Labelbox Secures Kubernetes Access with Apono

Securing Kubernetes Access

Case study: Labelbox

Labelbox is the data factory for generative AI, providing high-quality, differentiated data to leading model builders and enterprise AI teams. Labelbox customers include Fortune 500 enterprises and leading AI labs. 

Head Count: 200

Locations: San Francisco

The Challenge

Excessive Kubernetes Privileges Expanded Access Risk

A heavy Kubernetes user, Labelbox had engineers holding standing, privileged Google Cloud roles that were rarely needed but allowed risky actions on pods, including viewing and editing Secrets.

“We required a solution to eliminate excessive standing access without slowing down engineers’ work.”

Labelbox’s Sr. DevSecOps Engineer Aaron Bacchi

The Results

Implementing Risk-based Access Management

By adopting a Just-in-Time approach that removed the risk of standing access to sensitive Kubernetes pods, Aaron gained the breathing room to implement risk-based tiering for Labelbox's access policies.

For low-risk resources in development, all users kept view-only privileges. Friction rose with risk: the more sensitive the environment and the wider the range of actions requested, the more approval was required. For medium-risk actions requested through Apono, Aaron created policies that grant approval automatically.

Enhanced Security

By implementing Just-in-Time (JIT) access controls and granular RBAC roles, Labelbox reduced its attack surface by 98% and eliminated overprivileged access, significantly mitigating security risks.

Improved Developer Productivity

Developers retained seamless access to necessary resources without delays through automated approval processes for low- and medium-risk actions, enabling efficient workflows while maintaining security.

Streamlined Access Management

Apono simplified the management of time-bound and role-specific access to critical resources like Kubernetes and databases, reducing manual intervention and operational complexity.

“I was able to create fine-grained custom RBAC roles in Kubernetes that provide exactly the privileges needed for specific tasks, and then I manage access to those roles via Apono. Now, engineers can combine narrow roles together like Lego bricks to achieve their goals”

Aaron Bacchi

Sr. DevSecOps Engineer
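As an added illustration of the "narrow roles that combine like Lego bricks" approach (this is example code, not Labelbox's or Apono's own manifests; the namespace, role names, group and user names are hypothetical), here is the Kubernetes RBAC shape it implies: one namespaced Role that can inspect pods and read their logs but not Secrets, a separate Role limited to reading Secrets, a standing RoleBinding that grants only the low-risk role to the engineering group, and a second RoleBinding for the Secrets role that a just-in-time tool would create on approved request and delete when the grant expires.

```yaml
# Added example, not from the original page. All names are hypothetical.

# Role 1: low-risk, standing. Inspect pods and read logs in the "staging"
# namespace. Secrets are deliberately absent, as are pods/exec and
# pods/portforward, since exec into a container exposes mounted secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: staging
  name: pod-inspector
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
# Role 2: higher-risk. Read Secrets only. Kept as its own Role so it can be
# granted and revoked independently and time-bound.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: staging
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list"]
---
# Standing binding: every engineer gets the low-risk role permanently.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: staging
  name: engineers-pod-inspector
subjects:
- kind: Group
  name: engineers@example.com        # hypothetical group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-inspector
  apiGroup: rbac.authorization.k8s.io
---
# JIT binding: exists only for the duration of an approved request. An access
# tool would create this object on approval and delete it at expiry; it is
# shown statically here.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: staging
  name: jit-alice-secret-reader
subjects:
- kind: User
  name: alice@example.com            # hypothetical user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
```

Two points worth checking in practice. First, `roleRef` on a RoleBinding is immutable, so "combining bricks" means adding and removing bindings, never widening an existing Role in place; that is what keeps each grant auditable and revocable on its own. Second, verify the effective permissions from the API server's point of view rather than trusting the manifests, for example with `kubectl auth can-i get secrets -n staging --as=alice@example.com --as-group=engineers@example.com`, which should answer `yes` only while the JIT binding exists and `no` once it has been deleted.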

The Outcome

Labelbox achieved a secure, efficient, and compliant access management system that balanced developer productivity with robust risk reduction.

Minimized Risk Exposure

By transitioning to temporary, requestable access for sensitive roles, Labelbox significantly reduced the potential impact of account takeovers and unauthorized actions.

Audit-Ready

The adoption of risk-based tiering and fully monitored access flows enhanced compliance with security policies and streamlined interactions with auditors.

Operational Scalability

The ability to manage access flows dynamically allowed Labelbox to easily adapt policies as new teams and services were introduced, ensuring sustainable growth.

“My manager was excited about tightening up our Kubernetes security”

Aaron Bacchi

Sr. DevSecOps Engineer