Add Authorization in Kubernetes Hardening Guide

[ashish493]

This is Authorization Section of Kubernetes hardening guide which has been under discussion in SIG-Security-Docs kubernetes/sig-security#30 .

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: ashish493 / name: Ashish Malik (45a9a00, 0db7cd7, e2cc6b9, 297a238, f33dd7f, 32452e0, 1ee39f9, efac9de, a98172c, 5bfe93b, 37807bd, 3b00279, 87b284d, 0cdb8f1, cae1363, b8fc1e8, 3be42b2, f95f709, c428bc9)

[k8s-ci-robot]

Welcome @ashish493!

It looks like this is your first PR to kubernetes/website 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/website has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[netlify]

✅ Pull request preview available for checking

Built without sensitive environment variables

Name	Link
🔨 Latest commit	b8fc1e8
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/65edc6ae2c8282000822813f
😎 Deploy Preview	https://deploy-preview-43623--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[aj11anuj]

Some minor suggestions from my side

[ashish493]

@aj11anuj Thanks, I've made some changes by checking with grammarly.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[divya-mohan0209]

/remove-lifecycle stale

[divya-mohan0209]

Overarching concerns here:

• Is this still being worked upon @ashish493? I see a lot of deviations from the Kubernetes style guide here & would recommend that you read through the style guide and make necessary changes.
• Can we please get a technical review from SIG Security? @kubernetes/sig-security-pr-reviews ?

cc: @savitharaghunathan {Sorry, in advance, if this doesn't fall within your remit}

[ashish493]

@divya-mohan0209 Yeah I'm currently working on the Resource Limits topic for the Hardening Guide. Thanks for the pointing out the Kubernetes style guide . I will make the changes in this doc according to it.

[divya-mohan0209]

Hello @ashish493, checking in on the updates for the PR. Is this still being worked upon?

[ashish493]

Hi @divya-mohan0209
Yeah, I've made the changes locally and will update this PR within this weekend. Sorry for the delay, was occupied in the release for my company.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign katcosgrove for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• content/en/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ashish493]

Thanks @reylejano for reviewing, I've updated the changes according to it.

@divya-mohan0209 I've also updated the content according to Kubernetes style guide.

[sftim]

Thanks @ashish493

We've got some quite good documentation already, which sets a bar for quality. I'd only be happy to merge this if you:

• remove the implication that RBAC mode is always active
• fix the snag around recommending admission controllers, rather than authz webhooks
  (it's OK to mention admission control as further reading)

and please also consider

• fix the wrapping for the Markdown source, so that lines are typically 100 characters of fewer

[sftim]

Suggested change

	### Role based access control(RBAC)
	## Role based access control (RBAC) {#hardening-rbac}

[sftim]

Suggested change

	### Resources to restrict to prevent privilege escalation
	## Resources to restrict to prevent privilege escalation {#hardening-components}

[sftim]

Make it clear that these aren't roles in the RBAC sense

[sftim]

• Put command line arguments inside backticks.

[sftim]

Ideally, reword this to be good advice whether or not the cluster in question uses Kubernetes RBAC.

[sftim]

Ideally, reword this to be good advice whether or not the cluster in question uses Kubernetes RBAC.

[sftim]

Suggested change

	### Admission controllers
	## Admission control {#hardening-admission-control}

[sftim]

This is poor advice; if you want custom authz, you should use an authorization callout: https://kubernetes.io/docs/reference/access-authn-authz/webhook/

[sftim]

Suggested change

	### Auditing RBAC policies
	## Policy review

[divya-mohan0209]

@ashish493 : Please could you advise if you're able to address the suggestions made by @sftim in this review?

[ashish493]

@divya-mohan0209 need some more time for those changes. We have sig-security-docs meeting this thursday. I will ask for some help for proceeding further. After that I will update my progress here.

[dipesh-rawat]

@ashish493 What's the plan for this PR moving forward? Does it require more refinement, is it ready for review (pending review comments), or are we at the stage where this can be closed?

[ashish493]

@dipesh-rawat Yeah, it needs a little refinement. I couldn't give much time to it because of some personal issues. I will definitely try to do it soon. If it comes to a point where I won't be able to do it, then I will definitely pass this on to sig-security-docs for further enhancement.

[divya-mohan0209]

@ashish493 Thank you for your efforts! Since there has been no progress on this PR, I'll be closing it out. In the event that you'd like to pass it on to SIG Security Docs and reopen it, please feel free to do so whenever you have the bandwidth.

/close

[k8s-ci-robot]

@divya-mohan0209: Closed this PR.

In response to this:

@ashish493 Thank you for your efforts! Since there has been no progress on this PR, I'll be closing it out. In the event that you'd like to pass it on to SIG Security Docs and reopen it, please feel free to do so whenever you have the bandwidth.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.