Securing Kubernetes Clusters

The Principle of Least Privilege with ArgoCD and Crossplane

Katharina Sick, Senior Software Engineer at Dynatrace

Securing Kubernetes Clusters

The Principle of Least Privilege with ArgoCD and Crossplane

Katharina Sick, Senior Software Engineer at Dynatrace

💻📊🚨

OWASP Kubernetes Top 10

Insecure Workload Configurations
Supply Chain Vulnerabilities
Overly Permissive RBAC Configurations
Lack of Centralized Policy Enforcement
Inadequate Logging and Monitoring
Broken Authentication Mechanisms
Missing Network Segmentation Controls
Secrets Management Failures
Misconfigured Cluster Components
Outdated and Vulnerable Kubernetes Components

Hello!

Katharina Sick

🚀 Senior Software Engineer at Dynatrace

🔗 ksick.dev

Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.

Jerome Saltzer, Communications of the ACM (1974)

Benefits

🔒 Better overall security

🛡️ Smaller attack surface

🚧️ Less malware propagation

🏋 Better stability

🤝 Compliance

Zero Trust

🔍 Never trust, always verify

🔐 Least privilege

⚔️ Assume breach

👩‍💻🤖

Role-Based Access Control

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

What?

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
  - kind: User
    name: alex
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Who?

At its core, RBAC is clear and logical.
In practice, it’s a maze of considerations.

Git Repository > User

Least Privilege with ArgoCD

🎯 Keep repository configuration on point

✋ Use ArgoCD projects to provide boundaries

📝 Declare policies to prevent misuse

🎮 Simplify the user interface for clear policies

🌱 Provide development environments

Least Privilege with Crossplane

💡 Least privilege not only applies to the user interface

🎼 Favor composite resources over managed resources

🗂️ Use dedicated provider configurations

Challenges

💥 Handling emergencies

👑 Golden path vs golden cage

💫 Always reiterate

🏁 Least privilege is just the start

Thank you ❤️

ksick.dev

Securing Kubernetes Clusters

Securing Kubernetes Clusters

OWASP Kubernetes Top 10

Hello!

Katharina Sick

Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.

Benefits

Zero Trust

Role-Based Access Control

What?

Who?

At its core, RBAC is clear and logical.In practice, it’s a maze of considerations.

Git Repository > User

Least Privilege with ArgoCD

Least Privilege with Crossplane

Challenges

Thank you ❤️

At its core, RBAC is clear and logical.
In practice, it’s a maze of considerations.