تخطي إلى المحتوى الرئيسي

RBAC Security Modes

Ilum Core provides two distinct RBAC (Role-Based Access Control) security modes for Kubernetes permissions: Unrestrictedو Restricted. Understanding the security implications of each mode is crucial for implementing appropriate security controls in your environment.

Security Overview

The choice between unrestricted and restricted RBAC modes represents a fundamental security decision that affects your deployment's attack surface, compliance posture, and operational security.

Security Principles

  • Principle of Least Privilege: Restricted mode implements minimal necessary permissions
  • Defense in Depth: Multiple layers of security controls reduce overall risk
  • Namespace Isolation: Containment of potential security breaches
  • Audit Trail: Clear permission boundaries for security auditing

Security Mode Comparison

Unrestricted RBAC Mode (Default)

Security Profile: High-privilege, cluster-wide access

Risk Level: ⚠️ Higher Risk - Suitable for development and trusted environments

Characteristics:

  • Cluster-wide permissions via ClusterRole/ClusterRoleBinding
  • Broad access across all namespaces
  • Administrative capabilities for cluster resources
  • Simplified deployment and management

Restricted RBAC Mode

Security Profile: Minimal-privilege, namespace-scoped access

Risk Level: ✅ Lower Risk - Recommended for production environments

Characteristics:

  • Namespace-scoped permissions via Role/RoleBinding
  • Limited to deployment namespace only
  • Reduced administrative capabilities
  • Enhanced security posture

Detailed Security Analysis

Permission Scope Comparison

# Cluster-wide permissions
apiVersion : rbac.authorization.k8s.io/v1 
نوع : ClusterRole 
البيانات الوصفية : 
  اسم : شراره - submit- عنقود - role- { {  .Release.Namespace } } 
rules: 
# spark submit related roles
  -  apiGroups:  [  ""  ] 
    موارد :  [  "pods", "configmaps", "services", "persistentvolumeclaims" ] 
    verbs:  [  "create", "delete", "deletecollection", "get", "قائمة" , "patch", "update", "watch" ] 
# monitoring spark
  -  apiGroups:  [  ""  ] 
    موارد :  [  "pods/log" ] 
    verbs:  [  "get", "قائمة" , "watch" ] 
# managing schedules
  -  apiGroups:  [  "batch" ] 
    موارد :  [  "cronjobs" ] 
    verbs:  [  "create", "delete", "update" ] 
# cluster force deletion
  -  apiGroups:  [  "batch" ] 
    موارد :  [  "وظائف"  ] 
    verbs:  [  "create", "delete", "get" ] 
# cluster metrics
  -  apiGroups:  [  "metrics.k8s.io" ] 
    موارد :  [  "nodes",  "pods" ] 
    verbs:  [  "get", "قائمة"  ] 
# yarn spark jobs prometheus metrics
  -  apiGroups:  [  ""  ] 
    موارد :  [  "endpoints" ] 
    verbs:  [  "create", "delete", "patch", "update" ] 
  -  apiGroups:  [  "monitoring.coreos.com" ] 
    موارد :  [  "servicemonitors" ] 
    verbs:  [  "create", "delete", "get", "قائمة" , "patch", "update" ] 
# cluster namespace management
  -  apiGroups:  [  ""  ] 
    موارد :  [  "resourcequotas" ] 
    verbs:  [  "create", "delete", "get", "update" ] 
  -  apiGroups:  [  ""  ] 
    موارد :  [  "limitranges" ] 
    verbs:  [  "create", "delete", "get", "update" ] 
# cluster namespace management sensitive rules
  -  apiGroups:  [  ""  ] 
    موارد :  [  "namespaces" ] 
    verbs:  [  "create",  "get" ] 
  -  apiGroups:  [  ""  ] 
    موارد :  [  "serviceaccounts" ] 
    verbs:  [  "create" ] 
  -  apiGroups:  [  "rbac.authorization.k8s.io" ] 
    موارد :  [  "clusterrolebindings" ] 
    verbs:  [  "create",  "get",  "patch",  "update" ]

Security Implications:

  • ❌ Full cluster access
  • ❌ Cross-namespace operations
  • ❌ Administrative privileges
  • ❌ Broad attack surface

Security Risk Matrix

Security AspectUnrestricted ModeRestricted Mode
Blast Radius🔴 Entire Cluster🟢 Single Namespace
Privilege Escalation Risk🔴 High🟢 Low
Cross-Namespace Access🔴 Allowed🟢 Blocked
Compliance Readiness🟡 Moderate🟢 High
Audit Complexity🔴 Complex🟢 Simple
Multi-Tenancy Support🔴 Poor🟢 Excellent

