Complete k8s Classroom notes 17/Aug/2023

What is a Namespace in k8s?

  • Namespaces are a way to partition one cluster into virtual sub-clusters.
  • Every api-resource supported by the k8s api server is listed by the command below; the NAMESPACED column in its output tells you whether a resource lives inside a namespace (pods, deployments, services, roles) or is cluster-scoped (nodes, namespaces, clusterroles).
kubectl api-resources



  • When to use namespaces
    • Allowing teams or projects to exist in their own virtual cluster
    • Enhancing RBAC controls by limiting users and processes to certain namespaces
    • Note that a namespace scopes API access, not runtime isolation: pods in different namespaces still share nodes and can reach each other over the network unless a NetworkPolicy restricts it.

Namespace wide and Cluster wide RBAC

  • Role and RoleBinding apply to a particular namespace: a RoleBinding can only grant access to namespaced resources inside its own namespace.
  • For a cluster wide definition, k8s offers
    • ClusterRole
    • ClusterRoleBinding
  • A ClusterRole is also the only way to cover cluster-scoped resources such as nodes and namespaces, which a Role cannot reference.
  • A ClusterRole can be referenced from a RoleBinding; the subjects then get its rules only in the RoleBinding's namespace, so one role definition can be reused per namespace.
  • RBAC is purely additive: there are no deny rules, so a request is allowed if any binding grants it and denied otherwise.

Activity

  • Create two users (client certificates signed by the cluster CA with openssl)
    • ironman
    • batman
  • Create one service account jarvis
  • Create a new namespace called qa
  • Give batman permission to create, list, watch and delete, in namespace qa only
    • pods
    • deployments
    • services
  • Give ironman permission to create, list, watch and delete in any namespace for
    • pods
    • deployments
    • services
    • daemonsets
    • statefulsets
  • Give the same permissions to jarvis
  • Set the kubectl context for ironman and batman
mkdir certs && cd certs
# private keys: hand each one only to its user and keep it mode 0600
openssl genrsa -out ironman.key 2048
openssl genrsa -out batman.key 2048

# the api server takes the user name from CN and the group(s) from O
openssl req -new -key ironman.key -out ironman.csr -subj "/CN=ironman/O=avengers"
openssl req -new -key batman.key -out batman.csr -subj "/CN=batman/O=justiceleague"

# sign with the cluster CA (run on the control-plane node; ca.key is readable by root only).
# Kubernetes cannot revoke client certificates, so keep -days short and, if a key
# is lost, remove the user's RoleBindings/ClusterRoleBindings instead.
openssl x509 -req -in ironman.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ironman.crt -days 365

openssl x509 -req -in batman.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out batman.crt -days 365

# register the certificates in the kubeconfig; "kubernetes" is the cluster name kubeadm writes into admin.conf
kubectl config set-credentials ironman --client-certificate=ironman.crt --client-key=ironman.key
kubectl config set-credentials batman --client-certificate=batman.crt --client-key=batman.key

kubectl config set-context ironman-context --cluster=kubernetes --user=ironman
kubectl config set-context batman-context --cluster=kubernetes --user=batman
# switch with: kubectl config use-context batman-context

  • jarvis service account yaml (no namespace is set, so it is created in the default namespace; the ClusterRoleBinding below refers to it as default/jarvis)
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jarvis
  • create a namespace called qa
---
apiVersion: v1
kind: Namespace
metadata:
  name: qa
spec: {}
  • Create a role called justiceleague in namespace qa (the verbs are limited to what the activity asks for; verbs: ["*"] would additionally grant get, update and patch)
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: justiceleague
  namespace: qa
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - services
    verbs: ["create", "list", "watch", "delete"]
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs: ["create", "list", "watch", "delete"]
  • Create a role binding
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: justiceleague-binding
  namespace: qa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: justiceleague
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: batman
  • Create a clusterrole called avengers (same verb list as the Role, rather than "*")
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: avengers
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - services
    verbs: ["create", "list", "watch", "delete"]
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - statefulsets
    verbs: ["create", "list", "watch", "delete"]
  • Create a cluster role binding (a User subject needs apiGroup rbac.authorization.k8s.io or the object is rejected; a ServiceAccount subject needs its namespace and no apiGroup)
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: avengers-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: avengers
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: ironman
  - kind: ServiceAccount
    name: jarvis
    namespace: default
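To see how the four RBAC objects above combine when the api server authorizes a request, here is an added Python model of the decision rule (example code written for these notes, not Kubernetes code and not part of the original page). It encodes the justiceleague Role/RoleBinding and the avengers ClusterRole/ClusterRoleBinding as constructed data, models how a client-cert user (CN as user name, O as groups) and a service account (system:serviceaccount:<namespace>:<name>) appear to the authorizer, and goes beyond the notes with one hypothetical RoleBinding in a namespace called dev that references the avengers ClusterRole, to show that such a binding stays scoped to its own namespace. Group, caller and helper names below are this example's own.

```python
"""Model of Kubernetes RBAC scoping for the policy in the notes.
Added example: it reproduces the authorizer's decision rule, not the
api server's code. Python 3.8+, standard library only."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Rule:
    """One entry of a Role/ClusterRole rules: list."""
    api_groups: Set[str]
    resources: Set[str]
    verbs: Set[str]

    def allows(self, api_group: str, resource: str, verb: str) -> bool:
        def match(wanted: str, allowed: Set[str]) -> bool:
            return "*" in allowed or wanted in allowed
        return (match(api_group, self.api_groups)
                and match(resource, self.resources)
                and match(verb, self.verbs))


@dataclass
class Subject:
    kind: str            # "User", "Group" or "ServiceAccount"
    name: str
    namespace: str = ""  # only used for ServiceAccount


@dataclass
class Binding:
    """RoleBinding (namespace set) or ClusterRoleBinding (namespace None).
    The rules of the referenced Role/ClusterRole are attached directly."""
    rules: List[Rule]
    subjects: List[Subject]
    namespace: Optional[str] = None


@dataclass
class Caller:
    """What the authenticator hands to the authorizer: user name plus groups."""
    name: str
    groups: Set[str] = field(default_factory=set)


def cert_caller(cn: str, orgs: List[str]) -> Caller:
    """Client-cert user: CN is the user name, every O becomes a group."""
    return Caller(cn, set(orgs) | {"system:authenticated"})


def service_account_caller(namespace: str, name: str) -> Caller:
    """Service-account tokens authenticate as system:serviceaccount:<ns>:<name>."""
    return Caller(f"system:serviceaccount:{namespace}:{name}",
                  {"system:serviceaccounts", f"system:serviceaccounts:{namespace}",
                   "system:authenticated"})


def subject_matches(subject: Subject, caller: Caller) -> bool:
    if subject.kind == "User":
        return subject.name == caller.name
    if subject.kind == "Group":
        return subject.name in caller.groups
    if subject.kind == "ServiceAccount":
        return caller.name == f"system:serviceaccount:{subject.namespace}:{subject.name}"
    return False


def can_i(policy: List[Binding], caller: Caller, verb: str, resource: str,
          namespace: str, api_group: str = "") -> bool:
    """RBAC is additive: allow if any in-scope binding names the caller and one
    of its rules covers the verb/resource; there is no deny rule."""
    for binding in policy:
        if binding.namespace is not None and binding.namespace != namespace:
            continue  # a RoleBinding only applies inside its own namespace
        if not any(subject_matches(s, caller) for s in binding.subjects):
            continue
        if any(r.allows(api_group, resource, verb) for r in binding.rules):
            return True
    return False


# Constructed policy mirroring the manifests in the notes.
VERBS = {"create", "list", "watch", "delete"}
JUSTICELEAGUE = [Rule({""}, {"pods", "services"}, VERBS),
                 Rule({"apps"}, {"deployments"}, VERBS)]
AVENGERS = [Rule({""}, {"pods", "services"}, VERBS),
            Rule({"apps"}, {"deployments", "daemonsets", "statefulsets"}, VERBS)]
POLICY = [
    # RoleBinding justiceleague-binding in qa -> Role justiceleague, user batman
    Binding(JUSTICELEAGUE, [Subject("User", "batman")], namespace="qa"),
    # ClusterRoleBinding avengers-binding -> ClusterRole avengers
    Binding(AVENGERS, [Subject("User", "ironman"),
                       Subject("ServiceAccount", "jarvis", "default")]),
    # Hypothetical, not in the notes: ClusterRole avengers granted through a
    # RoleBinding in namespace dev to the group taken from batman's O= field.
    Binding(AVENGERS, [Subject("Group", "justiceleague")], namespace="dev"),
]
BATMAN = cert_caller("batman", ["justiceleague"])
IRONMAN = cert_caller("ironman", ["avengers"])
JARVIS = service_account_caller("default", "jarvis")

if __name__ == "__main__":
    for caller, verb, res, ns, grp in [
        (BATMAN, "create", "pods", "qa", ""),
        (BATMAN, "create", "pods", "default", ""),
        (BATMAN, "get", "pods", "qa", ""),
        (BATMAN, "create", "daemonsets", "dev", "apps"),
        (BATMAN, "create", "daemonsets", "qa", "apps"),
        (IRONMAN, "delete", "statefulsets", "default", "apps"),
        (JARVIS, "list", "deployments", "qa", "apps"),
    ]:
        ok = can_i(POLICY, caller, verb, res, ns, grp)
        print(f"{caller.name:42} {verb:7} {res:12} -n {ns:8} -> {'yes' if ok else 'no'}")
```

On the live cluster the same matrix is checked with kubectl auth can-i create pods -n qa --as batman, kubectl auth can-i get pods -n qa --as batman (expect no, because get was not granted) and kubectl auth can-i list deployments -n qa --as system:serviceaccount:default:jarvis; --as impersonation needs admin rights, so run it from the admin context before handing out the user contexts.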
  • Let's create two deployments: one in qa, which batman, ironman and jarvis can all manage, and one without a namespace, which lands in the current context's namespace (default) where only ironman and jarvis have rights
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: qa-nginx-deployment
  labels:
    app: nginx
  namespace: qa
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80

Exercise

  • Create a kubeadm cluster with a single master
  • Create a user ironman with cluster-level permissions
  • Create a kubeconfig for this user
  • On a new Linux machine, install kubectl, use the generated kubeconfig and check whether you can interact with the k8s cluster as ironman
  • Also try from an external network (the api server port, 6443 by default, must be reachable from there)
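The openssl steps earlier register ironman's certificate by file path, which breaks as soon as the kubeconfig is copied to another machine, as this exercise asks. Here is an added Python helper (example code written for these notes, not part of the page or of kubectl) that builds a stand-alone kubeconfig with the CA, certificate and key embedded as base64, the same result as kubectl config set-credentials --embed-certs=true, and writes it with mode 0600 because it contains the private key. It assumes the files produced by the openssl steps (certs/ironman.crt, certs/ironman.key and /etc/kubernetes/pki/ca.crt) and an api server URL, which is a placeholder below; kubectl reads JSON kubeconfig files, so only the standard library is needed. The PEM header check is this example's own addition, to catch a swapped certificate and key before they are embedded.

```python
"""Build a portable kubeconfig for a client-certificate user such as ironman.
Added example, not from the notes. Python 3.8+, standard library only."""
import base64
import json
import os
from pathlib import Path
from typing import Dict, Tuple

PEM_CERT = "-----BEGIN CERTIFICATE-----"
PEM_KEYS = ("-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----",
            "-----BEGIN EC PRIVATE KEY-----")


def _check_pem(data: bytes, kinds: Tuple[str, ...]) -> None:
    """Refuse swapped or truncated files before they end up in a kubeconfig."""
    head = data.lstrip().split(b"\n", 1)[0].strip().decode("ascii", "replace")
    if head not in kinds:
        raise ValueError(f"unexpected PEM header {head!r}, wanted one of {kinds}")


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def build_kubeconfig(server: str, ca_pem: bytes, cert_pem: bytes, key_pem: bytes,
                     user: str, cluster: str = "kubernetes") -> Dict:
    """Return a kubeconfig dict with all three PEM blobs embedded."""
    _check_pem(ca_pem, (PEM_CERT,))
    _check_pem(cert_pem, (PEM_CERT,))
    _check_pem(key_pem, PEM_KEYS)
    context = f"{user}-context"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster,
                      "cluster": {"server": server,
                                  "certificate-authority-data": _b64(ca_pem)}}],
        "users": [{"name": user,
                   "user": {"client-certificate-data": _b64(cert_pem),
                            "client-key-data": _b64(key_pem)}}],
        "contexts": [{"name": context,
                      "context": {"cluster": cluster, "user": user}}],
        "current-context": context,
    }


def write_kubeconfig(path: str, config: Dict) -> str:
    """Create the file owner-read/write only; it carries the user's private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=2)
    os.chmod(path, 0o600)  # tighten a pre-existing file with a wider mode
    return path


def client_cert_from(config: Dict, user: str) -> bytes:
    """Recover the embedded certificate, e.g. to pipe into
    openssl x509 -noout -subject and confirm CN/O match the RBAC subjects."""
    for entry in config["users"]:
        if entry["name"] == user:
            return base64.b64decode(entry["user"]["client-certificate-data"])
    raise KeyError(user)


if __name__ == "__main__":
    cfg = build_kubeconfig(
        server="https://<control-plane-ip>:6443",  # placeholder, not from the notes
        ca_pem=Path("/etc/kubernetes/pki/ca.crt").read_bytes(),
        cert_pem=Path("certs/ironman.crt").read_bytes(),
        key_pem=Path("certs/ironman.key").read_bytes(),
        user="ironman",
    )
    print("wrote", write_kubeconfig("ironman.kubeconfig", cfg))
```

Copy the resulting file to the second machine and run kubectl --kubeconfig ironman.kubeconfig get pods -A; if the external-network attempt fails, check that port 6443 is reachable and that the server URL is one of the names or IPs in the api server's certificate (kubeadm adds the control-plane IP and the cluster DNS names by default).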

By continuous learner
