Kubernetes v1.36: Mastering Fine-Grained Kubelet API Authorization
Fine-Grained Kubelet API Authorization exists to address the security risks associated with overly broad access to the kubelet's API. By enabling more precise access control, it helps you implement the principle of least privilege, which is crucial in production environments where security is paramount.
With KubeletFineGrainedAuthz, the kubelet performs an additional authorization check before defaulting to the broad nodes/proxy subresource. This means that several commonly used kubelet API paths are now mapped to their own dedicated subresources, such as /metrics/* for metrics and /stats/* for stats. When a request is made, the kubelet first sends a SubjectAccessReview for the specific subresource. If the check passes, the request is authorized; if it fails, it falls back to the coarse-grained nodes/proxy subresource for compatibility.
In practice, this means you should adjust your RBAC configurations to take advantage of this fine-grained control. Instead of granting broad permissions like nodes/proxy, you can specify permissions for individual resources like nodes/metrics and nodes/stats. This not only enhances security but also aligns with best practices in Kubernetes access management. Remember, this feature graduated to GA in v1.36, following its introduction in v1.32 as Alpha and v1.33 as Beta, so it's stable and ready for production use.
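To make the "specific subresource first, then nodes/proxy" sequence concrete, here is an added Python model of the decision the kubelet makes. It is illustrative code written for this page, not the kubelet's own implementation: it models only the two path-to-subresource mappings the post names (/metrics/* and /stats/*; the real kubelet maps further paths), stands in for the API server's RBAC evaluation with a small rule matcher, and uses constructed role rules and request paths. It also shows why the feature gate matters: with the gate off, a role holding only nodes/metrics grants nothing, because the kubelet then checks nodes/proxy alone.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Paths named on the page as having dedicated subresources (simplified model;
# the real kubelet maps more paths than these two).
FINE_GRAINED_PATHS = {"/metrics": "metrics", "/stats": "stats"}
COARSE_SUBRESOURCE = "proxy"
# HTTP method -> API verb used in the SubjectAccessReview.
HTTP_METHOD_TO_VERB = {"GET": "get", "POST": "create", "PUT": "update",
                       "PATCH": "patch", "DELETE": "delete"}


@dataclass(frozen=True)
class Rule:
    """One RBAC rule: resource/subresource strings plus verbs."""
    resources: FrozenSet[str]
    verbs: FrozenSet[str]


def rule(resources, verbs=("get",)) -> Rule:
    return Rule(frozenset(resources), frozenset(verbs))


@dataclass(frozen=True)
class SubjectAccessReview:
    """The attributes the kubelet asks the API server to authorize."""
    user: str
    verb: str
    resource: str
    subresource: str
    name: str  # node name


def rbac_allows(rules: List[Rule], sar: SubjectAccessReview) -> bool:
    """Stand-in for the API server's RBAC decision on a SubjectAccessReview."""
    wanted = f"{sar.resource}/{sar.subresource}"
    for r in rules:
        verb_ok = "*" in r.verbs or sar.verb in r.verbs
        res_ok = "*" in r.resources or wanted in r.resources
        if verb_ok and res_ok:
            return True
    return False


def subresource_for_path(path: str) -> Optional[str]:
    """Map a kubelet API path to its dedicated subresource, if it has one."""
    for prefix, sub in FINE_GRAINED_PATHS.items():
        if path == prefix or path.startswith(prefix + "/"):
            return sub
    return None


def kubelet_authorize(rules: List[Rule], user: str, node: str, method: str,
                      path: str, fine_grained: bool = True) -> Optional[str]:
    """Return the subresource that granted the request, or None if denied.

    With fine_grained=True the kubelet first sends a SubjectAccessReview for
    the path's dedicated subresource and only falls back to nodes/proxy when
    that check fails. With the gate off, only nodes/proxy is checked.
    """
    verb = HTTP_METHOD_TO_VERB.get(method)
    if verb is None:
        return None
    candidates = []
    specific = subresource_for_path(path) if fine_grained else None
    if specific:
        candidates.append(specific)
    candidates.append(COARSE_SUBRESOURCE)
    for sub in candidates:
        sar = SubjectAccessReview(user=user, verb=verb, resource="nodes",
                                  subresource=sub, name=node)
        if rbac_allows(rules, sar):
            return sub
    return None


# Constructed roles mirroring the page's two ClusterRoles.
BROAD_ROLE = [rule({"nodes/proxy"})]
LEAST_PRIVILEGE_ROLE = [rule({"nodes/metrics", "nodes/stats"})]
AGENT = "system:serviceaccount:monitoring:monitoring-agent"  # constructed


def demo() -> dict:
    """Outcomes for a few constructed requests against both roles."""
    cases = [("GET", "/metrics/cadvisor"), ("GET", "/stats/summary"),
             ("GET", "/pods"), ("POST", "/exec/default/web/app")]
    return {
        "broad": {p: kubelet_authorize(BROAD_ROLE, AGENT, "node-1", m, p)
                  for m, p in cases},
        "least": {p: kubelet_authorize(LEAST_PRIVILEGE_ROLE, AGENT, "node-1", m, p)
                  for m, p in cases},
    }


if __name__ == "__main__":
    for role, results in demo().items():
        for path, granted_by in results.items():
            print(f"{role:5} {path:25} -> {granted_by or 'DENIED'}")
```

Running the block prints that the broad role reaches every path (always via proxy), while the least-privilege role reaches only /metrics/* and /stats/* and is denied /pods and the exec POST.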
Key takeaways
- Implement least-privilege access by granting specific subresources such as nodes/metrics and nodes/stats instead of nodes/proxy.
- The kubelet sends a SubjectAccessReview for the specific subresource first and only falls back to the broader nodes/proxy check if that request is denied.
- Migrate existing RBAC rules from the broad nodes/proxy permission to the narrower subresources to reduce what a compromised credential can reach.
Why it matters
This feature significantly reduces the risk of unauthorized access to sensitive kubelet API endpoints, which is critical for maintaining a secure Kubernetes environment in production.
Code examples
```yaml
# Old approach: overly broad
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring-agent
rules:
- apiGroups:
  - ""
  resources:
  - nodes/proxy
  verbs:
  - get
```

```yaml
# New approach: least privilege
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring-agent
rules:
- apiGroups:
  - ""
  resources:
  - nodes/metrics
  - nodes/stats
  verbs:
  - get
```

```bash
# Get the token (run from inside a pod using the monitoring-agent service account)
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
# NODE_IP must be set to the address of the node whose kubelet you are querying.
# Query the kubelet metrics and filter for the feature gate
# (-k skips TLS verification; use --cacert with the cluster CA where possible)
curl -sk \
  --header "Authorization: Bearer $TOKEN" \
  https://$NODE_IP:10250/metrics \
  | grep kubernetes_feature_enabled \
  | grep KubeletFineGrainedAuthz
```

When NOT to use this
The official docs don't call out specific anti-patterns here. Use your judgment based on your scale and requirements.