• Kubelets request credentials via CSR API for initial bootstrap and renewal
• Approval of CSRs can be controlled through RBAC (1.7)
• Credentials and identity are unique to each node
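The RBAC side of kubelet TLS bootstrapping, as an added example that is not part of the original slides. The three ClusterRoles referenced (system:node-bootstrapper and the two certificatesigningrequests roles) and the groups system:bootstrappers and system:nodes are Kubernetes defaults; the binding names are constructed. The csrapproving controller in kube-controller-manager approves a node client CSR only when the requesting identity is authorized for the nodeclient (first cert) or selfnodeclient (renewal) subresource, so removing the second or third binding is how an administrator forces manual approval with kubectl certificate approve. On 1.7 the RBAC API version is rbac.authorization.k8s.io/v1beta1.

```yaml
# Allow bootstrap-token identities (group system:bootstrappers) to submit a CSR.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubelet-bootstrap-create-csr   # constructed name
subjects:
- kind: Group
  name: system:bootstrappers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:node-bootstrapper
  apiGroup: rbac.authorization.k8s.io
---
# Let the controller-manager auto-approve the initial client certificate for
# bootstrap identities. Omit this binding to require a human to approve each node.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubelet-bootstrap-auto-approve   # constructed name
subjects:
- kind: Group
  name: system:bootstrappers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
  apiGroup: rbac.authorization.k8s.io
---
# Let an already-authenticated node (group system:nodes, username
# system:node:<nodeName>) renew only its own client certificate.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubelet-renew-auto-approve   # constructed name
subjects:
- kind: Group
  name: system:nodes
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
  apiGroup: rbac.authorization.k8s.io
```

A bootstrap token authenticates as the group system:bootstrappers (plus any auth-extra-groups set on the token), which is why the group rather than an individual user is bound; the resulting certificate carries the per-node identity system:node:<nodeName>, which is what makes credentials unique per node.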
can only access resources required to run pods scheduled to them
  ◦ Can no longer request arbitrary secrets
• Requires unique credentials for nodes (pairs well with TLS bootstrapping)
• Use in combination with RBAC
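Enabling the Node authorizer together with the NodeRestriction admission plugin on the API server, shown as an added example in the form of a kube-apiserver static pod manifest fragment (constructed; the image tag is a placeholder and the rest of the pod spec is omitted). Node is listed before RBAC so that requests from identities in group system:nodes are decided by the node authorizer first; the admission plugin additionally stops a kubelet from modifying any Node or Pod object other than its own.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-apiserver
    image: kube-apiserver:v1.9.0   # placeholder image reference
    command:
    - kube-apiserver
    # Node authorizer first: a kubelet authenticated as system:node:<name> in group
    # system:nodes only gets the secrets, configmaps, PVs and PVCs referenced by pods
    # bound to that node; everything else falls through to RBAC.
    - --authorization-mode=Node,RBAC
    # NodeRestriction limits which Node and Pod objects a kubelet may write.
    # On 1.10+ this flag is spelled --enable-admission-plugins.
    - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,NodeRestriction,ResourceQuota
    # ... remaining kube-apiserver flags (etcd, TLS, service account keys) omitted
```

The authorizer only helps if every kubelet has its own credential: a shared client certificate whose subject is not of the form system:node:<nodeName> is not recognised as a node and cannot be scoped, which is why the slide pairs this feature with TLS bootstrapping. Do not bind the default system:node ClusterRole to the whole system:nodes group, since that grants every kubelet the broad access the Node authorizer is meant to remove.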
of pods that can be created in a namespace
• Administered through RBAC (or external authorizer)
• Can prevent a user from creating pods that:
  ◦ mount arbitrary volumes
  ◦ run in the host network
  ◦ use privileged containers
  ◦ run processes as root
  ◦ etc.
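A PodSecurityPolicy that blocks each of the four listed behaviours, with the RBAC objects that grant it to one namespace, as an added example not taken from the slides. The policy, role and binding names, the namespace and the user are constructed. The PodSecurityPolicy admission plugin must be enabled on the API server, and a pod is admitted only if its creator (or the pod's service account) is authorized for the "use" verb on some policy that allows the pod.

```yaml
# On 1.7 the policy lives in extensions/v1beta1; policy/v1beta1 exists from 1.8.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-example   # constructed name
spec:
  privileged: false                 # no privileged containers
  allowPrivilegeEscalation: false   # 1.8+: blocks setuid binaries gaining privileges
  hostNetwork: false                # no host network namespace
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: MustRunAsNonRoot          # rejects UID 0 (or images that resolve to it)
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  # Allow-list of volume types; hostPath is deliberately absent.
  volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
---
# Permission to "use" this one policy. (apiGroup is "extensions" on 1.7.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-example-user   # constructed name
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["restricted-example"]
  verbs: ["use"]
---
# Grant it within a single namespace so the same user is still bound by
# whatever policies exist (or do not) elsewhere.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-example-team   # constructed name
  namespace: team-a                   # constructed namespace
subjects:
- kind: User
  name: alice                         # constructed user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: psp-restricted-example-user
  apiGroup: rbac.authorization.k8s.io
```

Because the check is an RBAC "use" authorization, an external authorizer can make the same decision; and because pods created by controllers are admitted under the controller's or the service account's identity, the binding above should also cover the namespace's service accounts if workloads are deployed through Deployments rather than created directly.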
  ◦ Policy to control what events get audited and at what level (headers, request body, etc.)
  ◦ JSON formatted audit logs
  ◦ Webhook mode to aggregate audit events across multiple API servers
• Tooling can consume/act on the new audit format:
  ◦ https://github.com/liggitt/audit2rbac
  ◦ ...
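An audit policy in the format the slide refers to, added here as an example (not from the slides); the rule choices are the author's own. The policy is evaluated top to bottom and the first matching rule sets the level: None drops the event, Metadata records who/what/when, Request adds the request body, and RequestResponse adds the response body as well. Secrets are deliberately capped at Metadata so their contents never land in the log.

```yaml
# Passed to kube-apiserver as --audit-policy-file=<path>. Output goes to
# --audit-log-path=<file> with --audit-log-format=json, and/or to an
# external collector via --audit-webhook-config-file=<kubeconfig>.
# audit.k8s.io/v1beta1 is the 1.8/1.9 version; audit.k8s.io/v1 from 1.12.
apiVersion: audit.k8s.io/v1beta1
kind: Policy
# Skip the RequestReceived stage to avoid emitting two events per request.
omitStages:
- RequestReceived
rules:
# Drop the high-volume, low-value watches made by kube-proxy.
- level: None
  users: ["system:kube-proxy"]
  verbs: ["watch"]
  resources:
  - group: ""
    resources: ["endpoints", "services"]
# Never record the body of a secret or configmap, only that it was accessed.
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets", "configmaps"]
# Full request and response for anything that changes who can do what.
- level: RequestResponse
  resources:
  - group: "rbac.authorization.k8s.io"
    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
# Request bodies for all other writes.
- level: Request
  verbs: ["create", "update", "patch", "delete"]
# Everything else (reads, non-resource URLs) at Metadata.
- level: Metadata
```

With JSON output every event carries the authenticated user, verb, object reference and the authorization decision, which is exactly what audit2rbac consumes to derive the minimal Role a workload actually needed; webhook mode lets several API servers in an HA control plane forward to the same collector so those events are seen together.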
Easily contribute custom permissions to default “user-facing” roles
• External authorizer short-circuit deny (1.9+)
  ◦ External authorizers can now override RBAC
• SelfSubjectRulesReview (1.8+)
  ◦ Authorizer API for determining what the current user can do
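Two of the items above in working form, added as an example that is not part of the slides. The first object uses ClusterRole aggregation (1.9+): the aggregate-to-edit label causes the controller-manager to merge these rules into the default edit ClusterRole (and, because admin aggregates edit, into admin too), so a CRD can be made editable by every namespace editor without touching the built-in roles. The API group example.com and resource widgets are hypothetical. The second object is a SelfSubjectRulesReview (1.8+); submitting it returns, in .status, the resource and non-resource rules the authorizer chain grants the calling user in that namespace.

```yaml
# Contributed rules: picked up by the aggregation controller via the label.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aggregate-widgets-edit   # constructed name
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups: ["example.com"]     # hypothetical CRD group
  resources: ["widgets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Ask "what can I do in namespace default?"; run with
#   kubectl create -f this.yaml -o yaml
# and read status.resourceRules / status.nonResourceRules.
apiVersion: authorization.k8s.io/v1
kind: SelfSubjectRulesReview
spec:
  namespace: default
```

Check status.incomplete on the response: an authorizer that cannot enumerate its rules (a webhook authorizer typically cannot) sets it to true and the list is then only a lower bound on what the user is allowed to do.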
account credential improvements
• Goal is to allow moving service account tokens out of Secret API objects
• Point of use creation, attenuated by node/pod, with bounded lifetime
for containers than service accounts
  ◦ Differentiate between pods running on different nodes
  ◦ Scoped identities that only work for target services
• Improved container identities enable external secret management
• Focus on mechanisms for delivering credentials/identity directly to pods
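The two preceding sections describe a goal; the mechanism Kubernetes later shipped for it is the TokenRequest API with the projected serviceAccountToken volume (beta in 1.12), shown here as an added example rather than anything from the slides. The pod, service account, image and audience names are constructed. The token is minted by the API server when the kubelet starts the pod (point of use), is bound to that specific pod and invalidated when the pod is deleted, expires after the requested lifetime (the kubelet refreshes it before then), and carries an aud claim, so a token issued for the "vault" audience is useless against the API server or any other service.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: vault-client   # constructed name
spec:
  serviceAccountName: app        # hypothetical service account
  # Do not also mount the legacy, never-expiring Secret-backed token.
  automountServiceAccountToken: false
  containers:
  - name: app
    image: example.com/app:1.0   # placeholder image
    volumeMounts:
    - name: scoped-token
      mountPath: /var/run/secrets/tokens
      readOnly: true
  volumes:
  - name: scoped-token
    projected:
      sources:
      - serviceAccountToken:
          audience: vault          # only a verifier expecting aud=vault accepts it
          expirationSeconds: 600   # bounded lifetime; rotated by the kubelet
          path: vault-token        # file becomes /var/run/secrets/tokens/vault-token
```

The API server must be started with a token issuer and signing key (--service-account-issuer and --service-account-signing-key-file) and must list any audiences it should accept itself; an external secret manager such as the hypothetical "vault" service verifies the token's signature against the cluster's keys (or via the TokenReview API) and can then hand out application secrets to exactly that pod, which is the "external secret management" the slide anticipates.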