Elevation of Privilege
Elevation of privilege, also known as privilege escalation, means gaining a higher level of access than should be granted, usually in order to cause damage or gain unauthorized access.
Let's look at a few ways to prevent this in a Kubernetes environment.
Protecting the API server
Kubernetes offers several authorization modes that help safeguard access to the API server. These include:
- RBAC mode
- Webhook mode
- Node mode
You should run multiple authorizers at the same time. For example, a common best practice is to always have RBAC and Node enabled.
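One way to check the recommendation above on a control-plane node, as an added example that is not part of the original page: the script parses a kube-apiserver command line and reports when Node or RBAC is missing or when AlwaysAllow is present. It assumes authorizers are set with the --authorization-mode flag rather than an authorization configuration file; the function names and sample command lines are constructed for illustration.

```python
import shlex

REQUIRED = ("Node", "RBAC")    # pairing recommended in the text above
FORBIDDEN = ("AlwaysAllow",)   # authorizer that permits every request
FLAG = "--authorization-mode"


def authorization_modes(argv):
    """Return the authorizers configured in a kube-apiserver argument list.

    Handles `--authorization-mode=A,B` and `--authorization-mode A,B`.
    Values from repeated flags are collected in order. With no flag the
    API server falls back to AlwaysAllow, so that is what is returned.
    """
    modes = []
    args = iter(argv)
    for arg in args:
        if arg.startswith(FLAG + "="):
            value = arg.split("=", 1)[1]
        elif arg == FLAG:
            value = next(args, "")
        else:
            continue
        modes.extend(m.strip() for m in value.split(",") if m.strip())
    return modes or ["AlwaysAllow"]


def audit(argv):
    """Return a list of findings; an empty list means the check passed."""
    modes = authorization_modes(argv)
    findings = [f"{m} authorizer is not enabled" for m in REQUIRED if m not in modes]
    findings += [f"{m} authorizer is enabled" for m in FORBIDDEN if m in modes]
    return findings


# Constructed sample command lines (not taken from a real cluster).
SAMPLES = {
    "hardened": "kube-apiserver --secure-port=6443 --authorization-mode=Node,RBAC",
    "rbac-only": "kube-apiserver --authorization-mode RBAC",
    "permissive": "kube-apiserver --authorization-mode=RBAC,AlwaysAllow",
    "unset": "kube-apiserver --secure-port=6443",
}

if __name__ == "__main__":
    for name, cmdline in SAMPLES.items():
        findings = audit(shlex.split(cmdline))
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

On a real node, the argument list would come from the running kube-apiserver process or its static pod manifest instead of SAMPLES.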
RBAC mode lets us restrict API operations to subsets of users. These users can be regular user accounts as well as system services. The idea is that all requests to the API server must be authenticated and authorized. Authentication ensures that requests are coming from a validated user: the user performing the request is who they claim to be. Authorization ensures the validated...