kube-rbac-proxy - how to protect access to your app in the Kubernetes environment
Whenever you want to expose some endpoints, even only to the inside world as in Kubernetes, you think twice about the
security impact, especially when you are not using a service mesh or even a simple network policy for protection. Moreover,
even third-party applications don't care much about it, e.g. the Prometheus /metrics
endpoint. How can we deal with that?
The answer to that question came to me recently when I discovered a neat little tool called
kube-rbac-proxy. As the name says, it is a proxy that stands in front of your application
and performs RBAC authorization in Kubernetes based on, e.g., a service account token that you send in the request.
The token is checked using the Kubernetes SelfSubjectAccessReview
API, the same way kubectl auth can-i
does it.
So when your service account has a dedicated RBAC policy, kube-rbac-proxy
will verify it and let you in.
Of course, you should be aware that exposing your token just to access a single endpoint can bring some security
implications, but fortunately kube-rbac-proxy
also supports authorization based on a user TLS certificate, from which
the username or group name used in the RBAC policy is taken; more about it in
Kubernetes - RBAC users and groups. I won't go through
examples, because kube-rbac-proxy
provides
lots of them, which is nice.
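As an added example (not from the original post or the kube-rbac-proxy project), here is the sidecar pattern described above in manifest form: the proxy sits in front of an app's /metrics, needs its own permission to create TokenReview and SubjectAccessReview objects, and the caller needs `get` on the `/metrics` nonResourceURL. Namespace, names, ports and image tags are assumptions; replace the placeholder tags with pinned, reviewed versions.

```yaml
# Added example, not from the post: kube-rbac-proxy sidecar guarding /metrics.
# Namespace, names, ports and image tags are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata: {name: metrics-proxy, namespace: demo}
---
# The proxy must be allowed to ask the API server who the caller is and what it may do.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: metrics-proxy}
rules:
- {apiGroups: ["authentication.k8s.io"], resources: ["tokenreviews"], verbs: ["create"]}
- {apiGroups: ["authorization.k8s.io"], resources: ["subjectaccessreviews"], verbs: ["create"]}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: metrics-proxy}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: metrics-proxy}
subjects:
- {kind: ServiceAccount, name: metrics-proxy, namespace: demo}
---
apiVersion: apps/v1
kind: Deployment
metadata: {name: app, namespace: demo}
spec:
  selector: {matchLabels: {app: app}}
  template:
    metadata: {labels: {app: app}}
    spec:
      serviceAccountName: metrics-proxy
      containers:
      # The app must bind /metrics to 127.0.0.1:8081 only, so that the sidecar
      # (same pod network namespace) is the sole way to reach it.
      - name: app
        image: example.invalid/app:PLACEHOLDER_TAG
      - name: kube-rbac-proxy
        image: quay.io/brancz/kube-rbac-proxy:PLACEHOLDER_TAG
        args:
        - --secure-listen-address=0.0.0.0:8443
        - --upstream=http://127.0.0.1:8081/
        ports:
        - {containerPort: 8443, name: https}   # the only port a Service should expose
---
# What a caller needs: the request path is authorized as a nonResourceURL.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: metrics-reader}
rules:
- nonResourceURLs: ["/metrics"]
  verbs: ["get"]
```

After binding `metrics-reader` to the scraper's service account (assumed here to be `demo:scraper`), the same decision the proxy makes can be checked with `kubectl auth can-i get /metrics --as=system:serviceaccount:demo:scraper`.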