Prerequisites#

• A Kubernetes cluster
• kubectl configured with admin access
• Basic understanding of Kubernetes concepts

Step 1: Setting Up a User#

First, let’s create a new user named ‘krishna’:

1
openssl genrsa -out krishna.key 2048
2
openssl req -new -key krishna.key -out krishna.csr -subj "/CN=krishna"

Now, create a CertificateSigningRequest and approve it:

1
# Create CSR
2
cat <<EOF | kubectl apply -f -
3
apiVersion: certificates.k8s.io/v1
4
kind: CertificateSigningRequest
5
metadata:
6
  name: krishna-csr
7
spec:
8
  request: $(cat krishna.csr | base64 | tr -d '\n')
9
  signerName: kubernetes.io/kube-apiserver-client
10
  expirationSeconds: 86400  # one day
11
  usages:
12
  - client auth
13
EOF
14

15
# Approve CSR
16
kubectl certificate approve krishna-csr
17

18
# Get the certificate
19
kubectl get csr krishna-csr -o jsonpath='{.status.certificate}'| base64 -d > krishna.crt

Step 2: Checking Default Permissions#

Switch to the krishna context:

1
kubectl config set-credentials krishna --client-key=krishna.key --client-certificate=krishna.crt
2
kubectl config set-context krishna-context --cluster=your-cluster-name --user=krishna
3
kubectl config use-context krishna-context

Now, try to create a pod:

1
kubectl run nginx --image=nginx

You should see an error message indicating that krishna doesn’t have permission to create pods.

Step 3: Creating a Role#

Switch back to the admin context:

1
kubectl config use-context admin-context

Create a Role for reading pods:

1
apiVersion: rbac.authorization.k8s.io/v1
2
kind: Role
3
metadata:
4
  namespace: default
5
  name: pod-reader
6
rules:
7
  - apiGroups: [""]
8
    resources: ["pods"]
9
    verbs: ["get", "watch", "list"]

Apply this Role:

1
kubectl apply -f pod-reader-role.yaml

Step 4: Creating a RoleBinding#

Create a RoleBinding to associate the Role with krishna:

1
apiVersion: rbac.authorization.k8s.io/v1
2
kind: RoleBinding
3
metadata:
4
  name: read-pods
5
  namespace: default
6
subjects:
7
  - kind: User
8
    name: krishna
9
    apiGroup: rbac.authorization.k8s.io
10
roleRef:
11
  kind: Role
12
  name: pod-reader
13
  apiGroup: rbac.authorization.k8s.io

Apply this RoleBinding:

1
kubectl apply -f read-pods-rolebinding.yaml

Step 5: Testing Permissions#

Switch back to krishna’s context:

1
kubectl config use-context krishna-context

Now, try these operations:

1. Create a pod:

   1
   kubectl run nginx --image=nginx
   

   Expected: Permission denied

2. List pods:

   1
   kubectl get pods
   

   Expected: Success

3. Create a deployment:

   1
   kubectl create deployment nginx-deploy --image=nginx
   

   Expected: Permission denied

Conclusion#

In this hands-on guide, we’ve walked through the process of implementing RBAC in Kubernetes. We created a new user, defined a Role with specific permissions, bound that Role to our user, and tested the resulting access controls.

Key takeaways:

1. RBAC allows fine-grained control over what users can do in a Kubernetes cluster.
2. Roles define permissions, while RoleBindings associate those permissions with users.
3. Always follow the principle of least privilege when assigning permissions.

Remember, RBAC is a powerful tool for securing your Kubernetes cluster. Use it wisely to ensure that users and services have only the permissions they need to function.

This blog post template provides a step-by-step guide to implementing and understanding RBAC in Kubernetes, based on the task you described. It includes practical commands, explanations of expected outcomes, and key takeaways. The content is structured to be both informative and hands-on, suitable for readers who want to learn by doing.