Apono
Labelbox Kubernetes Access Management Case Study
Pages
2
Time to read
5 mins
Publication
Language
English
This case study details the implementation of risk-based access management at Labelbox, a provider of AI data services. The objective was to enhance security by transitioning from excessive Kubernetes privileges to a Just-in-Time role-based access control (RBAC) system. The Sr. DevSecOps Engineer, Aaron Bacchi, identified that engineers had unnecessary access to privileged Google roles, which posed security risks. By interviewing engineers and understanding their access needs, he created fine-grained custom RBAC roles that provided necessary privileges for specific tasks. This approach allowed for temporary, monitored access to Kubernetes pods, significantly reducing risk without hindering productivity. The case study outlines the transition process, including the gradual removal of high-privilege roles and the establishment of automated approval processes for medium-risk actions. It concludes with future plans for enhancing access management and training for engineers to improve transparency and productivity while maintaining security.