Least privilege means granting only the verbs and resources a subject actually needs, scoped to a namespace where possible
  • API server audit logs record which subject performed which verb on which resource, and can be mined to craft policies that grant only what is used
  • The `escalate`, `impersonate`, and `bind` verbs are dangerous because they let a subject obtain or grant more privilege than it holds; grants of these verbs should be monitored
  • Permission to create persistent volumes (for example, ones backed by `hostPath`) can be used to mount the node's filesystem, break out of the container context, and access the underlying host
The speaker presents a case study of AWS EKS's authentication and authorization flow, which layers IAM identities onto Kubernetes RBAC and must be deconstructed step by step to understand fully. This illustrates why understanding the whole RBAC ecosystem, not just individual Roles, is necessary to reason about its security risks.
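The two checks summarized above, flagging escalation-prone RBAC rules and deriving a least-privilege rule set from audit-log events, are shown here as an added example. This code is not from the talk or from any project it describes; the ClusterRole, the service-account name `system:serviceaccount:payments:api`, and the audit events are constructed for illustration, and the list of risky resource/verb pairs is the author's own starting point, not an exhaustive one.

```python
"""RBAC hygiene checks (constructed example, not part of the original talk).

1. find_dangerous_rules: flag wildcard rules, the escalate/impersonate/bind verbs,
   and resource/verb pairs that commonly lead to node or cluster takeover.
2. derive_least_privilege_rules: build the minimal Role rules a subject needs
   from the API calls it actually made successfully, as seen in audit logs.
"""
import json
from collections import defaultdict

# Verbs the talk calls out: each lets a subject grant or obtain privilege it does not hold.
DANGEROUS_VERBS = {"escalate", "impersonate", "bind"}

# Assumed (non-exhaustive) resource/verb pairs that enable host or cluster compromise,
# e.g. creating pods or PVs that mount hostPath, reading secrets, or minting bindings.
RISKY_PAIRS = {
    ("pods", "create"), ("pods/exec", "create"), ("persistentvolumes", "create"),
    ("secrets", "get"), ("secrets", "list"),
    ("rolebindings", "create"), ("clusterrolebindings", "create"),
}


def find_dangerous_rules(role):
    """Return (reason, rule) findings for a Role/ClusterRole given as a dict."""
    findings = []
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        groups = set(rule.get("apiGroups", []))
        # A wildcard anywhere implies every dangerous verb/resource below.
        if "*" in verbs or "*" in resources or "*" in groups:
            findings.append(("wildcard", rule))
        for verb in sorted(verbs & DANGEROUS_VERBS):
            findings.append((f"verb:{verb}", rule))
        for resource in sorted(resources):
            for verb in sorted(verbs):
                if (resource, verb) in RISKY_PAIRS:
                    findings.append((f"risky:{resource}/{verb}", rule))
    return findings


def derive_least_privilege_rules(audit_lines, username):
    """Build minimal Role rules from audit events (audit.k8s.io/v1 JSON lines)."""
    needed = defaultdict(set)  # (apiGroup, resource[/subresource]) -> verbs
    for line in audit_lines:
        event = json.loads(line)
        if event.get("user", {}).get("username") != username:
            continue
        # Denied or failed requests prove nothing about what the subject needs.
        if event.get("responseStatus", {}).get("code", 500) >= 400:
            continue
        ref = event.get("objectRef")
        if not ref or "resource" not in ref:
            continue  # non-resource URLs such as /healthz are out of scope here
        resource = ref["resource"]
        if ref.get("subresource"):
            resource += "/" + ref["subresource"]
        # Core-group requests omit apiGroup in audit output; RBAC spells it "".
        needed[(ref.get("apiGroup", ""), resource)].add(event["verb"])
    return [
        {"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}
        for (group, resource), verbs in sorted(needed.items())
    ]


# Constructed: an overly permissive ClusterRole of the kind the talk warns about.
OVERLY_PERMISSIVE = {
    "kind": "ClusterRole",
    "metadata": {"name": "payments-api"},
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
         "verbs": ["bind"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "get"]},
    ],
}

# Constructed audit events: what the payments API service account actually did.
SUBJECT = "system:serviceaccount:payments:api"
AUDIT_LINES = [json.dumps(e) for e in [
    {"user": {"username": SUBJECT}, "verb": "get",
     "objectRef": {"resource": "pods", "namespace": "payments"}, "responseStatus": {"code": 200}},
    {"user": {"username": SUBJECT}, "verb": "list",
     "objectRef": {"resource": "pods", "namespace": "payments"}, "responseStatus": {"code": 200}},
    {"user": {"username": SUBJECT}, "verb": "get",
     "objectRef": {"resource": "configmaps", "namespace": "payments"}, "responseStatus": {"code": 200}},
    {"user": {"username": SUBJECT}, "verb": "get",
     "objectRef": {"resource": "deployments", "apiGroup": "apps", "namespace": "payments"},
     "responseStatus": {"code": 200}},
    {"user": {"username": SUBJECT}, "verb": "create",   # denied: must not become a grant
     "objectRef": {"resource": "secrets", "namespace": "payments"}, "responseStatus": {"code": 403}},
    {"user": {"username": "alice"}, "verb": "delete",   # different subject
     "objectRef": {"resource": "pods", "namespace": "payments"}, "responseStatus": {"code": 200}},
    {"user": {"username": SUBJECT}, "verb": "get",      # non-resource URL
     "requestURI": "/healthz", "responseStatus": {"code": 200}},
]]

if __name__ == "__main__":
    for reason, rule in find_dangerous_rules(OVERLY_PERMISSIVE):
        print("FINDING", reason, json.dumps(rule))
    print("derived rules:", json.dumps(derive_least_privilege_rules(AUDIT_LINES, SUBJECT)))
```

The derived rules are namespace-scoped by construction (every event carries a namespace), so they belong in a Role plus RoleBinding rather than a ClusterRole; running `find_dangerous_rules` over the derived output is a cheap regression check that the tightened policy did not keep any of the flagged grants.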

Abstract

Role-based access control (RBAC) is an unavoidable part of the Kubernetes developer experience. Whether it is engineers managing cluster resources via kubectl or internal service accounts interacting with the Kubernetes API directly, development teams need to understand how to build and distribute effective, least-privilege RBAC policies. This session first goes back in time to help attendees understand exactly how RBAC works under the hood and explores some lesser-known RBAC gotchas. It then covers the essential pillars of designing an effective RBAC strategy for the enterprise, including automation and observability opportunities. After this session, attendees can expect a better understanding of how to build and monitor least-privilege RBAC configurations within Kubernetes.
