Kubernetes is an open-source cluster management system with many applications in the world of business and commerce. Kubernetes was first developed by Google in 2014 and was heavily influenced by Google’s Borg cluster management system. Currently, it is developed and maintained by the Cloud Native Computing Foundation.
The main benefit that Kubernetes lends to businesses is enhanced scalability. Depending on the load that your business is facing, you can scale the infrastructure up and down. This kind of scalability is beneficial, and it can also save you a fortune. Kubernetes is the future of cluster management.
According to a 2020 report by the CNCF, 78% of all companies running containers have fully or partly deployed Kubernetes in their infrastructure. By going through the tips listed in this article, you will be able to start configuring k8s network policies and pod security policies on your own.
How to Configure RBAC in your Kubernetes Cluster
In this section of the guide, you’ll learn how to configure RBAC in your Kubernetes cluster. RBAC authorization in Kubernetes allows you to configure who has access to what in a cluster. It enables you to restrict users from accessing the kube-system namespace, which contains all the control plane pods.
Before getting all technical, you should be aware of two elements – Roles and ClusterRoles. The former describes rules that apply within a single namespace, while the latter describes rules that apply across the whole cluster.
Use Case – Creating a Cluster User with Limited Namespace Access
In this example, you’ll learn how to create a user with limited namespace access by carrying out the following steps:
Step 1: Execute the kubectl create namespace command in the CLI to create a namespace. To make sure this happens without any glitches, run the command with cluster-admin credentials.
Step 2: Next, you have to create the user credentials and grant access based on their roles. Since Kubernetes has no API object for normal user accounts, you will need to create client certificates with OpenSSL. You first need to create a private key for your user.
Step 3: With the private key you created for the user, you have to generate a certificate signing request via the CLI. The command has a -subj section where you specify the username and group (the CN and O fields of the subject). Next, you need to locate your Kubernetes cluster’s certificate authority (CA), which will sign the request.
Step 4: Once you receive the signed certificate, you have a cluster user to whom role-based access can be granted. The certificate that you issued is going to have a validity of 500 days. Next, you need to create a role, bind it to the user, and test the RBAC.
Step 5: The final step is to create a role using the kubectl create role command. Then you can bind that role to the particular user with kubectl create rolebinding, which ties the role to the user name from the certificate.
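The same result as Steps 1 and 5, expressed as manifests, as an added example that is not part of the original post. The namespace demo-ns, user demo-user (the CN of the CSR) and group demo-group (its O field) are assumed names.

```yaml
# Added example (not from the original post): Role + RoleBinding for the
# limited-access user. Assumed names: namespace "demo-ns", user "demo-user"
# (the CSR's CN) and group "demo-group" (the CSR's O field).
apiVersion: v1
kind: Namespace
metadata:
  name: demo-ns
---
# A Role is namespaced: these rules grant nothing outside demo-ns, so the
# user cannot list or read pods in kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: demo-ns
rules:
  - apiGroups: [""]          # "" is the core API group
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
# The subject name must match the certificate's CN exactly; Kubernetes has
# no User object to look it up against, the string in the cert is the user.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: demo-ns
subjects:
  - kind: User
    name: demo-user
    apiGroup: rbac.authorization.k8s.io
  # To bind everyone in the certificate's O field instead, use a Group:
  # - kind: Group
  #   name: demo-group
  #   apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

To test the RBAC without switching kubeconfig contexts, `kubectl auth can-i list pods --namespace demo-ns --as demo-user` should answer yes, while the same query with `--namespace kube-system` should answer no.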
How to Configure Kubernetes Network Policies
In this section, you’ll learn how to go about configuring k8s network policies and pod security policies. The Kubernetes NetworkPolicy API is the best way for you to handle the task. You can apply these policies using cluster playgrounds like Minikube, Katacoda, and more.
Step 1: First, you have to create an NGINX deployment. NGINX is a web server that is commonly used as a reverse proxy. Use the kubectl create deployment command to declare an NGINX deployment. Then, expose the deployment you have created as a Service.
Step 2: Next, you have to test whether the service is working by reaching it from another pod. If the service is working, it will be accessible from other pods. Start a BusyBox pod and run this command inside it: wget --spider --timeout=1 nginx
Step 3: Once the service is up and running, you have to limit access to it. You have to assign a condition so that only pods with an access: true label can reach it. To do this, you have to create a NetworkPolicy object (its name must be a valid DNS subdomain name).
Step 4: The last step of the configuration process is applying the policy. Using the kubectl create command, the policy file is applied and takes effect on the pods behind the NGINX service. After doing this, it is also good to check that the access control is functional.
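The NetworkPolicy from Step 3, as an added example that is not part of the original post. It assumes the deployment was named nginx (so its pods carry the app=nginx label that kubectl create deployment adds) and lives in the default namespace.

```yaml
# Added example (not from the original post): allow ingress to the NGINX
# pods only from pods labelled access=true. Assumes the deployment is named
# "nginx" in the "default" namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx       # object names must be valid DNS subdomain names
  namespace: default
spec:
  # Which pods the policy protects: the NGINX pods behind the Service.
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
    - Ingress
  # As soon as any Ingress policy selects these pods, every inbound
  # connection not matched by a rule below is dropped.
  ingress:
    - from:
        - podSelector:
            matchLabels:
              access: "true"   # label values are strings, so quote "true"
      ports:
        - protocol: TCP
          port: 80
```

To check it, `kubectl run busybox --rm -ti --image=busybox -- /bin/sh` followed by the wget from Step 2 should now time out, while the same pod started with `--labels="access=true"` should connect. NetworkPolicy is enforced by the CNI plugin, not by Kubernetes itself: on a cluster whose plugin does not support it, the object is accepted but has no effect.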
How to Configure Runtime Privileges
This final section of this guide will show you the best way to configure container runtime privileges. In the Kubernetes framework, a container always runs inside a pod. The runtime policy of each pod can be enforced through the pod specification’s security context, PodSecurityPolicy (PSP), Open Policy Agent Gatekeeper, etc.
The best way to take care of container runtime privileges is by configuring a security context for the pod and the containers it carries. Through it you can apply Discretionary Access Control (the user and group the process runs as), AppArmor, seccomp, Linux capabilities, Security-Enhanced Linux, and more. Setting the security context is also what makes a pod satisfy the pod security policies that apply to it.
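A pod manifest that applies each of the controls just listed, as an added example that is not part of the original post. The pod name, the unprivileged NGINX image and the UID 10001 are assumptions.

```yaml
# Added example (not from the original post): a Pod whose security context
# applies DAC, AppArmor, seccomp, capabilities and an optional SELinux label.
# The image and the UID/GID values are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-nginx
  annotations:
    # AppArmor: confine the "web" container with the runtime's default profile
    container.apparmor.security.beta.kubernetes.io/web: runtime/default
spec:
  # Pod-level settings apply to every container unless a container overrides them.
  securityContext:
    runAsNonRoot: true       # kubelet refuses to start the container as UID 0
    runAsUser: 10001         # Discretionary Access Control: unprivileged UID/GID
    runAsGroup: 10001
    fsGroup: 10001           # volumes are group-writable by this GID
    seccompProfile:
      type: RuntimeDefault   # seccomp: block syscalls the runtime considers unsafe
    # seLinuxOptions:        # SELinux label, on nodes that enforce it
    #   level: "s0:c123,c456"
  containers:
    - name: web
      image: nginxinc/nginx-unprivileged:stable   # listens on 8080, runs as non-root
      ports:
        - containerPort: 8080
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false   # setuid binaries cannot gain privilege
        readOnlyRootFilesystem: true      # writes are confined to the volume below
        capabilities:
          drop: ["ALL"]                   # Linux capabilities: start from none
      volumeMounts:
        - name: tmp
          mountPath: /tmp                 # the unprivileged image keeps pid and cache here
  volumes:
    - name: tmp
      emptyDir: {}
```

PodSecurityPolicy was removed in Kubernetes v1.25; the same constraints are now checked by the built-in Pod Security Admission controller, and this pod passes its restricted profile.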
After the configuration process, you need to clean up after yourself. The best way to do this is to use the kubectl delete command to clear up all of the demo files created during the runtime privileges assignment. Once this is over, your work is complete!
Final Thoughts
It is important to remember that the word “Kubernetes” comes from the Greek word for “helmsman”. Kubernetes essentially does just that. It acts as a helmsman and a navigator for your cluster and keeps the system running smoothly.
With the help of this guide, you can now configure RBAC in your Kubernetes cluster, configure Kubernetes network policies and harden container runtime privileges. Kubernetes is a powerful tool that will enable your organization to work efficiently and safely. Have it installed ASAP and reap all of the benefits.
If you enjoyed this post, do read our posts on how to detect runtime threats in Kubernetes and how to secure your Kubernetes control plane and node components. You could also head over to the ebooks section of our website and access free ebooks on Kubernetes best practices, usage and management. And finally, if you’d like to set up real observability and monitoring for your Kubernetes clusters, with unmatched log data unification and analysis capabilities and full control over data retention limits (#NoStorageTax), sign up for a free trial of Apica today!