kubernetes RBAC
- Users and groups are not stored in etcd, and are meant for processing outside the cluster. Service accounts exists as objects in k8s and are used by processes running inside of the cluster.
- User is meant to be managed by administrator of k8s cluster and distributes the credentials to the user by some external process
- Authentication strategies
- X.509 client certificate (openssl certificates)
- Basic authentication (username and password)
- Bearer tokens (OpenId)
Activity: Creation of user in k8s cluster using OpenSSL
- Login into k8s control plane node and create a temporary directory to store keys
mkdir cert
cd cert
- Now create a private key for user muthu
openssl genrsa -out muthu.key 2048
* Create a CSR
openssl req -new -key muthu.key -out muthu.csr -subj "/CN=muthu/O=learning"
- Sign the CSR with k8s cluster certificate authortity which is usually found in directory
/etc/kubernetes/pkiand we need two filesca.crt&ca.key
openssl x509 -req -in muthu.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out muthu.crt -days 180
* As a cluster admin, create a user in k8s by setting user entry kubeconfig for muthu and point to the cr and key file.
kubectl config set-credentials muthu --client-certificate=muthu.crt --client-key=muthu.key
kubectl config set-context muthu-context --cluster=kubernetes --user=muthu
* We can swith context
kubectl config use-context muthu-context
Activity: Create a Service Account
- Service Account represents some application/Pod/whatever running inside k8s cluster and needs to access k8s api’s
- kubernetes cluster comes with a service account called as
defaultwhich lives indefaultname space. - Any pod which we create where we don’t explicitly assign a service account uses the defaul service account.
- Lets create a service account called as
robo
apiVersion: v1
kind: ServiceAccount
metadata:
name: robo
automountServiceAccountToken: true
* Assigning a Service account to a pod
---
apiVersion: v1
kind: Pod
metadata:
name: robotrails
spec:
serviceAccountName: robo
containers:
- name: nginx
image: nginx
Understanding RBAC
- k8s API Primitives
- Role:
- This Role API Primitive declares the API Resources and their operations this rule should operate on.
- Eg:
- allow listing and creating pods
- allow watching logs
- any operation that is not declared explicitly is denied
- RoleBinding:
- This API Primivtive binds the Role object ot the Subject(s)
- This API Primivtive binds the Role object ot the Subject(s)
- Role:
- Default user-facing roles
- cluster-admin: Allows read, write acess to all resources across all namespaces
- admin: Allows read and write access to resources in namespace including Roles and RoleBindigs
- edit: Allows read and write access to resources in namespace except Roles and RoleBindigs
- view: Allows read access to resources in namespace except Roles and RoleBindigs
Activity Create role
- Lets create a role called
formality - imperative way
kubectl create role --help
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: formality
rules:
- apiGroups:
- ""
resources:
- pods
- services
verbs:
- list
- get
- watch
- apiGroups:
- apps
resources:
- deployments
verbs:
- list
- get
- watch
Activity Create Role Binding
- For imperative
kubectl create rolebinding --help - Lets create a role binding for user muthu and service account robo to have formality role
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: formality-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: formality
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: muthu
- kind: ServiceAccount
name: robo
- Now change context to muthu-context
- get pods,deployments should work, try getting nodes, daemonsets etc it should fail.
- Note: try creating the role binding and other experiments
