kb.erickguedes.com
Kubernetes: Orchestration in Production

RBAC and Security

Lesson 5 of 8

RBAC — Role-Based Access Control

RBAC controls who may perform which verbs on which resources. Every request to the API server is authenticated first and then authorized; with RBAC the authorizer answers yes only when some Role or ClusterRole bound to the subject (through a RoleBinding or ClusterRoleBinding) matches the verb, resource and namespace of the request. There are no deny rules: anything not explicitly granted is denied.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: pod-reader
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: dev
  name: dev-reader-binding
subjects:
  - kind: User
    name: dev-alice
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

ClusterRole vs Role

Role
  Scope:       one namespace
  Grants:      namespaced resources in that namespace
  Bound with:  RoleBinding

ClusterRole
  Scope:       the whole cluster
  Grants:      cluster-scoped resources (nodes, PersistentVolumes, namespaces), non-resource URLs such as /healthz, and namespaced resources in every namespace
  Bound with:  ClusterRoleBinding for cluster-wide effect, or a RoleBinding to apply the same rules in one namespace only (the usual way to reuse one definition across namespaces)

# cluster-admin already exists as a built-in ClusterRole with exactly these
# wildcard rules (plus nonResourceURLs: ["*"]), and the API server re-creates
# it at startup, so there is no reason to define it yourself. The manifest is
# shown only to make the rule shape explicit.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-admin
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
# Binds the built-in cluster-admin to a ServiceAccount. Every pod running as
# admin-sa, and anyone who can read its token or exec into such a pod, is
# root on the whole cluster. Automation should get a narrowly scoped
# ClusterRole instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-binding
subjects:
  - kind: ServiceAccount
    name: admin-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
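To make the RBAC objects above reviewable rather than just readable, here is an added audit script written for this lesson; it is not code from the page or from the Kubernetes project. It reads the JSON that kubectl prints for roles and bindings and flags the grants a reviewer should question: wildcard rules, the escalation verbs escalate/bind/impersonate, read access to Secrets, exec/attach into pods, token minting, cluster-wide bindings of the built-in cluster-admin, and bindings whose role no longer exists. It goes a step beyond the manifests shown here in that it resolves RoleBindings as well as ClusterRoleBindings. The SAMPLE data is constructed: the cluster-admin entry mirrors the built-in role, pod-reader and admin-binding mirror the manifests on this page, and ci-deployer, rbac-manager, ci, rbac-bot and stale are made up for the demonstration.

```python
"""Audit RBAC objects for grants a reviewer should look at twice.
Added example, not from the original page. Input: the JSON printed by
`kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`
(a v1 List). SAMPLE is a constructed stand-in for that output."""
import json
import sys

ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
# Core-group (resource, verb) pairs that amount to credential theft or
# code execution inside someone else's workload.
SENSITIVE = {("secrets", "get"), ("secrets", "list"), ("pods/exec", "create"),
             ("pods/attach", "create"), ("serviceaccounts/token", "create")}

def rule_allows(rule, resource, verb):
    """True if a core-group rule grants `verb` on `resource`; wildcards count."""
    groups = rule.get("apiGroups", [])
    if "" not in groups and "*" not in groups:
        return False
    res, verbs = rule.get("resources", []), rule.get("verbs", [])
    return ("*" in res or resource in res) and ("*" in verbs or verb in verbs)

def role_findings(role):
    """Human-readable findings for one Role or ClusterRole."""
    out = []
    for rule in role.get("rules", []):
        if "nonResourceURLs" in rule:
            continue  # /healthz, /metrics and friends: not resource grants
        res, verbs = rule.get("resources", []), set(rule.get("verbs", []))
        if "*" in res and "*" in verbs:
            out.append("wildcard rule: '*' verbs on '*' resources")
            continue
        if "*" in verbs:
            out.append("wildcard verbs on " + ",".join(res))
        if verbs & ESCALATION_VERBS:
            out.append("escalation verbs: " + ",".join(sorted(verbs & ESCALATION_VERBS)))
        for resource, verb in sorted(SENSITIVE):
            if rule_allows(rule, resource, verb):
                out.append("%s %s" % (verb, resource))
    return out

def audit(items):
    """Map each (Cluster)RoleBinding that has findings to its subjects and findings."""
    roles = {(i["kind"], i["metadata"].get("namespace", ""), i["metadata"]["name"]): i
             for i in items if i["kind"] in ("Role", "ClusterRole")}
    report = {}
    for b in items:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ns, ref = b["metadata"].get("namespace", ""), b["roleRef"]
        # A RoleBinding may reference a Role in its own namespace or any ClusterRole.
        role = roles.get((ref["kind"], ns if ref["kind"] == "Role" else "", ref["name"]))
        findings = role_findings(role) if role else [
            "roleRef %s/%s not found (dangling binding)" % (ref["kind"], ref["name"])]
        if b["kind"] == "ClusterRoleBinding" and ref["name"] == "cluster-admin":
            findings.insert(0, "binds built-in cluster-admin cluster-wide")
        if findings:
            key = ("%s/" % ns if ns else "") + b["metadata"]["name"]
            subjects = [("%(kind)s %(namespace)s/%(name)s" if s["kind"] == "ServiceAccount"
                         else "%(kind)s %(name)s") % s for s in b.get("subjects", [])]
            report[key] = {"subjects": subjects, "findings": findings}
    return report

# Constructed sample in kubectl List shape: cluster-admin mirrors the built-in
# role, pod-reader and admin-binding mirror this page, the rest are made up.
R, CR, RB, CRB = "Role", "ClusterRole", "RoleBinding", "ClusterRoleBinding"
SAMPLE = {"apiVersion": "v1", "kind": "List", "items": [
    {"kind": CR, "metadata": {"name": "cluster-admin"}, "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"kind": R, "metadata": {"namespace": "dev", "name": "pod-reader"}, "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}]},
    {"kind": CR, "metadata": {"name": "ci-deployer"}, "rules": [
        {"apiGroups": [""], "resources": ["secrets", "configmaps"], "verbs": ["get", "list", "create"]}]},
    {"kind": CR, "metadata": {"name": "rbac-manager"}, "rules": [
        {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
         "verbs": ["create", "bind", "escalate"]}]},
    {"kind": RB, "metadata": {"namespace": "dev", "name": "dev-reader-binding"},
     "subjects": [{"kind": "User", "name": "dev-alice"}], "roleRef": {"kind": R, "name": "pod-reader"}},
    {"kind": CRB, "metadata": {"name": "admin-binding"}, "roleRef": {"kind": CR, "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "kube-system", "name": "admin-sa"}]},
    {"kind": CRB, "metadata": {"name": "ci"}, "roleRef": {"kind": CR, "name": "ci-deployer"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "pipeline"}]},
    {"kind": CRB, "metadata": {"name": "rbac-bot"}, "roleRef": {"kind": CR, "name": "rbac-manager"},
     "subjects": [{"kind": "User", "name": "rbac-bot"}]},
    {"kind": CRB, "metadata": {"name": "stale"}, "roleRef": {"kind": CR, "name": "deleted-role"},
     "subjects": [{"kind": "Group", "name": "old-team"}]},
]}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name, entry in audit(data["items"]).items():
        print(name, "->", ", ".join(entry["subjects"]))
        for f in entry["findings"]:
            print("   -", f)
```

Saved as, say, rbac_audit.py (a name chosen here), it audits the embedded sample when run on its own and a live cluster when fed `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json | python3 rbac_audit.py`. It only reads the rules as written; aggregated ClusterRoles and group membership are out of scope, so treat it as a first pass, not as a replacement for `kubectl auth can-i`.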

Service Account

apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: default
---
apiVersion: v1
kind: Pod
metadata:
  name: app                            # placeholder name
  namespace: default
spec:
  serviceAccountName: app-sa           # the pod runs as this SA
  automountServiceAccountToken: false  # no token is mounted: this app never talks to the API server
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
kubectl create serviceaccount pipeline
kubectl get sa pipeline -o yaml
# Since Kubernetes 1.24 creating a ServiceAccount no longer creates a long-lived
# Secret token. Pods receive a short-lived token, bound to that pod and to the
# API server audience, through a projected volume; a token for use outside a
# pod is minted on demand:
kubectl create token pipeline --duration=1h
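The difference between the old Secret-based token and a bound token is visible in the token itself. The following inspector is an added example written for this lesson (not the page's or the project's code): it decodes the JWT payload of a ServiceAccount token, such as the one mounted at /var/run/secrets/kubernetes.io/serviceaccount/token, and reports which ServiceAccount it belongs to, which pod it is bound to, its audience and its remaining lifetime. It deliberately does not verify the signature (that is the API server's job), so it is an inspection aid, never an authentication check. The two sample tokens are constructed, unsigned, and carry a fake key id.

```python
"""Tell a legacy ServiceAccount token from a bound (projected) one.
Added example, not from the original page. Decodes JWT claims only;
the signature is NOT verified (that is the API server's job)."""
import base64
import json
import time


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_payload(token):
    """Return the JWT claims of a compact JWS without verifying the signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def inspect_token(token, now=None):
    """Summarise who the token is for and what it is bound to.

    Legacy tokens (Secret-based, the default before 1.24) carry flat
    kubernetes.io/serviceaccount/* claims, no exp and no aud. Bound tokens
    carry a nested kubernetes.io claim, an audience, an expiry and, when
    projected into a pod, that pod's name and uid.
    """
    p = decode_payload(token)
    bound = p.get("kubernetes.io", {})
    aud = p.get("aud", [])
    info = {
        "subject": p.get("sub"),
        "namespace": bound.get("namespace") or p.get("kubernetes.io/serviceaccount/namespace"),
        "serviceaccount": bound.get("serviceaccount", {}).get("name")
        or p.get("kubernetes.io/serviceaccount/service-account.name"),
        "audiences": aud if isinstance(aud, list) else [aud],
        "bound_pod": bound.get("pod", {}).get("name"),
        "ttl_seconds": None,
        "warnings": [],
    }
    if "exp" not in p:
        info["kind"] = "legacy"
        info["warnings"].append(
            "never expires and is bound to nothing: a leaked copy works until the Secret is deleted")
    else:
        info["kind"] = "bound"
        info["ttl_seconds"] = p["exp"] - (int(time.time()) if now is None else now)
        if info["ttl_seconds"] <= 0:
            info["warnings"].append("expired")
        if not info["bound_pod"]:
            info["warnings"].append("not bound to a pod (e.g. minted with `kubectl create token`)")
    return info


def _constructed_token(payload):
    """Build an UNSIGNED sample token; only for this demonstration."""
    header = {"alg": "RS256", "kid": "constructed-sample"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"not-a-real-signature")])


# Constructed claim sets mirroring the two token formats (uids are made up).
BOUND_TOKEN = _constructed_token({
    "aud": ["https://kubernetes.default.svc"],
    "iat": 1700000000, "exp": 1700003600, "iss": "https://kubernetes.default.svc",
    "sub": "system:serviceaccount:default:app-sa",
    "kubernetes.io": {"namespace": "default",
                      "pod": {"name": "app-7d9f8", "uid": "11111111-2222-3333-4444-555555555555"},
                      "serviceaccount": {"name": "app-sa", "uid": "66666666-7777-8888-9999-000000000000"}},
})
LEGACY_TOKEN = _constructed_token({
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:default:pipeline",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "pipeline-token-abcde",
    "kubernetes.io/serviceaccount/service-account.name": "pipeline",
})

if __name__ == "__main__":
    for tok in (BOUND_TOKEN, LEGACY_TOKEN):
        print(json.dumps(inspect_token(tok, now=1700000000), indent=2))
```

On a real cluster, pass the mounted token (`inspect_token(open("/var/run/secrets/kubernetes.io/serviceaccount/token").read())`) or the output of `kubectl create token`; the latter shows up as bound but without a pod, which is exactly the warning the inspector raises. A legacy token found in a Secret is a permanent credential and should be deleted and replaced with bound tokens.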

Pod Security Standards

apiVersion: v1
kind: Namespace
metadata:
  name: prod
  labels:
    # Reject pods that violate baseline...
    pod-security.kubernetes.io/enforce: baseline
    # ...and log/warn about pods that would fail restricted, so the stricter
    # profile can be rolled out without breaking running deployments. Once the
    # warnings stop, raise enforce to restricted. A warn or audit level below
    # the enforce level adds nothing, since enforce already rejects those pods.
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
# The labels are checked at admission (pod create/update) only: pods that
# already exist are not evicted when a namespace becomes stricter.
Profile      Description
privileged   No restrictions; the default whenever a namespace carries no pod-security label
baseline     Minimal preventive policy: blocks the known privilege escalations (privileged containers, host namespaces, hostPath volumes, capabilities beyond a small default set)
restricted   Strictest profile, following current pod-hardening best practice (non-root, no privilege escalation, all capabilities dropped, seccomp enabled)

Pod Security Context

apiVersion: v1
kind: Pod
metadata:
  name: app                             # placeholder name
spec:
  securityContext:                      # pod level: inherited by every container unless overridden
    runAsNonRoot: true                  # the kubelet refuses to start a container that would run as UID 0
    seccompProfile:
      type: RuntimeDefault              # restricted requires RuntimeDefault or Localhost
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false # sets no_new_privs: setuid binaries and file capabilities gain nothing
        capabilities:
          drop: ["ALL"]                 # restricted: drop ALL; add at most NET_BIND_SERVICE
        readOnlyRootFilesystem: true    # not required by restricted, but blocks most persistence; mount an emptyDir where the app must write
        runAsUser: 1000                 # explicit numeric UID: runAsNonRoot can only be verified for images that declare a numeric USER
        runAsGroup: 1000
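What the PodSecurity admission plugin actually checks when a namespace carries pod-security.kubernetes.io/enforce=restricted is easier to see in code than in the profile table. The checker below is an added example written for this lesson; it is neither the page's code nor the upstream admission code, and it covers the controls this lesson touches (host namespaces, volume types, privileged, allowPrivilegeEscalation, runAsNonRoot/runAsUser, seccomp, capabilities), including the rule that a container-level securityContext overrides the pod-level one. The two pods are constructed: WEAK is the kind of spec that gets rejected, HARDENED mirrors the manifest above.

```python
"""Check a Pod against the key controls of the Pod Security Standards
"restricted" profile. Added example, not from the original page and not
the upstream admission implementation; constructed sample pods below."""

# Volume types the restricted profile allows; everything else is rejected.
ALLOWED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                   "persistentVolumeClaim", "projected", "secret"}
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}


def _effective(pod_sc, container_sc, key):
    """A container-level securityContext field overrides the pod-level one."""
    return container_sc.get(key, pod_sc.get(key))


def restricted_violations(pod):
    """Return the list of violations; an empty list means the pod is admitted."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    out = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            out.append("spec.%s must be false" % field)
    for vol in spec.get("volumes", []):
        vtype = next((k for k in vol if k != "name"), None)
        if vtype not in ALLOWED_VOLUMES:
            out.append("volume %s: type %s is not allowed" % (vol["name"], vtype))
    containers = (spec.get("containers", []) + spec.get("initContainers", [])
                  + spec.get("ephemeralContainers", []))
    for c in containers:
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            out.append("%s: privileged must be false" % name)
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append("%s: allowPrivilegeEscalation must be set to false" % name)
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            out.append("%s: runAsNonRoot must be true" % name)
        if _effective(pod_sc, sc, "runAsUser") == 0:
            out.append("%s: runAsUser must not be 0" % name)
        seccomp = (_effective(pod_sc, sc, "seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            out.append("%s: seccompProfile.type must be RuntimeDefault or Localhost" % name)
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            out.append("%s: capabilities.drop must include ALL" % name)
        extra = set(caps.get("add", [])) - ALLOWED_ADDED_CAPS
        if extra:
            out.append("%s: capabilities.add %s not allowed" % (name, sorted(extra)))
    return out


# Constructed pods: a typical "debug" spec that restricted rejects, and the
# hardened spec from this lesson.
WEAK = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"}, "spec": {
    "hostPID": True,
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    "containers": [{"name": "app", "image": "registry.example.com/app:1.0",
                    "securityContext": {"privileged": True}}],
}}
HARDENED = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "registry.example.com/app:1.0",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]},
                                        "readOnlyRootFilesystem": True,
                                        "runAsUser": 1000, "runAsGroup": 1000}}],
}}

if __name__ == "__main__":
    for pod in (WEAK, HARDENED):
        v = restricted_violations(pod)
        print(pod["metadata"]["name"], "->", "admitted" if not v else "rejected")
        for line in v:
            print("   -", line)
```

The authoritative check is the cluster itself: `kubectl apply --dry-run=server -f pod.yaml` against a namespace labelled with enforce=restricted returns the same class of errors, and `kubectl label --dry-run=server --overwrite ns prod pod-security.kubernetes.io/enforce=restricted` reports which existing pods in the namespace would be rejected.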

External Secrets Operator

# SecretStore is namespace-scoped (ClusterSecretStore is the cluster-wide
# variant). With no spec.provider.aws.auth block the controller authenticates
# with its own AWS identity (for example IRSA); that identity's IAM policy,
# not Kubernetes RBAC, decides which upstream secrets can be read.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-secret
spec:
  secretStoreRef:
    name: aws-secrets
    kind: SecretStore
  target:
    name: db-credentials       # the ordinary Kubernetes Secret the operator creates and keeps in sync
  data:
    - secretKey: password      # key inside db-credentials
      remoteRef:
        key: prod/db/password  # secret name in AWS Secrets Manager

RBAC is the foundation of Kubernetes security: it is deny-by-default, so every permission a subject holds traces back to a binding you can list and review, and `kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<name>` shows what a ServiceAccount actually holds once bindings and aggregation are resolved. Service Accounts are identities for pods (not for humans); since 1.22 pods receive short-lived tokens bound to the pod that mounts them, and since 1.24 creating a ServiceAccount no longer creates a long-lived Secret token. Pod Security Standards and the securityContext decide what a pod may do on the node once it is admitted. External Secrets Operator syncs secrets from external vaults (AWS Secrets Manager, HashiCorp Vault) into ordinary Kubernetes Secrets, so RBAC on the secrets resource still decides who can read them inside the cluster.