Security Benefits of Restricted Mode

1. Principle of Least Privilege Implementation

Restricted mode grants only the minimum permissions required for Spark job execution:

# Example: Minimal pod permissions
-  apiGroups:  [ "" ] 
  موارد :  [ "pods"] 
  verbs:  [ "create",  "delete",  "get",  "قائمة" ,  "patch",  "update",  "watch"]

2. Namespace Isolation

Security Boundary: All operations are contained within the deployment namespace

# Restricted mode prevents cross-namespace access
kubectl auth can-i create pods --as=system:serviceaccount:ilum:ilum-core -n other-namespace
# Result: no

3. Reduced Attack Surface

Eliminated Capabilities:

  • Namespace creation/deletion
  • ServiceAccount management across namespaces
  • ClusterRoleBinding modifications
  • Cross-namespace resource access
  • Pod command execution (pods/exec)

4. Enhanced Audit Trail

Restricted permissions provide clearer audit boundaries:

# Audit query example
kubectl get events --field-selector involvedObject.kind=Pod,involvedObject.namespace=ilum

Restricted RBAC Guide

The restricted RBAC feature in Ilum Core provides enhanced security by implementing the principle of least privilege for Kubernetes permissions. This feature limits the service account permissions to only what's necessary for Spark job execution, making it ideal for production and security-sensitive environments.

نظره عامه

By default, Ilum Core uses cluster-wide permissions (ClusterRole/ClusterRoleBinding) that provide broad access across the entire Kubernetes cluster. The restricted RBAC mode switches to namespace-scoped permissions (Role/RoleBinding) and removes sensitive cluster-level operations, significantly reducing the security footprint.

Security Benefits

  • Principle of Least Privilege: Grants only the minimum permissions required for Spark job execution
  • Namespace Isolation: Limits permissions to the specific namespace where Ilum is deployed
  • Reduced Attack Surface: Eliminates unnecessary cluster-wide permissions
  • Production Ready: Designed for security-conscious production environments
  • Compliance Friendly: Helps meet security compliance requirements

Configuration and Implementation

Enabling Restricted RBAC

Critical Update Warning

Before updating to restricted RBAC mode, you MUST delete any existing ClusterRole and ClusterRoleBinding resources from previous Ilum installations to avoid permission conflicts.

# Delete existing cluster-wide RBAC resources before upgrade
kubectl delete clusterrole spark-submit-cluster-role-NAMESPACE --ignore-not-found=true
kubectl delete clusterrolebinding spark-submit-cluster-role-binding-NAMESPACE --ignore-not-found=true

Failure to delete these resources may result in permission conflicts and deployment issues.

To enable restricted RBAC mode, use the complete Helm command with detailed parameter descriptions:

# Complete Helm upgrade command for restricted RBAC
ترقية Helm ilum ilum / ilum \ 
  --set ilum-core.rbac.restricted.enabled=true \
--إعادة استخدام القيم

Configuration Parameters

Parameterوصف نوع افتراضي Valid Options
rbac.restricted.enabledEnable restricted RBAC mode with namespace-scoped permissionsbooleanخطأ صحيح , خطأ

What Changes in Restricted Mode

Permissions Granted

In restricted mode, Ilum Core receives the following namespace-scoped permissions:

Core Spark Operations

  • Pods: create, حذف , deletecollection, حصل , list, patch, update, watch
  • ConfigMaps: create, حذف , deletecollection, حصل , list, patch, update, watch
  • خدمات : create, حذف , deletecollection, حصل , list, patch, update, watch
  • PersistentVolumeClaims: create, حذف , deletecollection, حصل , list, patch, update, watch

Monitoring and Logging

  • Pod Logs: حصل , list, watch
  • Endpoints: create, حذف , patch, update
  • ServiceMonitors: create, حذف , حصل , list, patch, update

Job Scheduling

  • CronJobs: create, حذف , update
  • وظائف : create, حذف , حصل

إدارة الموارد

  • ResourceQuotas: create, حذف , حصل , update
  • LimitRanges: create, حذف , حصل , update

Metrics Access (Cluster-scoped)

  • Nodes: حصل , list (via ClusterRole)
  • Pods: حصل , list (via ClusterRole for metrics)

Permissions Removed

The following sensitive cluster-level permissions are removed in restricted mode:

  • Namespace Management: Cannot create or manage namespaces
  • ServiceAccount Creation: Cannot create service accounts in other namespaces
  • ClusterRoleBinding Management: Cannot create or modify cluster-wide role bindings
  • Cross-Namespace Access: Cannot access resources in other namespaces
  • Pod Execution: Cannot execute commands in pods (pods/exec)
Namespace Modification Limitation

Important: When RBAC restricted mode is enabled, the ability to change the default ilum cluster namespace is disabled. This occurs because the permissions required to create the necessary RBAC Kubernetes resources are no longer available.

