RBAC (Role-Based Access Control) controls who can do what in a Kubernetes cluster, based on roles and bindings.

General Concept

  • Role: defines permissions (verbs + resources) within a namespace
  • ClusterRole: defines permissions across the whole cluster
  • RoleBinding: binds a Role to users/groups/service accounts
  • ClusterRoleBinding: binds a ClusterRole cluster-wide

Request (kubectl/API)
   ↓
Authentication (who are you?)
   ↓
RBAC Authorization (what can you do?)
   ↓
Subject (User/ServiceAccount/Group)
   ↓
Binding (Role/ClusterRole)
   ↓
Permissions (get, list, create, delete...)
   ↓
Resources (pods, services, nodes...)
   ↓
Allowed or Denied

Create Service Account

kubectl create serviceaccount app-sa -n production

Role (Namespace Scope)

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]

ClusterRole (Cluster Scope)

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list"]

RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: production
subjects:
- kind: ServiceAccount
  name: app-sa
  namespace: production
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-nodes
subjects:
- kind: ServiceAccount
  name: app-sa
  namespace: production
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io

Check Permissions

# Check whether an action is allowed
kubectl auth can-i create deployments --namespace production

# As another subject (a ServiceAccount is impersonated by its full username)
kubectl auth can-i list pods --namespace production --as system:serviceaccount:production:app-sa

# List all permissions
kubectl auth can-i --list --namespace production

Create User with Certificate

# Generate private key
openssl genrsa -out developer.key 2048

# Create CSR (CN becomes the username, O the group)
openssl req -new -key developer.key -out developer.csr -subj "/CN=developer/O=dev-team"

# Sign with the cluster CA
openssl x509 -req -in developer.csr \
  -CA /etc/kubernetes/pki/ca.crt \
  -CAkey /etc/kubernetes/pki/ca.key \
  -CAcreateserial \
  -out developer.crt -days 365

# Add to kubeconfig
kubectl config set-credentials developer \
  --client-certificate=developer.crt \
  --client-key=developer.key

kubectl config set-context developer-context \
  --cluster=kubernetes \
  --namespace=development \
  --user=developer
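The authorization flow, the four manifests above, the `kubectl auth can-i` checks and the certificate user's identity, worked as one small Python model. This is an added example, not code from the page or from Kubernetes. The `pod-reader`/`node-reader` objects are the ones defined above; the `deployer` Role, the `dev-deployers` RoleBinding and the group-to-Role mapping for the `developer` certificate user are constructed for illustration. The model does not cover resourceNames, subresources or non-resource URLs.

```python
"""A small model of the authorization flow above: subject -> binding -> role
-> rules -> allowed/denied. Added example; not code from the page or from
Kubernetes. ROLES/BINDINGS hold the four manifests above plus a constructed
Role/RoleBinding for the certificate user. resourceNames, subresources and
non-resource URLs are not modelled."""
from dataclasses import dataclass

ROLES = [
    # Role pod-reader and ClusterRole node-reader, as defined above
    {"kind": "Role", "metadata": {"namespace": "production", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "node-reader"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}]},
    # constructed for this example: a namespaced role for the dev-team group
    {"kind": "Role", "metadata": {"namespace": "development", "name": "deployer"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]}]},
]
BINDINGS = [
    # RoleBinding read-pods and ClusterRoleBinding read-nodes, as defined above
    {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "production"},
     "subjects": [{"kind": "ServiceAccount", "name": "app-sa", "namespace": "production"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "read-nodes"},
     "subjects": [{"kind": "ServiceAccount", "name": "app-sa", "namespace": "production"}],
     "roleRef": {"kind": "ClusterRole", "name": "node-reader"}},
    # constructed: binds the certificate user's group (O=dev-team) to the deployer Role
    {"kind": "RoleBinding", "metadata": {"name": "dev-deployers", "namespace": "development"},
     "subjects": [{"kind": "Group", "name": "dev-team"}],
     "roleRef": {"kind": "Role", "name": "deployer"}},
]

@dataclass
class Identity:
    """What authentication hands to the authorizer: a username and its groups."""
    username: str
    groups: list

def service_account(namespace, name):
    """Identity of a ServiceAccount token; this username is also the value
    to pass to `kubectl auth can-i ... --as`."""
    return Identity(f"system:serviceaccount:{namespace}:{name}",
                    ["system:serviceaccounts", f"system:serviceaccounts:{namespace}",
                     "system:authenticated"])

def cert_user(subject):
    """Identity of an X.509 client certificate: CN is the username, every O is a group."""
    fields = [part.split("=", 1) for part in subject.strip("/").split("/") if part]
    username = next(value for key, value in fields if key == "CN")
    groups = [value for key, value in fields if key == "O"] + ["system:authenticated"]
    return Identity(username, groups)

def _subject_matches(subject, ident):
    if subject["kind"] == "User":
        return ident.username == subject["name"]
    if subject["kind"] == "Group":
        return subject["name"] in ident.groups
    if subject["kind"] == "ServiceAccount":
        return ident.username == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False

def _lookup_role(ref, binding_namespace):
    for role in ROLES:
        if role["kind"] != ref["kind"] or role["metadata"]["name"] != ref["name"]:
            continue
        # a Role can only be granted by a RoleBinding in the same namespace
        if role["kind"] == "Role" and role["metadata"]["namespace"] != binding_namespace:
            continue
        return role
    return None

def _rule_allows(rule, verb, resource, api_group):
    def hit(values, wanted):
        return "*" in values or wanted in values
    return hit(rule["apiGroups"], api_group) and hit(rule["resources"], resource) and hit(rule["verbs"], verb)

def can_i(ident, verb, resource, namespace=None, api_group=""):
    """RBAC is allow-only: the request is permitted if any binding for this
    identity reaches a rule that covers it, otherwise it is denied."""
    for binding in BINDINGS:
        if not any(_subject_matches(s, ident) for s in binding["subjects"]):
            continue
        binding_namespace = binding["metadata"].get("namespace")
        # a RoleBinding grants only in its own namespace, even when it references a ClusterRole
        if binding["kind"] == "RoleBinding" and namespace != binding_namespace:
            continue
        role = _lookup_role(binding["roleRef"], binding_namespace)
        if role and any(_rule_allows(r, verb, resource, api_group) for r in role["rules"]):
            return True
    return False

if __name__ == "__main__":
    sa, dev = service_account("production", "app-sa"), cert_user("/CN=developer/O=dev-team")
    for ident, verb, res, ns, group in [
        (sa, "list", "pods", "production", ""), (sa, "list", "pods", "development", ""),
        (sa, "get", "nodes", None, ""), (sa, "create", "deployments", "production", "apps"),
        (dev, "create", "deployments", "development", "apps"), (dev, "get", "nodes", None, ""),
    ]:
        answer = "yes" if can_i(ident, verb, res, ns, group) else "no"
        print(f"{ident.username:42} {verb:7}{res:12} ns={str(ns):12} -> {answer}")
```

Running it shows the scoping rules in one table: `app-sa` can list pods in production but not in development (the RoleBinding is namespaced), can get nodes anywhere (ClusterRoleBinding), and cannot create deployments (no rule grants it); the certificate user reaches the `deployer` Role only through the `dev-team` group taken from the O field of the CSR subject.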

Audit Policy

# /etc/kubernetes/audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
# Secret and ConfigMap contents never reach the log: only metadata is recorded
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets", "configmaps"]
# First match wins, so this rule covers writes to everything else
- level: RequestResponse
  verbs: ["create", "update", "delete"]
# Requests matching no rule (e.g. list pods) are not logged at all;
# end with a plain "- level: Metadata" rule if every request should be recorded

Enable Audit in the API Server

# In kube-apiserver.yaml (the policy file and log directory must also be
# mounted into the static pod as hostPath volumes)
--audit-policy-file=/etc/kubernetes/audit-policy.yaml
--audit-log-path=/var/log/kubernetes/audit.log
--audit-log-maxage=30
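The policy above evaluated the way the API server evaluates it (first matching rule sets the level, no match means no event), followed by a small detector over the resulting audit log. This is an added example, not Kubernetes code; the policy rules are the ones from the audit-policy.yaml above, and the audit events are constructed for this example in the `audit.k8s.io/v1` Event shape reduced to the fields the detector reads.

```python
"""Audit policy first-match evaluation and a small detector over audit events.
Added example: not Kubernetes code. The policy rules are the ones from the
audit-policy.yaml above; the log lines are constructed for this example."""
import json

POLICY_RULES = [
    {"level": "Metadata", "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
    {"level": "RequestResponse", "verbs": ["create", "update", "delete"]},
]

def audit_level(verb, group, resource, rules=POLICY_RULES):
    """Level of the first matching rule, or None when nothing matches: the API
    server then writes no event at all for that request (there is no implicit
    catch-all), which is why a policy usually ends with a plain Metadata rule."""
    for rule in rules:
        if "verbs" in rule and verb not in rule["verbs"]:
            continue
        if "resources" in rule and not any(
                r.get("group", "") == group and (not r.get("resources") or resource in r["resources"])
                for r in rule["resources"]):
            continue
        return rule["level"]
    return None

def _event(audit_id, verb, username, resource, namespace, name, code, api_group=""):
    """One audit.k8s.io/v1 Event as the API server writes it (reduced to the
    fields used here); constructed sample data."""
    ref = {"resource": resource, "name": name, "apiVersion": "v1"}
    if namespace:
        ref["namespace"] = namespace
    if api_group:
        ref["apiGroup"] = api_group
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
                       "auditID": audit_id, "stage": "ResponseComplete", "verb": verb,
                       "user": {"username": username}, "objectRef": ref,
                       "responseStatus": {"code": code}})

# constructed log: one JSON event per line, as --audit-log-path receives them
SAMPLE_LOG = "\n".join([
    _event("a1", "get", "system:serviceaccount:production:app-sa", "secrets", "production", "db-creds", 200),
    _event("a2", "create", "developer", "clusterrolebindings", None, "dev-admin", 201,
           api_group="rbac.authorization.k8s.io"),
    _event("a3", "get", "developer", "secrets", "production", "db-creds", 403),
    _event("a4", "list", "developer", "pods", "development", "", 200),
])

RBAC_GROUP = "rbac.authorization.k8s.io"
MUTATING = {"create", "update", "patch", "delete"}

def findings(log_text):
    """Parse JSON-lines audit output and return (tag, username, detail) tuples
    for events worth a look: RBAC objects being changed, secrets read by
    human users, and forbidden (403) requests, i.e. a subject acting beyond
    what its bindings allow (a misconfiguration or something to investigate)."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        user = ev["user"]["username"]
        target = f"{ref.get('resource')}/{ref.get('name') or '*'} in {ref.get('namespace') or 'cluster'}"
        if ref.get("apiGroup") == RBAC_GROUP and ev["verb"] in MUTATING:
            out.append(("rbac-change", user, f"{ev['verb']} {target}"))
        if ref.get("resource") == "secrets" and not user.startswith("system:"):
            out.append(("secret-access-by-user", user, f"{ev['verb']} {target}"))
        if ev.get("responseStatus", {}).get("code") == 403:
            out.append(("forbidden", user, f"{ev['verb']} {target}"))
    return out

if __name__ == "__main__":
    for verb, group, res in [("get", "", "secrets"), ("create", "apps", "deployments"), ("list", "", "pods")]:
        print(f"{verb:7}{group or 'core':6}{res:13}-> {audit_level(verb, group, res) or 'not logged'}")
    for tag, user, detail in findings(SAMPLE_LOG):
        print(f"[{tag}] {user}: {detail}")
```

Two things the output makes visible: with this policy `list pods` produces no event at all, and because the Secret rule comes first, even `create secrets` is logged at Metadata only (which is the intent, since RequestResponse would put the secret data in the log).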

List Roles and Bindings

kubectl get roles,rolebindings -n production
kubectl get clusterroles,clusterrolebindings
kubectl describe role pod-reader -n production