Fine-Grained Permissions in Kubernetes: What’s Missing, and How to Fix That - Vallery Lancey, Lyft & Seth McCombs, Triller

less than 1 minute read

Abstract

In this talk, we will walk through a number of common scenarios where Kubernetes lacks sufficient access control tools, or where access control is often not properly applied. For example, it is common for a team to own a subset of services in a namespace, yet RBAC permissions grant that team access to other pods within the namespace. We will demonstrate a number of solutions available for specific problems, such as pod network policies, the open policy agent, custom controllers that gate API functionality. We will also discuss problems with the namespace permission model, and possible alternatives. Namespaces create an arbitrary boundary around resources, which creates the need to then bridge those boundaries. We will demonstrate ideas for bridging namespace networks, and posix-style objection permissions within a namespace.

Sched URL

Video

Twitter Facebook LinkedIn

About

Conferences

Fine-Grained Permissions in Kubernetes: What’s Missing, and How to Fix That - Vallery Lancey, Lyft & Seth McCombs, Triller

Abstract

Video

You May Also Enjoy

You Shall Not Pass! Unless You Are GUAC Verified…. - Parth Patel, Kusari & Dejan Bosanac, Red Hat

Living off the Land Techniques in Managed Kubernetes Clusters - Ronen Shustin & Shay Berkovich, Wiz

Leveraging OCI 1.1 for Enhanced SBOM Integration and Vulnerability Scanning in Harbor - Anais Urlichs, Aqua Security & Shengwen Yu, VMware

Lessons Learned from Generating 100M SBOMs: Google’s Approach to SBOM Compliance - Brandon Lum & Isaac Hepworth, Google