Uptycs is announcing new capabilities that simplify, monitor, and secure role-based access control (RBAC) for Kubernetes deployments today at Kubecon EU. Uptycs seamlessly plugs into your Kubernetes control plane to capture and normalize real-time data for threat hunting, vulnerability management, compliance enforcement, asset inventory, and now RBAC telemetry as well.
Uptycs’ RBAC security solution for Kubernetes brings clarity and risk analysis to the ever-growing mesh of users and roles at the foundation of your container deployments. Visualize relationships with the RBAC relationship graph, home in on overly privileged user or service accounts with out of the box analysis (e.g., users with exec privileges or access to shared secrets), and investigate configurations to ensure the right users have the right access.
Join Uptycs’ Sudarsan Kannan (director of product management) and Siban Mishra (senior product manager) on our Uptycs Live webinar covering RBAC security for Kubernetes.
Resolving Relationships for Kubernetes
The k8s control plane is the orchestrator for your running clusters, nodes, and containers. If a threat actor compromises your control plane or a privileged account, they can steal secrets, create privileged pods, hop around your infrastructure, and worse.
Kubernetes can be an intimidating layer of API calls supporting your infrastructure. Thankfully, among those objects exist well-supported calls for RBAC policy implementation and control. While k8s makes it easy to apply RBAC policies to users, the quality-of-life features stop once roles are applied. As environments scale up, k8s container deployments become a web of access roles layered on top of users, making it extremely difficult to parse who truly has access to what. This creates risky configurations in which users have overprivileged access to delete resources, exec into pods, or read shared secrets.
This is problematic. At runtime, teams struggle to gain visibility into the real-time relationship of users to roles and what those roles are actually able to access.
Fig. 1 – Kubernetes Access Control dashboard shows associated privileges for all users and resources within a single cluster
Figure 1 shows the starting state of interconnected clusters, namespaces, as well as both human and service accounts during runtime. For a relatively small demo deployment, you can see just how complicated it becomes to make sense of identities and relationships.
Next we walk through two use cases to understand these relationships and gain easy-to-digest visibility.
Spot the Needle - Parsing k8s RBAC Relationships
Visibility Into User & Role Relationships
Key issue - Security administrators need complete visibility into the actions a user, group, or service account can perform on runtime k8s resources.
Challenge - Access management and RBAC often require a highly manual workflow to initiate access, monitor permission creep, and hunt for overprivileged accounts. Dynamic layering of users and roles makes it difficult to see the forest for the trees and zero in on specific roles or users.
Solution - Uptycs correlates relationships, making it easy to see which user accounts have access to a specific pod or set of clusters. Visualize this using the RBAC relationship graph, mapping specific container resources to cluster admin roles, service accounts, and user actions.
Fig. 2 – The k8s Access Control dashboard provides full visibility into specific user accounts [here the node-controller] and which resources they’re accessing
Risk Hunting Across Runtime Roles
Key issue - Security admins need to easily discover RBAC risks across their Kubernetes deployment. Left unaddressed, these risks might allow attackers to gain privileges and perform nefarious activities.
Challenge - Parsing who has access to what becomes increasingly difficult as operations scale up. Manually hunting for potential risky users, roles, and resources is impractical. Security teams need a solution that provides clear direction on accounts having all privileges for specific nodes, access to secrets, or kubectl exec privileges.
Solution - Uptycs offers mapping of risky configurations out of the box. Correlating these findings makes it easy to quickly understand what’s going on and act. Within a few seconds you can find and investigate:
- Subjects having privileges on all resources
- Subjects having all privileges on a single resource
- Who can exec into pods
- Who can access secrets
- Who can delete k8s events
Fig. 3 – The k8s Access Control Dashboard IDs risky configurations and reveals which users have access to shared secrets
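To show what the five risk checks above amount to in RBAC terms, here is an added example (not Uptycs code, and not connected to any cluster) that audits a constructed set of roles and bindings for each pattern. Rules are reduced to resources and verbs, and apiGroups, resourceNames, and namespace scoping are ignored as a simplifying assumption; the role and subject names are invented for illustration.

```python
# Constructed RBAC data: role name -> list of rules, plus bindings of roles to subjects.
ROLES = {
    "cluster-admin":   [{"resources": ["*"], "verbs": ["*"]}],
    "pod-exec":        [{"resources": ["pods/exec"], "verbs": ["create"]}],
    "secret-reader":   [{"resources": ["secrets"], "verbs": ["get", "list"]}],
    "event-janitor":   [{"resources": ["events"], "verbs": ["delete"]}],
    "configmap-owner": [{"resources": ["configmaps"], "verbs": ["*"]}],
}
BINDINGS = [
    {"roleRef": "cluster-admin",   "subjects": ["User:alice"]},
    {"roleRef": "pod-exec",        "subjects": ["ServiceAccount:ci/deployer"]},
    {"roleRef": "secret-reader",   "subjects": ["Group:devs", "ServiceAccount:ci/deployer"]},
    {"roleRef": "event-janitor",   "subjects": ["ServiceAccount:kube-system/cleaner"]},
    {"roleRef": "configmap-owner", "subjects": ["User:bob"]},
]


def allows(rule, resource, verb):
    """True if the rule grants `verb` on `resource`, honouring the '*' wildcard."""
    return (resource in rule["resources"] or "*" in rule["resources"]) and \
           (verb in rule["verbs"] or "*" in rule["verbs"])


# One predicate per risk pattern from the list above.
CHECKS = {
    "all_resources": lambda r: "*" in r["resources"],
    "all_verbs_on_one_resource": lambda r: "*" in r["verbs"] and "*" not in r["resources"],
    "pod_exec": lambda r: allows(r, "pods/exec", "create"),
    "read_secrets": lambda r: any(allows(r, "secrets", v) for v in ("get", "list", "watch")),
    "delete_events": lambda r: any(allows(r, "events", v) for v in ("delete", "deletecollection")),
}


def audit(roles, bindings):
    """Map each risk pattern to the sorted list of subjects whose bound roles match it."""
    findings = {name: set() for name in CHECKS}
    for binding in bindings:
        for rule in roles.get(binding["roleRef"], []):
            for name, check in CHECKS.items():
                if check(rule):
                    findings[name].update(binding["subjects"])
    return {name: sorted(subjects) for name, subjects in findings.items()}


if __name__ == "__main__":
    for pattern, subjects in audit(ROLES, BINDINGS).items():
        print(f"{pattern}: {subjects}")
```

Note that a wildcard role such as cluster-admin surfaces under every check, which is exactly the kind of correlation that makes a single overprivileged subject easy to spot.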
Uptycs + Kubecon EU
Want to learn more about these new RBAC features and get a hands-on walkthrough?
Come see Uptycs in booth #G18 at Kubecon EU. Ask us about threat detection and how we’re supporting your developers with security across the cloud native application lifecycle.
And on April 18th, Director of Product Management Sudarsan Kannan will be joining us on Uptycs Live to share his decades of experience in identity management and the future of cloud native security. Register here for our “RBAC Security for Kubernetes: How to Keep Your Clusters Safe” webinar.