Breakglass

Just-In-Time Privilege Access Management for Kubernetes. Request, approve, and audit temporary elevated permissions with automatic expiration.

01

Overview

Breakglass implements Just-In-Time Privilege Access Management for Kubernetes.
Users create PrivilegeRequest resources specifying the role they need, the duration, and a justification. PrivilegePolicy resources evaluate each request and, according to configurable rules, auto-approve it, require manual approval, or deny it.

When a request is approved, the operator creates the RoleBinding or ClusterRoleBinding with an expiration time attached. API server audit events generated during the elevated privilege window are captured in AuditLog resources and can be exported to external systems. When the duration expires, the bindings are removed automatically; no manual cleanup is required.

02

Features

Policy-Driven Approval

Define PrivilegePolicy resources with priority-based evaluation. Match requests by user, group, service account, role, namespace, or time window. Configure auto-approve, manual approval, or deny modes.

Multi-Approver Workflows

Require multiple approvers with configurable thresholds and deadlines. Approvers are validated against policy-defined users and groups.

Automatic RBAC Lifecycle

RoleBindings and ClusterRoleBindings are created on approval with an owner reference to the PrivilegeRequest, so deleting the request also removes the binding, and they carry annotations that tie each binding back to the request for traceability. Bindings are deleted automatically on expiration or revocation.

Audit Log Export

Capture API server events during privilege windows via OpenShift Logging integration. Export to S3, Elasticsearch, Loki, or custom webhooks with configurable retry policies.

Escalation Prevention

Block cluster-admin grants by default. Define forbidden roles that can never be granted. Validation is enforced at both the admission webhook and the controller, so a request that gets past the webhook is still rejected before any binding is created.

Rate Limiting & Constraints

Limit concurrent active grants per user. Enforce cooldown periods between requests. Set maximum durations and require ticket references for compliance.
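To make the evaluation order described in the features above concrete, here is an added Go example written for this page; it is not code from the Breakglass project. It models the guardrails (forbidden roles, concurrent-grant limit, cooldown) as checks that run before any policy, then picks the single highest-priority PrivilegePolicy that matches the requester, group, role, namespace and time window, and finally applies that policy's mode, maximum duration and ticket requirement. The Request, Policy, Guardrails, History and Decision types are this example's own simplified shapes, not the operator's CRD schema; the numeric limits, the fail-closed default when no policy matches, and "higher number wins" for priority are assumptions made here.

```go
package main

import "time"

// Hypothetical, simplified shapes for this example; not the project's CRD schema.
type Request struct {
	User, Role, Namespace, TicketRef string // Namespace "" means cluster-wide
	Groups                           []string
	Duration                         time.Duration
	Submitted                        time.Time
}

type Mode string
const AutoApprove, Manual, Deny Mode = "AutoApprove", "Manual", "Deny"

// Policy matches on user, group, role, namespace and an hour-of-day window (UTC); empty lists match anything.
type Policy struct {
	Name                             string
	Priority                         int // among matching policies the highest value decides
	Users, Groups, Roles, Namespaces []string
	WindowStart, WindowEnd           int // hours [start, end); WindowEnd 0 means no window
	Mode                             Mode
	MaxDuration                      time.Duration // 0 means no cap
	RequireTicket                    bool
}

// Guardrails are checked before any policy, so no policy can override them.
type Guardrails struct {
	ForbiddenRoles      []string
	MaxConcurrentGrants int
	Cooldown            time.Duration
}

// History summarises the requester's earlier requests for the rate-limit checks.
type History struct{ ActiveGrants int; LastRequested time.Time }
type Decision struct{ Mode Mode; Policy, Reason string }

// DefaultGuardrails blocks cluster-admin as the page describes; the numeric limits are assumed.
var DefaultGuardrails = Guardrails{ForbiddenRoles: []string{"cluster-admin"}, MaxConcurrentGrants: 2, Cooldown: 10 * time.Minute}

// anyIn reports whether list and wanted share at least one element.
func anyIn(list, wanted []string) bool {
	for _, w := range wanted {
		for _, x := range list {
			if x == w {
				return true
			}
		}
	}
	return false
}

func (p Policy) matches(r Request) bool {
	h := r.Submitted.UTC().Hour()
	return (len(p.Users) == 0 || anyIn(p.Users, []string{r.User})) &&
		(len(p.Groups) == 0 || anyIn(p.Groups, r.Groups)) &&
		(len(p.Roles) == 0 || anyIn(p.Roles, []string{r.Role})) &&
		(len(p.Namespaces) == 0 || anyIn(p.Namespaces, []string{r.Namespace})) &&
		(p.WindowEnd == 0 || (h >= p.WindowStart && h < p.WindowEnd))
}

// Evaluate applies the guardrails first, then the highest-priority matching policy; a request no policy matches is denied (fail closed, an assumption here).
func Evaluate(r Request, g Guardrails, h History, policies []Policy) Decision {
	if anyIn(g.ForbiddenRoles, []string{r.Role}) {
		return Decision{Deny, "", "role " + r.Role + " is forbidden"}
	}
	if h.ActiveGrants >= g.MaxConcurrentGrants {
		return Decision{Deny, "", "concurrent grant limit reached"}
	}
	if !h.LastRequested.IsZero() && r.Submitted.Sub(h.LastRequested) < g.Cooldown {
		return Decision{Deny, "", "cooldown period has not elapsed"}
	}
	var best *Policy
	for i := range policies {
		if p := &policies[i]; p.matches(r) && (best == nil || p.Priority > best.Priority) {
			best = p
		}
	}
	switch {
	case best == nil:
		return Decision{Deny, "", "no policy matches"}
	case best.MaxDuration > 0 && r.Duration > best.MaxDuration:
		return Decision{Deny, best.Name, "duration exceeds policy maximum"}
	case best.RequireTicket && r.TicketRef == "":
		return Decision{Deny, best.Name, "ticket reference required"}
	}
	return Decision{best.Mode, best.Name, "matched policy"} // a Deny-mode policy is returned here as a denial
}

// SamplePolicies are constructed for this example: business-hours read access is auto-approved, anything else needs an approver and a ticket.
func SamplePolicies() []Policy {
	return []Policy{
		{Name: "view-business-hours", Priority: 10, Roles: []string{"view"}, WindowStart: 8, WindowEnd: 18, Mode: AutoApprove, MaxDuration: 4 * time.Hour},
		{Name: "view-anytime", Priority: 5, Roles: []string{"view"}, Mode: Manual, MaxDuration: 8 * time.Hour, RequireTicket: true},
		{Name: "sre-edit", Priority: 20, Groups: []string{"sre"}, Roles: []string{"edit"}, Mode: Manual, RequireTicket: true},
	}
}

func main() {
	r := Request{User: "alice", Groups: []string{"dev"}, Role: "view", TicketRef: "INC-12345", Duration: 2 * time.Hour, Submitted: time.Date(2024, 1, 15, 10, 0, 0, 0, time.UTC)}
	println(string(Evaluate(r, DefaultGuardrails, History{}, SamplePolicies()).Mode)) // AutoApprove
}
```

The ordering is the security-relevant part: guardrails run before policy selection, so a high-priority auto-approve policy can never hand out a forbidden role or bypass the cooldown, and the policy's own constraints (maximum duration, ticket requirement) are applied to the policy that won on priority rather than falling through to a more permissive lower-priority one.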

03

Use Cases

04

Custom Resources

05

Example Workflow

Here's how a typical privilege request flows through the system:

# 1. User creates a PrivilegeRequest
oc apply -f - <<EOF
apiVersion: breakglass.cosmosdevops.co.uk/v1alpha1
kind: PrivilegeRequest
metadata:
  name: incident-response-123
  namespace: default
spec:
  subject:
    kind: User
    name: [email protected]
  roleRef:
    kind: ClusterRole
    name: view
  scope:
    clusterWide: true
  duration: 2h
  reason: "Investigating pod crashes in payment service"
  ticketRef: "INC-12345"
EOF

# 2. Approver creates an approval
oc apply -f - <<EOF
apiVersion: breakglass.cosmosdevops.co.uk/v1alpha1
kind: PrivilegeApproval
metadata:
  name: approve-incident-123
  namespace: default
spec:
  privilegeRequestRef: incident-response-123
  decision: Approved
  reason: "Verified incident ticket, approving temporary access"
EOF

# 3. Check status: the binding has been created and the user has access
oc get privilegerequest incident-response-123 -o jsonpath='{.status.phase}'
# Output: Active

# 4. After 2 hours the access is revoked automatically
oc get privilegerequest incident-response-123 -o jsonpath='{.status.phase}'
# Output: Expired
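What happens inside the operator between step 2 and step 4, as an added Go example written for this page (not Breakglass's own code): the duration string from the manifest is parsed, the expiry is fixed relative to the approval time rather than the request time, the binding kind follows the request's scope, the binding gets an owner reference and traceability annotations, and a reconcile step removes the binding once the expiry has passed or the grant is revoked. The Request, Binding and State types, the "breakglass-" name prefix, the annotation keys, and the Revoked phase are this example's assumptions; only the Active and Expired phases and the API group come from the page. Go is used because it is the usual language for Kubernetes operators.

```go
package main

import (
	"fmt"
	"time"
)

// Hypothetical, minimal shapes for this example; not the project's CRD schema or the rbac/v1 Go types.
type Request struct {
	Name, Namespace string
	User            string
	RoleKind        string // "ClusterRole" or "Role"
	RoleName        string
	ClusterWide     bool
	Duration        string // as written in the manifest, e.g. "2h"
}

type Binding struct {
	Kind, Name, Namespace string // a ClusterRoleBinding has no namespace
	RoleRef, Subject      string
	OwnerRequest          string // owner reference: deleting the request garbage-collects the binding
	Annotations           map[string]string
}

type Phase string

const Active, Expired, Revoked Phase = "Active", "Expired", "Revoked"

type State struct {
	Phase     Phase
	ExpiresAt time.Time
	Binding   *Binding // nil once the binding has been removed
}

// Annotation keys are this example's assumption; only the API group is from the page.
const (
	annRequest = "breakglass.cosmosdevops.co.uk/request"
	annExpires = "breakglass.cosmosdevops.co.uk/expires-at"
)

// Approve parses the requested duration, fixes the expiry relative to the approval time and
// builds the binding the operator would create. A namespaced Role cannot back a cluster-wide grant.
func Approve(r Request, approvedAt time.Time) (State, error) {
	d, err := time.ParseDuration(r.Duration)
	if err != nil || d <= 0 {
		return State{}, fmt.Errorf("invalid duration %q", r.Duration)
	}
	if r.ClusterWide && r.RoleKind != "ClusterRole" {
		return State{}, fmt.Errorf("cluster-wide scope requires a ClusterRole, got %s", r.RoleKind)
	}
	exp := approvedAt.Add(d)
	b := &Binding{
		Kind: "RoleBinding", Name: "breakglass-" + r.Name, Namespace: r.Namespace,
		RoleRef: r.RoleKind + "/" + r.RoleName, Subject: "User/" + r.User, OwnerRequest: r.Name,
		Annotations: map[string]string{annRequest: r.Name, annExpires: exp.UTC().Format(time.RFC3339)},
	}
	if r.ClusterWide {
		b.Kind, b.Namespace = "ClusterRoleBinding", ""
	}
	return State{Phase: Active, ExpiresAt: exp, Binding: b}, nil
}

// Reconcile is the periodic step: once the expiry has passed, or on explicit revocation, the
// binding is deleted and the phase changes; Expired and Revoked are terminal.
func Reconcile(s State, now time.Time, revoked bool) State {
	if s.Phase != Active {
		return s
	}
	switch {
	case revoked:
		s.Phase, s.Binding = Revoked, nil
	case !now.Before(s.ExpiresAt):
		s.Phase, s.Binding = Expired, nil
	}
	return s
}

// RequeueAfter tells the controller how long to wait before re-checking an Active grant,
// so the binding disappears at the expiry time and not merely on the next coincidental event.
func RequeueAfter(s State, now time.Time) time.Duration {
	if s.Phase != Active || !now.Before(s.ExpiresAt) {
		return 0
	}
	return s.ExpiresAt.Sub(now)
}

func main() {
	r := Request{Name: "incident-response-123", Namespace: "default", User: "alice", RoleKind: "ClusterRole", RoleName: "view", ClusterWide: true, Duration: "2h"}
	t0 := time.Date(2024, 1, 15, 10, 0, 0, 0, time.UTC)
	s, err := Approve(r, t0)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s %s expires %s\n", s.Binding.Kind, s.Binding.Name, s.ExpiresAt.Format(time.RFC3339))
	fmt.Println(Reconcile(s, t0.Add(2*time.Hour), false).Phase) // Expired
}
```

Two details matter for auditing. The expiry is computed from the approval time, so a request that sits in the queue for an hour still gets exactly the requested window once approved, and the expiry is written onto the binding itself, so anyone reading the RBAC objects directly (or a detection rule over the audit log) can tell a Breakglass grant from a hand-made binding and see when it should have disappeared.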

Get Started with Breakglass

Implement Just-In-Time privilege access with policy-driven approvals, automatic expiration, and comprehensive audit trails.