RBAC minimal privilege principle
The RBAC minimal privilege principle is a security best practice for Kubernetes Dashboard deployments. It dictates that Role-Based Access Control (RBAC) should be configured to grant the Dashboard only the specific permissions it strictly requires to function, rather than broad or unnecessary access.^[400-devops-06-kubernetes-devops-helm-terraform-helm-helm-readme.md]
Applying this principle is critical for the security of the Kubernetes cluster.^[400-devops-06-kubernetes-devops-helm-terraform-helm-helm-readme.md]
Implementation
To implement minimal privilege, it is highly recommended to explicitly define and limit the Dashboard's permissions rather than using default configurations that might be overly permissive.^[400-devops-06-kubernetes-devops-helm-terraform-helm-helm-readme.md]
For example, in the Helm chart configuration, the clusterReadOnlyRole parameter can be enabled to create an additional ClusterRole with read-only permissions on specific resources, instead of granting full administrative access.^[400-devops-06-kubernetes-devops-helm-terraform-helm-helm-readme.md]
Conversely, configurations that violate this principle by being too permissive have been removed or deprecated. Parameters such as clusterAdminRole, which previously granted excessive privileges, are considered dangerous and have been stripped from updated configurations to enforce tighter security.^[400-devops-06-kubernetes-devops-helm-terraform-helm-helm-readme.md]
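To make the difference between the two settings concrete, the following added example (not code from the Dashboard chart or its README) audits ClusterRole rules against a read-only baseline. Both manifests are constructed samples: the read-only role models what the clusterReadOnlyRole option creates (its resource list is an assumption), and the admin-like role models the wildcard grant that clusterAdminRole implied.

```python
"""Least-privilege audit of ClusterRole rules (added illustration, not the
Dashboard chart's code); both manifests below are constructed samples."""

READ_VERBS = {"get", "list", "watch"}

# Constructed: read-only role limited to named resources, modelling what the
# clusterReadOnlyRole option creates (the exact resource list is an assumption).
READ_ONLY = {
    "kind": "ClusterRole",
    "metadata": {"name": "dashboard-read-only"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "services", "configmaps"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed: the cluster-admin style grant that clusterAdminRole implied.
ADMIN_LIKE = {
    "kind": "ClusterRole",
    "metadata": {"name": "dashboard-admin"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}


def find_excess(role):
    """Return findings for rules exceeding read-only access: wildcard
    groups/resources, write verbs, or any access to secrets."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        where = f"{role['metadata']['name']} rule[{i}]"
        if "*" in groups or "*" in resources:
            findings.append(f"{where}: wildcard apiGroups/resources")
        extra = sorted(verbs - READ_VERBS)
        if extra:
            findings.append(f"{where}: write verbs {extra}")
        if "secrets" in resources and verbs:
            findings.append(f"{where}: grants access to secrets")
    return findings


if __name__ == "__main__":
    for role in (READ_ONLY, ADMIN_LIKE):
        print(role["metadata"]["name"], find_excess(role) or "ok")
```

The same check can be run over `kubectl get clusterrole <name> -o json` output after the chart is installed, to confirm the rendered role matches the intended read-only scope.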
Related Concepts
- Kubernetes
- Helm
- [[Security]]
Sources
- 400-devops-06-kubernetes-devops-helm-terraform-helm-helm-readme.md