Manual Intervention Required: Users must manually create the required RBAC Kubernetes resources to grant themselves the permissions needed to modify the Kubernetes cluster's namespace. Without this manual step, the namespace modification functionality will not work.

Migration Guide

From Unrestricted to Restricted Mode

Pre-Migration Requirements

CRITICAL: Before migrating to restricted RBAC mode, you must delete existing ClusterRole and ClusterRoleBinding resources to prevent conflicts:

# Required cleanup before migration
kubectl delete clusterrole spark-submit-cluster-role-NAMESPACE --ignore-not-found=true
kubectl delete clusterrolebinding spark-submit-cluster-role-binding-NAMESPACE --ignore-not-found=true

  1. Assess Current Usage: Review your current Spark jobs to ensure they don't require cross-namespace operations

  2. Clean Up Existing Resources: Delete previous cluster-wide RBAC resources:

    kubectl delete clusterrole spark-submit-cluster-role-NAMESPACE --ignore-not-found=true
    kubectl delete clusterrolebinding spark-submit-cluster-role-binding-NAMESPACE --ignore-not-found=true

  3. Test in Development: Enable restricted mode in a development environment first:

    helm upgrade ilum-dev ilum/ilum \
      --set ilum-core.rbac.restricted.enabled=true \
    --إعادة استخدام القيم

  4. Validate Functionality: Run your typical Spark workloads to ensure they work correctly

  5. Apply to Production: Once validated, apply to production:

    helm upgrade ilum-prod ilum/ilum \
      --set ilum-core.rbac.restricted.enabled=true \
    --إعادة استخدام القيم

Rollback Procedure

If you need to revert to unrestricted mode:

ترقية Helm ilum ilum / ilum \ 
  --set ilum-core.rbac.restricted.enabled=false \
--إعادة استخدام القيم

استكشاف الاخطاء

المشكلات الشائعة

Permission Denied Errors

Symptom: Spark jobs fail with permission denied errors

Error: pods is forbidden: User "system:serviceaccount:ilum:ilum-core" cannot create resource "pods" in API group "" in the namespace "other-namespace"

حل : Ensure all Spark jobs are configured to run in the same namespace as Ilum Core

Missing Resources

Symptom: Jobs cannot find required ConfigMaps or Services

Error: configmaps "spark-config" not found

حل : Verify that all required resources exist in the Ilum namespace

RBAC Resource Conflicts

Symptom: Deployment fails with RBAC conflicts

Error: clusterroles.rbac.authorization.k8s.io "spark-submit-ilum-cluster-role" already exists

حل : Delete existing cluster-wide RBAC resources before upgrade:

kubectl delete clusterrole spark-submit-ilum-cluster-role --ignore-not-found=true
kubectl delete clusterrolebinding spark-submit-ilum-cluster-role-binding-ilum --ignore-not-found=true

Cross-Namespace Spark Jobs Disabled

Symptom: Cannot run Spark jobs in namespaces other than the Ilum deployment namespace, or cannot change the default cluster namespace within the Ilum application interface

Error: Insufficient permissions to create Spark resources in target namespace
Error: pods is forbidden: User "system:serviceaccount:ilum:ilum-core" cannot create resource "pods" in API group "" in the namespace "spark-jobs"

Cause: Restricted RBAC mode limits permissions to the Ilum deployment namespace only, preventing Spark job execution in other namespaces

حل : Create additional ClusterRole and ClusterRoleBinding to allow Ilum to create Spark-related resources in different namespaces:

