Easy multi-cluster RBAC with Kubernetes

The presentation focuses on the challenges of implementing consistent access policies across multiple Kubernetes clusters in a typical enterprise environment. Starting with an introduction to the basic concepts of Kubernetes RBAC and having highlighted the limitations of file-based policy management at scale, it will present the concept of central authentication and policy management provided by the open source Kubernetes management platform Rancher.

Role-based access control (RBAC) is the central mechanism in Kubernetes that provides administrators with control over the operations each user or group can perform in the cluster based on their role in an organization. Ensuring that RBAC is properly configured is therefore critical to securing Kubernetes clusters in production. While maintaining RBAC policies manually is feasible for a single cluster with just a handful of users it becomes a maintenance nightmare at scale where organizational policies must consistently be applied and updated across multiple clusters and groups of users. As the number of users and clusters grows, manual RBAC management is susceptible to misconfiguration and inconsistency, leaving clusters vulnerable to unauthorized access or privilege escalation.

The presentation starts by walking the audience through the basic concepts of Kubernetes RBAC. Using the example of some common use cases we then discuss the drawbacks of manually managing RBAC (which usually involves trying to keep clusters in sync with YAML definitions maintained under source control). Finally, using the example of Rancher, we will demonstrate how to escape the hell of YAML sprawl by employing a concept of central role management that provides automated, consistent propagation of policies across multiple clusters. We conclude the presentation by showing how to facilitate the on-/offboarding of users in Kubernetes by tieing in RBAC into an external identity provider and relying on externally managed groups to associate users with roles.