Profile Applicability:
Level 1
Description:
Persistent Volumes (PVs) in Kubernetes are used to provision and manage storage resources that outlast the lifecycle of individual pods. This check ensures that the ability to create Persistent Volumes is restricted and only granted to trusted administrators or service accounts, minimizing the risk of unauthorized users provisioning storage resources.
Rationale:
Allowing unauthorized users to create Persistent Volumes can lead to potential security risks, such as over-provisioning storage, misuse of resources, or the introduction of unapproved storage classes. By minimizing access to the creation of persistent volumes, you ensure better control over storage resources in the cluster and prevent unnecessary or malicious changes to the cluster's storage configuration.
Impact:
Pros:
Improves security by limiting who can provision and manage storage resources.
Helps enforce storage policies and reduce the risk of unauthorized users consuming excessive or unapproved storage resources.
Cons:
Some workloads may require the ability to create persistent volumes for dynamic provisioning or application-specific needs.
Requires careful configuration to ensure that legitimate users or applications can still create and manage persistent volumes.
Default Value:
By default, any user or service account with sufficient permissions can create Persistent Volumes and Persistent Volume Claims. This check requires restricting access through RBAC (Role-Based Access Control).
Pre-requisites:
Ensure that RBAC policies are properly configured to control access to the PersistentVolume creation API and that only trusted administrators have the necessary permissions.
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.
Under Access Control (IAM), review the Role-Based Access Control (RBAC) settings to ensure that only trusted users or service accounts have permissions to create Persistent Volumes.
Ensure that only authorized users have the "create" permission on the PersistentVolume resources.
Using Azure CLI:
PersistentVolumes are cluster-scoped, so the ability to create them can only be granted through a ClusterRoleBinding (a namespaced Role or RoleBinding cannot grant it). List every ClusterRoleBinding with the ClusterRole it references and its subjects:
kubectl get clusterrolebindings -o=jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.roleRef.name}{"\t"}{.subjects[*].name}{"\n"}{end}'
For any subject that is not a trusted administrator or storage provisioning component, confirm that it cannot create PersistentVolumes (for a service account use --as=system:serviceaccount:<namespace>:<service-account-name>):
kubectl auth can-i create persistentvolumes --as=<user-name>
Ensure that only authorized users or service accounts are bound to a ClusterRole that grants the "create" verb on persistentvolumes. Note that cluster-admin and any rule using the "*" wildcard for resources or verbs also grant this permission.
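The following script is an added example, not part of the benchmark text, showing how the audit above can be automated: it reads the JSON that `kubectl get clusterroles,clusterrolebindings -o json` produces and reports every subject bound to a ClusterRole that grants `create` on persistentvolumes, including grants via the `*` wildcard. The RBAC dump embedded in SAMPLE_RBAC is constructed for the example (the role, binding and subject names in it are made up); in practice pipe the real kubectl output into subjects_who_can_create_pvs.

```python
"""Report which subjects can create PersistentVolumes from an RBAC dump.

Added example (not part of the benchmark). Input is the JSON that
`kubectl get clusterroles,clusterrolebindings -o json` produces; the sample
below is constructed inline so the script runs offline.
"""
import json

# Constructed sample dump; names are invented for the example.
SAMPLE_RBAC = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "pv-creator"},
         "rules": [{"apiGroups": [""], "resources": ["persistentvolumes"],
                    "verbs": ["create"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "pv-viewer"},
         "rules": [{"apiGroups": [""], "resources": ["persistentvolumes"],
                    "verbs": ["get", "list"]}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "pv-creator-binding"},
         "roleRef": {"kind": "ClusterRole", "name": "pv-creator"},
         "subjects": [{"kind": "User", "name": "storage-admin@example.com"},
                      {"kind": "ServiceAccount", "name": "csi-provisioner",
                       "namespace": "kube-system"}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "pv-viewer-binding"},
         "roleRef": {"kind": "ClusterRole", "name": "pv-viewer"},
         "subjects": [{"kind": "Group", "name": "developers"}]},
    ],
})


def _matches(values, wanted):
    """True if an RBAC rule field lists the wanted value or the '*' wildcard."""
    return "*" in values or wanted in values


def rule_allows_pv_create(rule):
    """Does one RBAC rule grant the create verb on core-group persistentvolumes?"""
    return (_matches(rule.get("apiGroups", []), "")
            and _matches(rule.get("resources", []), "persistentvolumes")
            and _matches(rule.get("verbs", []), "create"))


def pv_creating_cluster_roles(items):
    """Names of ClusterRoles whose rules allow PersistentVolume creation."""
    return {
        item["metadata"]["name"]
        for item in items
        if item.get("kind") == "ClusterRole"
        and any(rule_allows_pv_create(r) for r in item.get("rules") or [])
    }


def subjects_who_can_create_pvs(rbac_json):
    """Sorted 'Kind/name (via ClusterRole)' strings for every subject that can create PVs.

    Only ClusterRoleBindings are considered: PersistentVolumes are cluster-scoped,
    so a namespaced Role/RoleBinding cannot grant their creation even if it names
    the resource.
    """
    items = json.loads(rbac_json)["items"]
    risky_roles = pv_creating_cluster_roles(items)
    found = set()
    for item in items:
        if item.get("kind") != "ClusterRoleBinding":
            continue
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky_roles:
            continue
        for subj in item.get("subjects") or []:
            ns = subj.get("namespace")  # present only for ServiceAccount subjects
            name = f"{ns}/{subj['name']}" if ns else subj["name"]
            found.add(f"{subj['kind']}/{name} (via {ref['name']})")
    return sorted(found)


if __name__ == "__main__":
    # Replace SAMPLE_RBAC with sys.stdin.read() to audit a live cluster dump.
    for line in subjects_who_can_create_pvs(SAMPLE_RBAC):
        print(line)
```

Every line of output is a subject that should be a trusted administrator or a storage provisioning component; the read-only pv-viewer binding in the sample is correctly not reported. Aggregated ClusterRoles are handled because the dump already contains the rules the aggregation controller filled in.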
Implementation Plan:
Using Azure Console:
In the Azure portal, go to Kubernetes Services and navigate to the Access Control (IAM) section.
Review and configure RBAC roles to limit access to the PersistentVolume creation API. Because PersistentVolumes are cluster-scoped, the permission must be defined in a ClusterRole (a namespaced Role naming persistentvolumes has no effect). For example, restrict create permissions on Persistent Volumes to a dedicated role held only by administrators:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pv-creator
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["create"]
Assign this role to trusted users or service accounts only. Use a ClusterRoleBinding to grant access:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pv-creator-binding
subjects:
  - kind: User
    name: <user-name>
    apiGroup: rbac.authorization.k8s.io
  # For a service account instead, use:
  # - kind: ServiceAccount
  #   name: <service-account-name>
  #   namespace: <namespace-name>
roleRef:
  kind: ClusterRole
  name: pv-creator
  apiGroup: rbac.authorization.k8s.io
Apply the ClusterRole and ClusterRoleBinding to ensure that only authorized users can create Persistent Volumes.
Using Azure CLI:
Create a ClusterRole that grants the ability to create Persistent Volumes (PersistentVolumes are cluster-scoped, so a namespaced Role cannot grant this), to be bound only to authorized users or service accounts:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pv-creator
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["create"]
Apply the ClusterRole using the following command:
kubectl apply -f pv-creator-role.yaml
Create a ClusterRoleBinding to bind this role to specific users or service accounts:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pv-creator-binding
subjects:
  - kind: User
    name: <user-name>
    apiGroup: rbac.authorization.k8s.io
  # For a service account instead, use:
  # - kind: ServiceAccount
  #   name: <service-account-name>
  #   namespace: <namespace-name>
roleRef:
  kind: ClusterRole
  name: pv-creator
  apiGroup: rbac.authorization.k8s.io
Apply the ClusterRoleBinding using:
kubectl apply -f pv-creator-binding.yaml
Backout Plan:
Using Azure Console:
If restricting PersistentVolume creation causes issues, revert the changes in the Azure portal by adjusting the RBAC role bindings or re-enabling permissions for certain users.
Using Azure CLI:
To revert the RBAC settings, delete the ClusterRole and ClusterRoleBinding (both are cluster-scoped, so no namespace is given) using the following commands:
kubectl delete clusterrole pv-creator
kubectl delete clusterrolebinding pv-creator-binding
References:
Kubernetes Persistent Volume Documentation
Azure Kubernetes Service (AKS) Role-Based Access Control (RBAC)
Kubernetes RBAC Documentation