security kubernetes impersonation kubernetes-security

how to disable user impersonation in kubernetes?

Is there a way to disable impersonation in Kubernetes for all admin/non Admin users?

kubectl get pod --as user1

The above command should not provide answer due to security concerns. Thank you in advance.

Solution

Unless all your users are already admins they should not be able to impersonate users. As cluster-admin you can do "anything" and pre-installed roles/rb should not be edited under normal circumstances.

The necessary Role to enable impersonation is:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonator
rules:
- apiGroups: [""]
  resources: ["users", "groups", "serviceaccounts"]
  verbs: ["impersonate"]

As long as normal users don't have those permissions, they should not be allowed to perform --as.

What TargetName to use when calling InitializeSecurityContext (Negotiate)?
Spring Boot 3 + Spring Security 6 => 403 Forbidden with "requestMatchers"
Password hashing, salt and storage of hashed values
Salt Generation and open source software
Secure Memory Allocator in C++
Securing JWT tokens against attackers
How to deal with a slow SecureRandom generator?
CryptographicException: Access denied - How to give access on User store?
Implementing Custom Expression Handling with Spring Security 6
Restricting access to static files in Django/Nginx
Does RabbitMQ allow Audit Logging
Powershell Set-MpPreference -DisableRealtimeMonitoring $true not working correctly
Why are iframes considered dangerous and a security risk?
Secure Google Cloud Functions http trigger with auth
How do I get the currently loggedin Windows account from an ASP.NET page?
Error Importing SSL certificate : Not an X.509 Certificate
Full text search on encrypted data
It is necessary to send the JWT token from the browser page to the server
Is it possible to use double @ in an email address?
How to replicate the RuntimeDefault seccompProfile in Kubernetes to run in Docker?
Difference between processes running in kernel mode and running as root?
Why is it okay to transmit authentication/session cookies over plaintext?
How to handle .env.local in a next js typescript file?
How does Maven 3 password encryption work?
Do we need encrypt session id before saving it into database
Any point in using a paid threat intelligence service over Google's Lookup API for detecting malicious URLs?
How to securely update configuration for root password in yocto?
how to secure and encrypt setting.xml paswords file in maven?
How to convert a PKCS#8 encoded RSA key into PKCS#1 in Java?
Vector securely erasing its memory