You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/en/docs/concepts/security/rbac-good-practices.md
+7-7Lines changed: 7 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -22,15 +22,15 @@ The good practices laid out here should be read in conjunction with the general
22
22
23
23
### Least privilege
24
24
25
-
Ideally minimal RBAC rights should be assigned to users and service accounts. Only permissions
26
-
explicitly required for their operation should be used. Whilst each cluster will be different,
25
+
Ideally, minimal RBAC rights should be assigned to users and service accounts. Only permissions
26
+
explicitly required for their operation should be used. While each cluster will be different,
27
27
some general rules that can be applied are :
28
28
29
29
- Assign permissions at the namespace level where possible. Use RoleBindings as opposed to
30
30
ClusterRoleBindings to give users rights only within a specific namespace.
31
31
- Avoid providing wildcard permissions when possible, especially to all resources.
32
32
As Kubernetes is an extensible system, providing wildcard access gives rights
33
-
not just to all object types presently in the cluster, but also to all future object types
33
+
not just to all object types present in the cluster, but also to all future object types
34
34
which are created in the future.
35
35
- Administrators should not use `cluster-admin` accounts except where specifically needed.
36
36
Providing a low privileged account with [impersonation rights](/docs/reference/access-authn-authz/authentication/#user-impersonation)
@@ -61,7 +61,7 @@ the RBAC rights provided by default can provide opportunities for security harde
61
61
In general, changes should not be made to rights provided to `system:` accounts some options
62
62
to harden cluster rights exist:
63
63
64
-
- Review bindings for the `system:unauthenticated` group and remove where possible, as this gives
64
+
- Review bindings for the `system:unauthenticated` group and remove them where possible, as this gives
65
65
access to anyone who can contact the API server at a network level.
66
66
- Avoid the default auto-mounting of service account tokens by setting
67
67
`automountServiceAccountToken: false`. For more details, see
@@ -122,19 +122,19 @@ PersistentVolumes, and constrained users should use PersistentVolumeClaims to ac
122
122
### Access to `proxy` subresource of Nodes
123
123
124
124
Users with access to the proxy sub-resource of node objects have rights to the Kubelet API,
125
-
which allows for command execution on every pod on the node(s) which they have rights to.
125
+
which allows for command execution on every pod on the node(s) to which they have rights.
126
126
This access bypasses audit logging and admission control, so care should be taken before
127
127
granting rights to this resource.
128
128
129
129
### Escalate verb
130
130
131
-
Generally the RBAC system prevents users from creating clusterroles with more rights than
131
+
Generally, the RBAC system prevents users from creating clusterroles with more rights than
132
132
they possess. The exception to this is the `escalate` verb. As noted in the [RBAC documentation](/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update),
133
133
users with this right can effectively escalate their privileges.
134
134
135
135
### Bind verb
136
136
137
-
Similar to the `escalate` verb, granting users this right allows for bypass of Kubernetes
137
+
Similar to the `escalate` verb, granting users this right allows for the bypass of Kubernetes
138
138
in-built protections against privilege escalation, allowing users to create bindings to
0 commit comments