Limit Service Account Permissions in Kubernetes

30 minutes
  • 3 Learning Objectives

About this Hands-on Lab

Service accounts can be a useful tool in Kubernetes, but they could become a security risk if their permissions are too broad. In this lab, you will practice your Kubernetes security skills by restricting permissions for a service account to only those that are necessary.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create a Service Account with Appropriate Permissions for the pod-watch Pod

The pod-watch Pod in the auth namespace needs to be able to get and list Pods and Pod logs in the auth namespace.

Create a service account called pod-monitor and assign it appropriate RBAC permissions for the pod-watch Pod.

Modify the pod-watch Pod to use the new service account. Note that you will need to delete and re-create the Pod to do this. A manifest for the Pod can be found in /home/cloud_user.

Create a Service Account with Appropriate Permissions for the svc-watch Pod

The svc-watch Pod in the auth namespace needs to be able to get and list Services and Endpoints in the auth namespace.

Create a service account called svc-monitor in the auth namespace and assign it appropriate RBAC permissions for the svc-watch Pod.

Modify the svc-watch Pod to use the new service account. Note that you will need to delete and re-create the Pod to do this. A manifest for the Pod can be found in /home/cloud_user.
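Both objectives above follow the same pattern, so here is one added example (my own script, not part of the lab materials) that generates the ServiceAccount, namespaced Role and RoleBinding for either account and, where kubectl is on the PATH, checks the permission boundary with `kubectl auth can-i` impersonation. The `<sa>-role` and `<sa>-binding` names are assumptions; the lab only fixes the service account names.

```shell
#!/bin/sh
# Emit a ServiceAccount, a namespaced Role and a RoleBinding that grant only
# get/list on the given core-group resources (no ClusterRole: scope stays
# inside one namespace). The "<sa>-role" / "<sa>-binding" names are my choice.
#   rbac_manifest <service-account> <namespace> '<quoted, comma-separated resources>'
rbac_manifest() {
  sa=$1; ns=$2; resources=$3
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${sa}-role
  namespace: ${ns}
rules:
- apiGroups: [""]              # core group: pods, pods/log, services, endpoints
  resources: [${resources}]
  verbs: ["get", "list"]       # read-only; no create, delete, patch or watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}-binding
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${sa}-role
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
EOF
}

# Apply both accounts and check the boundary with impersonation; skipped when
# no kubectl is on PATH so the script still runs as a plain manifest generator.
if command -v kubectl >/dev/null 2>&1; then
  rbac_manifest pod-monitor auth '"pods", "pods/log"'      | kubectl apply -f -
  rbac_manifest svc-monitor auth '"services", "endpoints"' | kubectl apply -f -
  kubectl auth can-i list pods/log -n auth --as=system:serviceaccount:auth:pod-monitor  # yes
  kubectl auth can-i list services -n auth --as=system:serviceaccount:auth:pod-monitor  # no
  kubectl auth can-i get endpoints -n auth --as=system:serviceaccount:auth:svc-monitor  # yes
fi
```

After applying, each Pod manifest in /home/cloud_user still needs `serviceAccountName: pod-monitor` (or `svc-monitor`) under `spec` before the Pod is deleted and re-created, since a running Pod's service account cannot be changed in place.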

Delete the Old Shared Service Account

Delete the old auth-sa service account that these Pods were using previously.

Additional Resources

Your company, SecuriCorp, is using Kubernetes to run a variety of applications. Recently, hackers have been trying various techniques to break into the Kubernetes cluster and steal data.

Two applications are running in your cluster that use service accounts. These applications currently use a shared service account with a combined set of permissions. However, this results in both applications having more permissions than they need.

Address this security risk by creating 2 new service accounts with separate permissions. Modify the 2 Pods to use the 2 separate service accounts.
