Elevation of Privilege

Let's learn about preventing elevation of privilege, commonly known as privilege escalation.

Elevation of privilege, a.k.a. privilege escalation, is obtaining more access than a user or workload was actually granted, usually as a stepping stone to reading data, tampering with the system, or reaching other systems it was never meant to touch. In a Kubernetes cluster the most direct route is through the API server: whoever can call it with broad permissions controls everything else.

Let’s look at a few ways to prevent this in a Kubernetes environment.

Protecting the API server

Kubernetes offers several authorization modes that help safeguard access to the API server. These include:

  • Role-based Access Control (RBAC)
  • Webhook
  • Node

You should run multiple authorizers at the same time, and the order matters. The modes are listed on the kube-apiserver `--authorization-mode` flag; the API server consults each authorizer in that order, each one answers allow, deny, or no opinion, and the first allow or deny wins. A request that no authorizer allows is denied. A common best practice is `--authorization-mode=Node,RBAC`: Node first, so kubelet requests are handled by the authorizer built for them, then RBAC for everyone else. Never include `AlwaysAllow` in that list on a real cluster, because it turns every authenticated request into an allowed one.

Role-based Access Control (RBAC)

RBAC mode lets you grant specific API operations to specific subjects: human users, groups, and the Service Accounts that workloads run as. The idea is that every request to the API server must be both authenticated and authorized. Authentication establishes that the request really comes from the identity it claims (the user performing the request is who they say they are). Authorization decides whether that verified identity may perform the requested operation on the targeted cluster resource. For example, can Lily create Pods? Here Lily is the user, create is the verb, and Pods is the resource. Authentication makes sure that it really is Lily making the request, and authorization determines whether she has been granted create on Pods, in that namespace, by some Role or ClusterRole bound to her.
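The "can Lily create Pods?" case from the text, expressed as the two RBAC objects that answer it. This is an added example, not code from the original lesson; the namespace name `dev`, the user name `lily`, and the object names are assumptions for illustration.

```yaml
# Added example (not from the original lesson). Namespace "dev", user "lily"
# and the object names are assumptions chosen for illustration.
#
# A Role is a list of permitted (apiGroups, resources, verbs) tuples scoped to
# one namespace. On its own it grants nothing to anyone.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-creator
  namespace: dev
rules:
  - apiGroups: [""]          # "" is the core API group, where Pods live
    resources: ["pods"]
    verbs: ["create", "get", "list"]
---
# A RoleBinding is what actually hands the Role's permissions to a subject.
# Without this object the Role is inert and Lily's request is denied, because
# RBAC is deny-by-default: only what is explicitly bound is allowed.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: lily-can-create-pods
  namespace: dev
subjects:
  - kind: User               # the username produced by the authenticator
    name: lily               # use kind: ServiceAccount (with namespace:) for workloads
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role                 # a ClusterRole here would still be limited to "dev"
  name: pod-creator          # by the RoleBinding's namespace
  apiGroup: rbac.authorization.k8s.io
```

After applying both objects, `kubectl auth can-i create pods --namespace dev --as lily` answers `yes`, while the same question for `--namespace prod`, or for `delete pods` in `dev`, answers `no`, which is the least-privilege shape you want. Note that `--as` works only if your own identity is allowed the `impersonate` verb, and that RBAC never sees a password or token: it only sees the username and groups the authentication step produced, so the authorizer is only as trustworthy as the authenticator in front of it.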

Webhook

Webhook mode lets you offload authorization to an external HTTP service. For every request it cannot answer from cache, the API server POSTs a SubjectAccessReview describing the request (user, groups, verb, resource, namespace) to the URL configured in the file passed via `--authorization-webhook-config-file`, and acts on the allowed or denied answer that comes back. The cost is that you have to build, secure, and maintain that service, and it sits in the hot path of every API call. If the service becomes unavailable or slow, requests that only it would have allowed fail or stall; if it is the sole authorizer, that is every request. The API server caches answers (the `--authorization-webhook-cache-authorized-ttl` and `--authorization-webhook-cache-unauthorized-ttl` flags), which softens short outages but does not remove the dependency. A webhook authorizer can also say "yes" to anything, so it must be protected as carefully as the API server itself: mutual TLS between the two, a minimal and reviewed policy, and monitoring for both availability and unexpected allows. With this in mind, you should be rigorous in vetting and implementing any webhook authorization service.
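The exchange described above, as an added example that is not part of the original lesson. The API server sends the review JSON-encoded over HTTPS; it is shown here as YAML for readability (the field names are the same). The user `lily`, the groups, the namespace `dev`, and the reason text are assumptions for illustration.

```yaml
# Added example (not from the original lesson). "lily", the groups, "dev"
# and the reason string are assumptions for illustration.
#
# 1. What the API server POSTs to the webhook: a SubjectAccessReview with
#    only .spec filled in. The webhook answers by returning the same object
#    with .status populated.
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
  user: lily
  groups: ["developers", "system:authenticated"]
  resourceAttributes:
    namespace: dev
    verb: create
    group: ""            # core API group
    resource: pods
---
# 2a. A positive answer: the webhook authorizes the request and the
#     authorizer chain stops here.
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
status:
  allowed: true
---
# 2b. A definitive deny. Returning only allowed: false means "no opinion",
#     which lets a later authorizer (RBAC, for example) still grant the
#     request. Setting denied: true short-circuits the chain so nothing
#     listed after the webhook in --authorization-mode can allow it.
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
status:
  allowed: false
  denied: true
  reason: "namespace dev is frozen by change-control policy"
```

The distinction in 2b is the one practitioners most often get wrong when writing a webhook: a policy engine that only ever returns `allowed: false` is not actually blocking anything if RBAC runs after it in the chain. When the webhook cannot be reached, the API server records an error and treats the result as no opinion for that authorizer, so whether the request succeeds then depends entirely on what the other authorizers say.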

Node

Node authorization is a special-purpose mode that authorizes API requests made by kubelets. A kubelet authenticates as the user `system:node:<nodeName>` in the group `system:nodes`, and the node authorizer lets it read only the Secrets, ConfigMaps, PersistentVolumeClaims and similar objects that belong to Pods scheduled on its own node, and write only its own Node object and the status of its own Pods. The types of requests kubelets make are very different from those of regular users, and a generic RBAC rule broad enough to let every kubelet work would let a compromised node read every Secret in the cluster; the node authorizer exists to avoid that. Pair it with the `NodeRestriction` admission plugin, which stops a kubelet from modifying other nodes' objects or its own labels in ways that could steer sensitive workloads onto it.

RBAC and Node are the two recommended authorization modes. RBAC mode is extremely configurable, and you should use it to implement a least-privilege model for users and Service Accounts accessing the API server. It is deny-by-default and purely additive: there are no deny rules, so a subject can do exactly the union of what its bindings grant and nothing else, and you must specifically grant each permission. If implemented well, it does an excellent job of ensuring users and Service Accounts do not have more access than required. When reviewing an RBAC policy for elevation-of-privilege risk, look first at ClusterRoleBindings to `cluster-admin`, at rules that use `*` for verbs or resources, and at grants of the `escalate`, `bind` and `impersonate` verbs, since those are the ones that let a subject end up with more access than it was given directly.
