We often hear from our customers that to adopt a container and Kubernetes security tool in any mid-sized or large organization, separation of duties and least privilege access via RBAC is a must. Admin roles cannot be granted unnecessarily to all teams. If users or groups are routinely granted these elevated privileges, account compromises or mistakes can result in security and compliance violations.
Why is RBAC a requirement for Secure DevOps?
The asks of DevOps teams that use Sysdig can be summarized in a few use cases:
- I want the developers to only have access to their cluster/namespace/application
- I want the security team to access every component, bar account administration and billing sections
- I want to enable external auditors to perform a full security posture assessment, hence provide separate access controls for 3rd parties.
- I want programmatic API access to grant exactly the same level of privileges as UI access, providing a unique API key that validates user identity.
How RBAC works in Sysdig Secure
We have just released the ability to support RBAC and provide federated access control across different teams within your organization. Sysdig Secure RBAC supports 4 different types of users in your organization in addition to the admin role:
- View Only: Read access to every Secure feature within the team scope. A View Only user cannot modify runtime policies, image scanning policies, or any other content.
- Standard User: Can push container images to the scanning queue and view the image scanning reports. Standard Users can also display the runtime security events within the team scope. They cannot access the Benchmarks, Activity Audit, or Policy definition sections of the product.
- Advanced User: Can access every Sysdig Secure feature within the team scope in read and write mode. Advanced Users can create, delete, or update runtime policies, image scanning policies, compliance checks or any other security policies. The Advanced User cannot manage other users.
- Team Manager: Same permissions as the Advanced User + ability to add/delete team members or change team member permissions.
How to set up RBAC
The admin has full access to the management capabilities of the platform. Sysdig is an enterprise-ready platform with access management functionalities (RBAC, SSO, LDAP, etc.). As an admin, you can log in to the Sysdig Secure admin console and easily create users and teams and assign those users specific roles and access levels inside the teams (view only, standard, advanced or team manager). You can also control the global account and billing, agent installation, etc.
View Only User
This is meant for a team member or a 3rd party that doesn’t require any write access and has limited access to the functionalities in Sysdig. This is useful when you need to carve out a role for external assessments and audits. Below, you can see that the options for editing policies, importing rules, etc. are all removed. They can, for example:
- Evaluate your scan results of the image scanning policies
- View the compliance benchmark scores and level of acceptance
- View runtime security events for their applications and examine captures
Standard User
This user has restricted access to certain functionalities in the platform. This restricted access is scoped to a particular namespace specific to this user, so a developer cannot look into other applications or see sensitive cluster-level data. A standard user can:
- Submit new images to the scanning queue
- Display image scanning results
- View policy events in the context of their scope (specific namespace, cluster etc)
Advanced User
This user has the responsibility of managing the security posture in your organization. As a result, they have read/write access to all functionalities. They can:
- Create scanning policies, view scan results for the images in their scope, query and report on vulnerabilities
- Schedule compliance assessments
- Create runtime detection and prevention (PSP) policies
- Analyze correlated events across the system and Kubernetes API server levels in Activity Audit
- Dig into incident response workflows in the policy events section
Team Manager
This user has Advanced User access but also has the ability to add/delete team members or change team member permissions.
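To make the role and scope rules above concrete, here is an added example that models them as an authorization check; it is a hypothetical model written for this post, not Sysdig's own API or code. The permission names, the Membership type and the is_allowed/effective_permissions functions are assumptions chosen to mirror the four team roles, the namespace/cluster scoping, and the rule that account administration and billing stay with the admin. Because one function answers for both UI and API-key callers, both paths grant identical privileges.

```python
"""Hypothetical model of the Sysdig Secure team-role matrix (not Sysdig's API)."""
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# Permission names are assumptions, named after the product sections in the post.
VIEW_ONLY = {"view:scan-results", "view:benchmarks", "view:events", "view:captures"}
# Standard users submit images and view scan results/events, but get no
# Benchmarks, Activity Audit or policy-definition access.
STANDARD = {"view:scan-results", "view:events", "scan:submit-image"}
ADVANCED = VIEW_ONLY | STANDARD | {
    "policy:write", "scan-policy:write", "compliance:schedule", "view:activity-audit",
}
TEAM_MANAGER = ADVANCED | {"team:manage-members"}
ROLES = {
    "view_only": VIEW_ONLY, "standard": STANDARD,
    "advanced": ADVANCED, "team_manager": TEAM_MANAGER,
}
# Never reachable through a team role, whatever the role level.
ADMIN_ONLY = {"account:admin", "billing:manage"}


@dataclass(frozen=True)
class Membership:
    role: str
    cluster: str
    namespace: Optional[str] = None  # None = the whole cluster


def in_scope(m: Membership, cluster: str, namespace: Optional[str]) -> bool:
    """A namespace-scoped membership never reaches other namespaces or
    cluster-level data (a request with namespace=None)."""
    if m.cluster != cluster:
        return False
    return m.namespace is None or m.namespace == namespace


def is_allowed(memberships: Iterable[Membership], permission: str,
               cluster: str, namespace: Optional[str] = None) -> bool:
    """Single decision point used for both UI sessions and API-key calls."""
    if permission in ADMIN_ONLY:
        return False  # team roles cannot escalate into account administration
    return any(permission in ROLES[m.role] and in_scope(m, cluster, namespace)
               for m in memberships)


def effective_permissions(memberships: Iterable[Membership], cluster: str,
                          namespace: Optional[str] = None) -> Set[str]:
    """What a user can actually do at one scope; handy for a least-privilege review."""
    return {p for m in memberships if in_scope(m, cluster, namespace) for p in ROLES[m.role]}
```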
RBAC is an essential functionality that now enhances Sysdig Secure’s enterprise readiness and allows for separation of duties and least privilege access across teams.