K3S: Implement Security Best Practices

Implementing Role-Based Access Control (RBAC)

Security is all fun and games until someone accidentally deletes an entire namespace. Enter RBAC (Role-Based Access Control), the bouncer of your Kubernetes cluster, making sure each identity can do only what it has explicitly been allowed to do. K3s ships with the RBAC authorizer switched on, but the kubeconfig it writes to /etc/rancher/k3s/k3s.yaml is cluster-admin: treat that file as a break-glass credential and give people and workloads their own, narrower identities.

Overview of RBAC and why it is important

RBAC defines who can do what, on which resources, in which namespace. Without it, every authenticated identity is effectively cluster-admin, and a dev might redeploy (or delete) production at 3 AM. Nobody wants that.

Understanding Roles and RoleBindings

  • Roles define permissions (verbs on resources) within a single namespace; ClusterRoles do the same cluster-wide and for non-namespaced resources such as nodes.
  • RoleBindings attach a Role (or a ClusterRole, scoped down to the binding's namespace) to users, groups or ServiceAccounts; ClusterRoleBindings grant a ClusterRole across the whole cluster.
  • RBAC is purely additive: there is no deny rule, so every binding can only widen what a subject may do.

Creating an RBAC role for a namespace

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: dev-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]

Assigning a role to a user

Kubernetes has no user database, so the subject name developer must match whatever identity the API server actually sees: the CN of a client certificate, or the username claim of an OIDC token if you have configured an issuer. Binding to a Group (the certificate's O field, or the groups claim) scales better than binding individual users one at a time.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: dev
  name: dev-rolebinding
subjects:
- kind: User
  name: developer
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev-role
  apiGroup: rbac.authorization.k8s.io

Applying RBAC rules

kubectl apply -f role.yaml
kubectl apply -f rolebinding.yaml
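The Role above is a minimal starting point. The manifests below are an added example, not part of the original page: they show the page's dev-role widened to what a developer actually needs day to day, with the dangerous subresources deliberately left out, bound to a group instead of a single user, and with the wildcard anti-pattern shown (commented out) for contrast. The namespace dev is taken from the page; the group name developers is an assumption and must match the O= field of the developers' client certificates or their OIDC groups claim.

```yaml
# Added example, not from the original page. The namespace "dev" matches the
# page; the group name "developers" is an assumption and must match the O=
# field of the developers' client certificates (or their OIDC groups claim).
#
# The anti-pattern first, commented out so it cannot be applied by accident.
# A wildcard rule grants every verb on every resource in the namespace,
# including secrets and pods/exec:
#
#   rules:
#   - apiGroups: ["*"]
#     resources: ["*"]
#     verbs: ["*"]
#
# The Role below is the page's dev-role widened only as far as a developer
# actually needs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: dev-role
rules:
# Read-only view of running workloads, their logs and their config.
- apiGroups: [""]
  resources: ["pods", "pods/log", "services", "configmaps"]
  verbs: ["get", "list", "watch"]
# Developers may roll out, patch and roll back their own Deployments ...
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
# ... and inspect the ReplicaSets those rollouts produce.
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["get", "list", "watch"]
# Deliberately absent: "secrets" (credential theft), "pods/exec" and
# "pods/portforward" (a shell into any container in the namespace), and
# any write access to roles or rolebindings, so the permission set stays
# something only a cluster administrator changes.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: dev
  name: dev-rolebinding
subjects:
- kind: Group
  name: developers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev-role
  apiGroup: rbac.authorization.k8s.io
```

After applying, verify the boundary from the cluster-admin kubeconfig using impersonation (alice is a placeholder username): `kubectl auth can-i list pods -n dev --as=alice --as-group=developers` answers yes, while `kubectl auth can-i get secrets -n dev --as=alice --as-group=developers` and `kubectl auth can-i create pods --subresource=exec -n dev --as=alice --as-group=developers` answer no. `kubectl auth can-i --list -n dev --as=alice --as-group=developers` prints the complete effective permission set, which is the thing to review before anyone gets the certificate.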

Using Pod Security Policies

Pod Security Policies (PSP) made sure your Pods didn't run as root or demand privileged access like some entitled teenager. Note the past tense: PSP was deprecated in Kubernetes 1.21 and removed in 1.25, so the policy/v1beta1 manifest below only works on K3s releases older than v1.25. On current releases the same job is done by Pod Security Admission (PSA), a built-in admission controller driven by namespace labels.

Enforcing security policies for Pods

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  # fsGroup is a required field of the PSP spec; the API server rejects a policy without it.
  fsGroup:
    rule: RunAsAny
  # With no allow-list, no volume type at all is permitted, which breaks ConfigMap and Secret mounts.
  volumes:
    - configMap
    - secret
    - emptyDir
    - projected
    - persistentVolumeClaim

Enabling PSP in K3s and applying the policy

Applying the manifest on its own does nothing. On a K3s release older than v1.25 the PodSecurityPolicy admission plugin has to be enabled on the server first, with --kube-apiserver-arg=enable-admission-plugins=NodeRestriction,PodSecurityPolicy among the K3s server flags, and a policy only takes effect for subjects that are authorized to use it: a ClusterRole granting the use verb on podsecuritypolicies (with resourceNames restricted to this policy), bound to the users or ServiceAccounts that create Pods. Create the policy and its binding before enabling the plugin; enabled with no usable policy, the admission controller rejects every Pod. On K3s v1.25 and later the policy/v1beta1 API no longer exists and kubectl apply fails with a "no matches for kind PodSecurityPolicy" error; use Pod Security Admission instead.

kubectl apply -f psp.yaml
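The Pod Security Admission equivalent of the restricted policy, added here as an example and not part of the original page. Enforcement is switched on per namespace by labels, so nothing needs enabling on the K3s server; the second document is a Pod that the restricted profile admits, with every control the profile requires spelled out. The namespace dev is taken from the page; the Pod name hardened and the choice of the unprivileged nginx image are assumptions.

```yaml
# Added example, not from the original page. Namespace "dev" matches the
# page; the Pod name "hardened" and the image are illustrative choices.
#
# On Kubernetes 1.25+ (and therefore on current K3s releases) Pod Security
# Admission replaces PodSecurityPolicy. It is built in and driven by
# namespace labels; the three modes can be set independently.
apiVersion: v1
kind: Namespace
metadata:
  name: dev
  labels:
    # Reject Pods that violate the "restricted" profile ...
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    # ... and also warn the submitter and record an audit annotation, so
    # the violation is visible both to the user and in the API audit log.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# A Pod the restricted profile admits. Remove any one of the securityContext
# fields below and the API server rejects the Pod, naming the missing control.
# The profile also forbids privileged containers, hostNetwork/hostPID/hostIPC,
# hostPath volumes, hostPorts and any added capability other than NET_BIND_SERVICE.
apiVersion: v1
kind: Pod
metadata:
  name: hardened
  namespace: dev
spec:
  securityContext:
    # Admission checks that this is set; the kubelet then refuses to start a
    # container whose image runs as uid 0, which is why the unprivileged
    # nginx image (listening on 8080 as a non-root user) is used here.
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: nginxinc/nginx-unprivileged:1.25
    ports:
    - containerPort: 8080
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

Apply the Namespace first, then try the page's plain nginx:latest image with no securityContext in the same namespace: the API server refuses it and lists every missing control (allowPrivilegeEscalation, capabilities, runAsNonRoot, seccompProfile) in one message. Before labelling a namespace that already has workloads, preview the impact without changing anything: `kubectl label --dry-run=server --overwrite ns dev pod-security.kubernetes.io/enforce=restricted` reports which running Pods would be rejected.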

Securing API Access and Authentication

You don't want random scripts running API calls, so let's secure that too. Humans authenticate with client certificates or OIDC; workloads get a ServiceAccount, whose token the kubelet mounts into the Pod at /var/run/secrets/kubernetes.io/serviceaccount. Every Pod receives one by default (the namespace's default ServiceAccount), so the job is twofold: give each workload that needs the API its own account with exactly the permissions it needs, and stop mounting tokens into Pods that never talk to the API.

Using ServiceAccounts for API access

apiVersion: v1
kind: ServiceAccount
metadata:
  name: myserviceaccount
  namespace: default

Granting permissions using RBAC

A RoleBinding may reference a built-in ClusterRole such as view; the binding's namespace then limits the grant to that namespace. A ClusterRoleBinding to the same ClusterRole would let the account read every namespace in the cluster, which is rarely what a single workload needs. view deliberately excludes Secrets.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: default
  name: serviceaccount-binding
subjects:
- kind: ServiceAccount
  name: myserviceaccount
  namespace: default
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io

Applying and testing authentication

The two impersonation checks are the test: the first answers yes, the second no. If both answer yes, the account is bound to something broader than view.

kubectl apply -f serviceaccount.yaml
kubectl apply -f sa-rolebinding.yaml
kubectl auth can-i list pods -n default --as=system:serviceaccount:default:myserviceaccount
kubectl auth can-i delete pods -n default --as=system:serviceaccount:default:myserviceaccount
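The other half of ServiceAccount hygiene is the token itself. The manifests below are an added example, not part of the original page: the page's ServiceAccount with token auto-mounting turned off, a Pod that needs the API and therefore opts back in (and shows how the mounted token is actually presented to the API server), and a Pod that never talks to the API and so gets no credential at all. The ServiceAccount name is the page's; the Pod names api-reader and batch-worker and the container images are illustrative.

```yaml
# Added example, not from the original page. The ServiceAccount name matches
# the page; the Pod names "api-reader" and "batch-worker" are illustrative.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myserviceaccount
  namespace: default
# Default to no token: a Pod only receives one if it asks for it explicitly.
automountServiceAccountToken: false
---
# This Pod genuinely calls the API, so it opts back in (the Pod-level setting
# overrides the ServiceAccount-level one). The kubelet mounts a short-lived
# projected token, which the container presents as a bearer token together
# with the cluster CA it finds in the same directory.
apiVersion: v1
kind: Pod
metadata:
  name: api-reader
  namespace: default
spec:
  serviceAccountName: myserviceaccount
  automountServiceAccountToken: true
  containers:
  - name: reader
    image: curlimages/curl:8.5.0
    command: ["sh", "-c"]
    args:
    - |
      SA=/var/run/secrets/kubernetes.io/serviceaccount
      curl -sS --cacert "$SA/ca.crt" \
        -H "Authorization: Bearer $(cat "$SA/token")" \
        "https://kubernetes.default.svc/api/v1/namespaces/$(cat "$SA/namespace")/pods"
---
# This Pod never talks to the API. It keeps the namespace's default
# ServiceAccount but refuses the token, so a compromise of the container
# yields no cluster credential at all.
apiVersion: v1
kind: Pod
metadata:
  name: batch-worker
  namespace: default
spec:
  automountServiceAccountToken: false
  containers:
  - name: worker
    image: busybox:1.36
    command: ["sh", "-c", "sleep 3600"]
```

With the view binding from the page in place, `kubectl logs api-reader` prints a PodList for the default namespace (the listing succeeds because view covers pods; a request for secrets on the same path would be forbidden). `kubectl exec batch-worker -- ls /var/run/secrets/kubernetes.io/serviceaccount` fails because the directory was never mounted, which is exactly what an attacker landing in that container would find.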

Scanning Containers for Vulnerabilities

Hackers love insecure containers. Don’t make their lives easy—scan your images.

Using Trivy for image vulnerability scanning

A plain scan lists everything it finds. The second form is the one to put in a pipeline: it drops findings that have no fix available yet and makes the command fail (exit code 1) whenever a HIGH or CRITICAL vulnerability remains, so a bad image never reaches the cluster.

trivy image nginx:latest
trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 nginx:latest

Best practices for securing Kubernetes workloads

  • Use minimal base images (e.g., alpine, distroless or scratch): fewer packages means fewer CVEs to patch.
  • Avoid running containers as root: build the image with a non-root USER and set runAsNonRoot: true in the Pod's securityContext, so a root-only image fails to start instead of silently running as uid 0.
  • Regularly update dependencies and container images, and pin images by digest (the @sha256 form) rather than a floating tag such as latest, so the image you scanned is the image that actually runs.

Hands-On Exercise

Time to get your hands dirty:

  • Implement RBAC to restrict access to a namespace, and prove the restriction with kubectl auth can-i.
  • Enforce container security with a Pod Security Policy (K3s older than v1.25) or by labelling a namespace for Pod Security Admission (v1.25 and later).
  • Set up a ServiceAccount for API authentication, and turn token auto-mounting off for Pods that don't need it.
  • Scan container images for vulnerabilities using Trivy.

Master this, and your cluster will be safer than a locked-down bank vault. 🚀