Elevation of Privilege

Privilege escalation is gaining higher access than what is granted. The aim is to cause damage or gain unauthorized access.

Let’s look at a few ways to prevent this in a Kubernetes environment.

Protecting the API server

Kubernetes offers several authorization modes that help safeguard access to the API server. These include:

• Role-based Access Control (RBAC)

• Webhook

• Node

We should run multiple authorizers at the same time. For example, it’s common to use the RBAC and node authorizers.

RBAC mode lets us restrict API operations to sub-sets of users. These users can be regular user accounts or system services. The idea is that all requests to the API server must be authenticated and authorized. Authentication ensures that requests come from a validated user, whereas authorization ensures the validated user can perform the requested operation. For example, can Mia create Pods? In this example, Mia is the user, create is the operation, and Pods is the resource. Authentication makes sure that it really is Mia making the request, and authorization determines if she’s allowed to create Pods.

Webhook mode lets us offload authorization to an external REST-based policy engine. However, it requires additional effort to build and maintain the external engine. It also makes the external engine a potential single point of failure for every request to the API server. For example, if the external webhook system becomes unavailable, we may be unable to make any requests to the API server. With this in mind, we should be rigorous in vetting and implementing any webhook authorization service.

Node authorization is all about authorizing API requests made by kubelets (Nodes). The types of requests made to the API server by kubelets are obviously different from those generally made by regular users, and the node authorizer is designed to help with this.