Kubernetes Classroom Series – 29/Jul/2021

Role Based Access Control

  • To properly manage access in k8s, it is critical to understand how identity, roles and role bindings interact to control who can do what with which resources.

  • Identity in Kubernetes:

    • Every request that reaches the k8s API server is associated with some identity. Even a request that carries no credentials gets one: it is treated as the user system:anonymous in the group system:unauthenticated.
    • k8s distinguishes between user identities and service account identities.
    • Service accounts are created and managed by k8s itself (as ServiceAccount objects in a namespace) and are generally associated with components running inside the cluster, i.e. Pods.
    • User accounts are all other identities: the actual human users of the cluster, and often automation such as a continuous delivery service that runs outside the cluster. k8s has no User object; a user is whatever name (and groups) the configured authenticator reports.
    • k8s uses a generic interface for authentication providers: the provider only has to tell the API server the username and group memberships of the caller.
    • k8s supports a number of different authentication providers, including
      • HTTP Basic Authentication (deprecated, and removed from the API server in k8s 1.19)
      • x509 client certificates
      • Static token files on the API server host
      • Cloud authentication providers such as Azure Active Directory and AWS IAM (typically plugged in through OpenID Connect or a webhook)
      • Authentication webhooks
    • While most managed k8s installations configure authentication for you, if you are deploying your own cluster you will need to set the appropriate flags on the k8s API server (kube-apiserver) yourself.
  • Understanding Roles and Role Bindings:

    • Identity is just the beginning of authorization in k8s. Once the system knows the identity, it needs to determine whether the request is authorized for that identity. To achieve this, k8s uses the general concept of roles and role bindings.
    • A role is a set of abstract capabilities, for example the ability to create Pods or Services. A role grants nothing on its own; RBAC is purely additive, so an identity with no bindings can do nothing.
    • A role binding is an assignment of a role to one or more identities (users, groups or service accounts).
  • Roles and Role Bindings in K8s

    • In k8s there are two pairs of related resources that represent role and role binding.
    • One pair applies to just a namespace (Role and RoleBinding) and the other applies across the cluster (ClusterRole and ClusterRoleBinding). A RoleBinding may also reference a ClusterRole; in that case the ClusterRole's rules are granted only inside the RoleBinding's namespace, which is the normal way to reuse one role definition across many namespaces.
    • Let's examine Role and RoleBinding.
    • Sample Role in YAML
      ---
      kind: Role
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        namespace: default          # a Role lives in exactly one namespace
        name: pod-and-services
      rules:
      - apiGroups: [""]             # "" is the core API group (pods, services, ...)
        resources:
        - pods
        - services
        verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]

    • Sample Role Binding in YAML
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        namespace: default          # the grant is limited to this namespace
        name: pods-and-services
      subjects:                     # who receives the role
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: tonystark
      - apiGroup: rbac.authorization.k8s.io
        kind: Group
        name: avengers              # every member of the group gets the role
      roleRef:                      # which role; immutable once created, so delete and
        apiGroup: rbac.authorization.k8s.io   # recreate the binding to point it elsewhere
        kind: Role                  # may also be ClusterRole, still scoped to this namespace
        name: pod-and-services

    • Verbs for k8s roles
      Verb     HTTP Method   Description
      create   POST          Create a new resource
      delete   DELETE        Delete an existing resource
      get      GET           Get a single resource
      list     GET           List a collection of resources
      patch    PATCH         Modify an existing resource via a partial change
      update   PUT           Modify an existing resource by sending the complete object
      watch    GET           Watch for streaming updates to a resource
      proxy    GET           Connect to a resource via a streaming WebSocket proxy
  • Using built-in roles: k8s ships with a large number of built-in ClusterRoles; list them with kubectl get clusterroles

    • While most of the built-in roles are for system components, four are designed for generic end users:
    • The cluster-admin role provides complete access to the entire cluster (every verb on every resource). Bind it with a ClusterRoleBinding, and only to the very few identities that genuinely need it.
    • The admin role provides complete access within a single namespace, including the ability to create Roles and RoleBindings there (bound with a RoleBinding).
    • The edit role allows an end user to modify most objects in a namespace. It includes full access to Secrets, so it is far from a harmless grant.
    • The view role allows read-only access to a namespace; it deliberately excludes Secrets.
  • Testing Authorization with can-i:

    • kubectl auth can-i asks the API server whether an identity may perform a particular action, for example kubectl auth can-i create pods --namespace default --as tonystark (add --as-group avengers to test a group). Impersonating another identity with --as requires the impersonate verb, which cluster-admin has; without it you can only test your own identity. kubectl auth can-i --list prints everything the identity may do in a namespace, which is a quick way to audit an over-broad binding.
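The following is an added example, not code from these notes or from Kubernetes. It models the RBAC decision described in the role and role binding section above and answers the same question as kubectl auth can-i, using the Role and RoleBinding from the YAML above. The read-pods ClusterRole, its two bindings and the users natasha and bruce are assumptions made up for the example; subresources, resourceNames, nonResourceURLs and ClusterRole aggregation are left out.

```python
"""Toy model of the RBAC decision the Kubernetes API server makes per request.

Added example for these notes, not Kubernetes code. It models the chain
identity -> binding -> role -> rule and answers what `kubectl auth can-i` asks.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    api_groups: Tuple[str, ...]   # "" is the core API group; "*" matches any group
    resources: Tuple[str, ...]    # "*" matches any resource
    verbs: Tuple[str, ...]        # "*" matches any verb

@dataclass(frozen=True)
class Role:
    name: str
    rules: Tuple[Rule, ...]
    namespace: Optional[str] = None   # None => ClusterRole

@dataclass(frozen=True)
class Binding:
    name: str
    role: Role
    subjects: Tuple[Tuple[str, str], ...]  # (kind, name) with kind "User" or "Group"
    namespace: Optional[str] = None   # None => ClusterRoleBinding

@dataclass(frozen=True)
class Identity:
    user: str
    groups: FrozenSet[str]

@dataclass(frozen=True)
class Request:
    verb: str
    resource: str
    api_group: str = ""
    namespace: Optional[str] = None   # None for cluster-scoped resources (nodes, ...)

# A request with no usable credentials still has an identity.
ANONYMOUS = Identity("system:anonymous", frozenset({"system:unauthenticated"}))

def _matches(patterns: Tuple[str, ...], value: str) -> bool:
    return "*" in patterns or value in patterns

def _subject_matches(binding: Binding, ident: Identity) -> bool:
    return any((kind == "User" and name == ident.user) or (kind == "Group" and name in ident.groups)
               for kind, name in binding.subjects)

def can_i(ident: Identity, req: Request, bindings: Tuple[Binding, ...]) -> bool:
    """True if any binding grants the request; RBAC is additive and deny-by-default."""
    for b in bindings:
        if not _subject_matches(b, ident):
            continue
        # A RoleBinding grants only inside its own namespace, even when it references
        # a ClusterRole; a ClusterRoleBinding (namespace None) grants cluster-wide.
        if b.namespace is not None and b.namespace != req.namespace:
            continue
        # A Role may only be referenced from a RoleBinding in the same namespace.
        if b.role.namespace is not None and b.role.namespace != b.namespace:
            continue
        if any(_matches(r.api_groups, req.api_group) and _matches(r.resources, req.resource)
               and _matches(r.verbs, req.verb) for r in b.role.rules):
            return True
    return False

# The Role and RoleBinding from the YAML in these notes.
POD_AND_SERVICES = Role("pod-and-services", (Rule(("",), ("pods", "services"),
                        ("create", "delete", "get", "list", "patch", "update", "watch")),),
                        namespace="default")
POD_AND_SERVICES_BINDING = Binding("pods-and-services", POD_AND_SERVICES,
                                   (("User", "tonystark"), ("Group", "avengers")), namespace="default")
# Hypothetical additions (assumed for this example): a read-only ClusterRole bound
# cluster-wide to the avengers group, and the same ClusterRole bound to one user in "dev" only.
READ_PODS = Role("read-pods", (Rule(("",), ("pods",), ("get", "list", "watch")),))
READ_PODS_EVERYWHERE = Binding("read-pods-everywhere", READ_PODS, (("Group", "avengers"),))
READ_PODS_IN_DEV = Binding("read-pods-in-dev", READ_PODS, (("User", "bruce"),), namespace="dev")
BINDINGS = (POD_AND_SERVICES_BINDING, READ_PODS_EVERYWHERE, READ_PODS_IN_DEV)

TONY = Identity("tonystark", frozenset({"system:authenticated"}))
NATASHA = Identity("natasha", frozenset({"system:authenticated", "avengers"}))
BRUCE = Identity("bruce", frozenset({"system:authenticated"}))

def demo() -> Dict[str, bool]:
    """What `kubectl auth can-i <verb> <resource> -n <ns> --as <user> --as-group <g>` would answer."""
    checks = {
        "tony creates pods in default": (TONY, Request("create", "pods", namespace="default")),
        "tony creates pods in kube-system": (TONY, Request("create", "pods", namespace="kube-system")),
        "natasha deletes services in default (via group)": (NATASHA, Request("delete", "services", namespace="default")),
        "natasha lists pods in kube-system (ClusterRoleBinding)": (NATASHA, Request("list", "pods", namespace="kube-system")),
        "natasha deletes pods in kube-system": (NATASHA, Request("delete", "pods", namespace="kube-system")),
        "bruce gets pods in dev (ClusterRole via RoleBinding)": (BRUCE, Request("get", "pods", namespace="dev")),
        "bruce gets pods in default": (BRUCE, Request("get", "pods", namespace="default")),
        "anonymous gets pods in default": (ANONYMOUS, Request("get", "pods", namespace="default")),
        "tony lists nodes (cluster-scoped)": (TONY, Request("list", "nodes")),
    }
    return {label: can_i(ident, req, BINDINGS) for label, (ident, req) in checks.items()}

if __name__ == "__main__":
    for label, allowed in demo().items():
        print("yes" if allowed else "no ", label)
```

Running it prints one yes/no line per check. The two results worth staring at are the bruce lines: the same ClusterRole grants pods in dev and nothing in default, purely because it was attached through a RoleBinding rather than a ClusterRoleBinding. The same model also shows why tony, who has a RoleBinding in default, still cannot list nodes: a namespaced binding never reaches a cluster-scoped resource.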
  • Note: Fix for the inventory service image build issue

FROM python:3-alpine3.13
LABEL author="khaja"
LABEL organization="qualitythought"
ARG HOME_DIR='/inventory-service'
# Development defaults only. Inject real credentials at runtime (for example from a
# Kubernetes Secret); values baked in with ENV stay visible in the image history.
ENV MYSQL_USERNAME='qtdevops'
ENV MYSQL_PASSWORD='qtdevops'
ENV MYSQL_SERVER='localhost'
ENV MYSQL_DATABASE='qtinvsrv'
EXPOSE 8080
WORKDIR ${HOME_DIR}
# cryptography 3.4+ builds from source on Alpine and needs a C toolchain plus Rust
# (cargo). pip already ships with the python:3 base image, so the Alpine py-pip and
# py-cryptography packages (which target Alpine's own python3) are not needed.
RUN apk add --no-cache build-base gcc musl-dev python3-dev libffi-dev libressl-dev cargo
# Copy the dependency list first so the pip layer stays cached when only app code changes.
COPY requirements.txt ./
RUN pip install cryptography && pip install -r requirements.txt
# COPY rather than ADD: ADD also unpacks archives and fetches URLs, which is never wanted here.
COPY . .
# The app listens on an unprivileged port, so consider adding a non-root user (adduser -D app; USER app).
ENTRYPOINT [ "python", "app.py" ]
