Complete k8s Classroom notes 13/Sep/2023

Kubernetes RBAC

  • Building Blocks

Service Accounts

  • A Service Account is a user account for non-human identities (like AWS roles)
  • Whenever we create a namespace, a service account called default is created
  • For every pod created, the service account token and the cluster CA certificate are mounted at /var/run/secrets/kubernetes.io/serviceaccount so the pod can access the API Server
  • These credentials do not have permission to access kube-apiserver resources
  • Let's create our own service account
kubectl create serviceaccount qtsa
  • Let's assign permissions to the service account qtsa
kubectl create rolebinding qtsa-readonly \
    --clusterrole view \
    --serviceaccount=default:qtsa \
    --namespace=default

* Let's specify the service account for this pod

apiVersion: v1
kind: Pod
metadata:
  name: nginx-sa-demo
spec:
  serviceAccountName: qtsa
  containers:
    - name: nginx
      image: nginx

* Now let's interact with kube-apiserver from inside the pod using the below script

APISERVER=https://kubernetes.default.svc
SERVICEACCOUNT_DIR=/var/run/secrets/kubernetes.io/serviceaccount
TOKEN=$(cat ${SERVICEACCOUNT_DIR}/token)
CACERT=${SERVICEACCOUNT_DIR}/ca.crt
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/default/pods

  • Security Risk: It is generally recommended to disable the automount feature (Refer Here). To mitigate, Refer Here
  • For RBAC we need to understand Roles and RoleBindings
  • Rules in a ClusterRole or Role are additive, i.e. they support only allow rules (there are no deny rules)

Create a Role and view what a role can do by binding this to serviceaccount

  • Let's create a role called secret-reader which has access to only read secrets
  • Let's create a role called secret-pod-reader which has access to read both secrets and pods
  • Let's create
    • a service account sr-sa bound to the secret-reader role
    • a service account spr-sa bound to the secret-pod-reader role
  • To view the permissions of a service account, use kubectl auth can-i
 kubectl auth can-i --list --as="system:serviceaccount:<namespace>:<service-account-name>"

* Refer Here for the specs and Refer Here for the fix with apiGroups
* Apply the specs
* View the permissions
* secret reader
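To see why the two service accounts answer `kubectl auth can-i` differently, here is an added example (not from the original notes) that models how the API server evaluates RBAC: the roles, bindings and subject names below are constructed to match the secret-reader / secret-pod-reader exercise, and the evaluator shows that rules are allow-only and additive, and that pods and secrets live in the core apiGroup "".

```python
# Added example, not part of the original notes: a minimal model of
# Kubernetes RBAC evaluation for the secret-reader exercise above.

# Roles as Kubernetes stores them: only allow rules, never deny rules.
# apiGroups "" is the core group, where both secrets and pods live.
ROLES = {
    "secret-reader": [
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["get", "list", "watch"]},
    ],
    "secret-pod-reader": [
        {"apiGroups": [""], "resources": ["secrets", "pods"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# RoleBindings: subject -> names of the roles bound to it (constructed).
BINDINGS = {
    "system:serviceaccount:default:sr-sa": ["secret-reader"],
    "system:serviceaccount:default:spr-sa": ["secret-pod-reader"],
    "system:serviceaccount:default:default": [],  # no bindings at all
}


def _match(allowed, value):
    """A rule field matches if it lists the value or the '*' wildcard."""
    return "*" in allowed or value in allowed


def can_i(subject, verb, resource, api_group=""):
    """Return True if ANY rule of ANY bound role allows the request.

    Mirrors `kubectl auth can-i --as=<subject>`: permissions are purely
    additive, so one matching allow rule is enough and nothing can
    subtract it. A rule written with apiGroups: ["apps"] would not grant
    core resources, which is the apiGroups mistake the notes refer to.
    """
    for role in BINDINGS.get(subject, []):
        for rule in ROLES.get(role, []):
            if (_match(rule["apiGroups"], api_group)
                    and _match(rule["resources"], resource)
                    and _match(rule["verbs"], verb)):
                return True
    return False


if __name__ == "__main__":
    for sa in ("sr-sa", "spr-sa", "default"):
        subject = f"system:serviceaccount:default:{sa}"
        for res in ("secrets", "pods"):
            print(f"{sa:7} get {res:7} -> {'yes' if can_i(subject, 'get', res) else 'no'}")
```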