# spark-cross-namespace-clusterrole.yaml
apiVersion : rbac.authorization.k8s.io/v1 
نوع : ClusterRole 
البيانات الوصفية : 
  اسم : إيلوم - شراره - cross- Namespace - role
rules: 
-  apiGroups:  [ "" ] 
  موارد :  [ "pods",  "configmaps",  "services",  "persistentvolumeclaims"] 
  verbs:  [ "create",  "delete",  "deletecollection",  "get",  "قائمة" ,  "patch",  "update",  "watch"] 
-  apiGroups:  [ "" ] 
  موارد :  [ "pods/log"] 
  verbs:  [ "get",  "قائمة" ,  "watch"] 
-  apiGroups:  [ "" ] 
  موارد :  [ "resourcequotas",  "limitranges"] 
  verbs:  [ "create",  "delete",  "get",  "update"] 
-  apiGroups:  [ "" ] 
  موارد :  [ "namespaces"] 
  verbs:  [ "create",  "get",  "قائمة" ] 
-  apiGroups:  [ "" ] 
  موارد :  [ "serviceaccounts"] 
  verbs:  [ "create",  "get",  "قائمة" ] 
-  apiGroups:  [ "rbac.authorization.k8s.io"] 
  موارد :  [ "الأدوار" ,  "rolebindings"] 
  verbs:  [ "create",  "get",  "قائمة" ,  "patch",  "update"] 
--- 
apiVersion : rbac.authorization.k8s.io/v1 
نوع : ClusterRoleBinding 
البيانات الوصفية : 
  اسم : إيلوم - شراره - cross- Namespace - الربط 
roleRef : 
  apiGroup : rbac.authorization.k8s.io 
  نوع : ClusterRole 
  اسم : إيلوم - شراره - cross- Namespace - role
المواضيع : 
-  نوع :  ServiceAccount
  اسم : إيلوم - لب # Replace with your actual service account name
  Namespace : إيلوم # Replace with your Ilum deployment namespace

Apply the configuration:

kubectl apply -f spark-cross-namespace-clusterrole.yaml

Update Spark Configuration: Modify your Ilum cluster's Spark configuration to allow cross-namespace job execution through ilum-ui

Diagnostic Commands

Check RBAC permissions:

kubectl auth can-i create pods --as=system:serviceaccount:ilum:ilum-core -n ilum

Check service account permissions:

kubectl describe rolebinding spark-submit-ilum-role-binding-ilum -n ilum

Risk Assessment and Mitigation

Security Risks by Mode

Unrestricted Mode Risks

RiskImpactLikelihoodMitigation
Privilege EscalationHighMediumNetwork segmentation, monitoring
Cross-Namespace BreachHighMediumAdditional RBAC controls
Cluster CompromiseCriticalLowDefense in depth, monitoring

Restricted Mode Risks

RiskImpactLikelihoodMitigation
Functionality LimitationMediumHighThorough testing, documentation
Namespace Modification DisabledMediumHighManual RBAC resource creation
Operational ComplexityLowMediumTraining, automation
Namespace Lock-inLowLowProper architecture planning

Risk Mitigation Strategies

  1. Gradual Migration: Implement restricted mode in stages
  2. Comprehensive Testing: Validate all use cases before production
  3. Monitoring Enhancement: Implement security-focused monitoring
  4. توثيق : Maintain clear operational procedures
  5. Training: Ensure team understands security implications

أفضل الممارسات

Security Recommendations

  1. Always Use in Production: Enable restricted RBAC for all production deployments
  2. Regular Audits: Periodically review and audit the granted permissions
  3. Namespace Isolation: Use dedicated namespaces for different environments
  4. Monitor Access: Implement monitoring for unusual permission usage
  5. Clean Migration: Always delete existing ClusterRole/ClusterRoleBinding before upgrade

Operational Guidelines

  1. Test Thoroughly: Always test in non-production environments first
  2. Document Dependencies: Maintain documentation of namespace-specific resources
  3. Backup Configurations: Keep backups of your Helm values and configurations
  4. Monitor Performance: Watch for any performance impacts after enabling
  5. Resource Cleanup: Properly clean up old RBAC resources during migration
  6. Namespace Modification: Be aware that restricted mode disables the ability to change cluster namespaces through the Ilum interface - prepare manual RBAC resources if this functionality is needed

استنتاج

The choice between unrestricted and restricted RBAC modes represents a critical security decision. While unrestricted mode offers operational simplicity, restricted mode provides significant security benefits that align with modern security best practices and compliance requirements.

الوجبات الجاهزة الرئيسية :

  • Critical Warning: Always delete existing ClusterRole and ClusterRoleBinding resources before upgrading to restricted mode
  • Production Recommendation: Restricted mode is strongly recommended for security-conscious production environments
  • Compliance: Restricted mode is likely mandatory for regulated industries
  • هجرة : Follow the gradual migration approach with proper testing and validation

Recommendations:

  • Development/Testing: Unrestricted mode acceptable with proper network isolation
  • إنتاج : Restricted mode strongly recommended for security-conscious environments
  • Compliance-Required: Restricted mode likely mandatory for regulated industries

The restricted RBAC feature provides a significant security enhancement for Ilum deployments by implementing least-privilege access controls. While it may limit some advanced cluster-wide operations, it's the recommended configuration for production environments where security is a primary concern.

موارد إضافية