17Apr

Kubernetes RBAC (Role Based Access Control)

The Kubernetes RBAC (role based access control) system lets us define a set of rules that control which users can access which resources. A Kubernetes cluster has two namespaces by default, “default” and “kube-system”. Additional namespaces can also be created to organise and separate work for our purposes, which I have already explained in the previous blog on namespaces (refer to that for more details).

Access can be granted either at cluster level or within a namespace: to grant access at cluster level we need a ClusterRole, for a particular namespace we use a regular Role. A role in K8S is created by creating a Role object. Create a role definition file with apiVersion set to rbac.authorization.k8s.io/v1 and kind set to Role. In this case we name the role shanmukha, as we are creating the role for Shanmukha, and then specify the rules. Each rule has three sections: apiGroups, resources, and verbs. For the core API group we leave the apiGroups entry as an empty string; for any other group, specify the group name. Under resources we specify which resources the role grants access to, and under verbs the actions that can be performed on them; a single role can have multiple rules. The role definition YAML looks like below:

role-definition.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: shanmukha
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "get", "create", "watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
Then create the role with kubectl create -f role-definition.yaml

The next step is to link the user to the role. For this we create another object called a RoleBinding; we name the file shanmukha-aksuser-binding.yaml and set kind to RoleBinding. It has two sections, subjects and roleRef. Under subjects we define the user details; roleRef gives the details of the role we created. The role binding YAML looks as below:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: shanmukha-aksuser-binding
subjects:
- kind: User
  name: shanmukha
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: shanmukha
  apiGroup: rbac.authorization.k8s.io
Create the role binding using kubectl create -f shanmukha-aksuser-binding.yaml

As mentioned already, roles and role bindings are scoped to a namespace; if you want to specify the namespace for a role or role binding, add namespace under metadata.

Some useful kubectl commands are:

kubectl get roles
kubectl get rolebindings
kubectl describe role shanmukha
kubectl describe rolebinding shanmukha-aksuser-binding

What if you, as a user, want to check whether you have access to a particular resource or not? For that, execute

kubectl auth can-i create deployments
kubectl auth can-i watch pods

If you want to test another user's access without authenticating as that user, use impersonation:

kubectl auth can-i create deployments --as dev-user

You can also provide a namespace:

kubectl auth can-i create deployments --as dev-user --namespace <namespace>

If you want to give access to specific pods of a resource, for example assume you have pods A, B, C and D, rather than giving access to the entire resource we can restrict the access to particular pods with resourceNames, like:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: shanmukha
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "get", "create", "watch"]
  resourceNames: ["A", "B", "C"]

Note that resourceNames only matches requests that carry an object name; create and deletecollection cannot be restricted this way because the name is not known when the request is authorised.

Permissions are purely additive (there are no “deny” rules); for more info refer to kubernetes.io.
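To show how the API server evaluates the Role, RoleBinding and resourceNames manifests above, and why permissions are purely additive, here is an added example (my own code, not from the original post or from Kubernetes) that models the RBAC authorizer the way kubectl auth can-i reports it. The manifests are constructed inline as dicts mirroring the YAML on this page; the namespace “default” and the extra role pods-abc bound to dev-user are assumptions.

```python
from typing import Iterable

# Constructed to mirror the manifests on this page; the namespace "default" is assumed.
ROLES = {
    ("default", "shanmukha"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "get", "create", "watch"]},
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["create"]},
    ],
    # Hypothetical role carrying the page's resourceNames rule, bound to dev-user below.
    ("default", "pods-abc"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "get", "create", "watch"],
         "resourceNames": ["A", "B", "C"]},
    ],
}
ROLEBINDINGS = [
    {"namespace": "default", "subjects": [{"kind": "User", "name": "shanmukha"}],
     "roleRef": {"kind": "Role", "name": "shanmukha"}},
    {"namespace": "default", "subjects": [{"kind": "User", "name": "dev-user"}],
     "roleRef": {"kind": "Role", "name": "pods-abc"}},
]

def _matches(wanted: str, allowed: Iterable[str]) -> bool:
    """RBAC list semantics: "*" matches anything, otherwise exact string match."""
    return any(a in ("*", wanted) for a in allowed)

def rule_allows(rule: dict, verb: str, group: str, resource: str, name: str) -> bool:
    if not (_matches(verb, rule["verbs"]) and _matches(group, rule["apiGroups"])
            and _matches(resource, rule["resources"])):
        return False
    names = rule.get("resourceNames", [])
    # A non-empty resourceNames list only matches a request that carries a name.
    # `create` has no object name at authorization time, so such a rule never grants it.
    return not names or (name != "" and name in names)

def can_i(user: str, verb: str, resource: str, namespace: str,
          name: str = "", group: str = "") -> bool:
    """Mirror `kubectl auth can-i VERB RESOURCE --as USER --namespace NS`.

    Permissions are purely additive: a matching rule in any bound Role grants;
    there is no deny rule, and an unbound user simply never matches."""
    for rb in ROLEBINDINGS:
        if rb["namespace"] != namespace or rb["roleRef"]["kind"] != "Role":
            continue
        if not any(s["kind"] == "User" and s["name"] == user for s in rb["subjects"]):
            continue
        rules = ROLES.get((namespace, rb["roleRef"]["name"]), [])
        if any(rule_allows(r, verb, group, resource, name) for r in rules):
            return True
    return False
```

Running can_i("dev-user", "create", "pods", "default") returns False even though "create" is listed in the rule, which is the resourceNames limitation in action.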

You can also test the manifest files of RBAC objects to display what changes would be made, without applying them:

kubectl auth reconcile -f <yaml file> --dry-run=client
