Creating Least Privilege Policies in Kubernetes

45 minutes
  • 2 Learning Objectives

About this Hands-on Lab

You are a container engineer at Cube4Lyf, an e-gaming platform geared towards puzzle and logic games. As their Kubernetes implementation matures, their security team is calling for more granular user access policies that adhere to the Principle of Least Privilege.

The team has created a role to restrict the Dev user to read/write permissions in the development namespace, read-only rights in the productions namespace, and no access to the monitoring namespace in the cluster. However, users are reporting more access than intended.
You will need to troubleshoot the policy and role bindings to ensure this granular access is enforced in the cluster.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Objective 1

Correct the configuration of the deployment-user role and role binding so that it only allows those actions in the development namespace.

Objective 2

Restore read-only permissions for the production namespace to the dev user.

Read-only role:

kind: Role
namespace: production
name: prod-read
- apiGroups: [""]
resources: ["pods", "deployments"]
verbs: ["get", "watch", "list"]

Read-only role binding:

kind: RoleBinding
name: prod-read
namespace: production
- kind: User
name: dev
kind: Role
name: prod-read

Additional Resources

  • Role Based Access Control (RBAC) in Kubernetes:

  • Verbs in Policies:

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?