Mastering Kubernetes RBAC - A Hands-On Guide

Role-Based Access Control (RBAC) is a crucial aspect of Kubernetes security. In this hands-on guide, we’ll walk through the process of setting up RBAC, creating roles and role bindings, and testing user permissions in a Kubernetes cluster.

Prerequisites

  • A Kubernetes cluster
  • kubectl configured with admin access
  • Basic understanding of Kubernetes concepts

Step 1: Setting Up a User

First, let’s create a new user named ‘krishna’. Kubernetes has no user objects, so a user is represented by a client certificate whose CN carries the user name; generate a private key and a certificate signing request for it:

openssl genrsa -out krishna.key 2048
openssl req -new -key krishna.key -out krishna.csr -subj "/CN=krishna"

Now, create a CertificateSigningRequest and approve it:

# Create the CSR object; the request field carries the base64-encoded PEM CSR
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: krishna-csr
spec:
  request: $(base64 < krishna.csr | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400  # one day
  usages:
  - client auth
EOF
# Approve the CSR (needs admin rights)
kubectl certificate approve krishna-csr
# Extract the signed certificate
kubectl get csr krishna-csr -o jsonpath='{.status.certificate}' | base64 -d > krishna.crt

Step 2: Checking Default Permissions

Switch to the krishna context:

kubectl config set-credentials krishna --client-key=krishna.key --client-certificate=krishna.crt
kubectl config set-context krishna-context --cluster=your-cluster-name --user=krishna
kubectl config use-context krishna-context

Now, try to create a pod:

kubectl run nginx --image=nginx

You should see a "Forbidden" error indicating that krishna doesn’t have permission to create pods: RBAC is deny-by-default, and no Role has been bound to this user yet.

Step 3: Creating a Role

Switch back to the admin context:

kubectl config use-context admin-context

Create a Role for reading pods and save it as pod-reader-role.yaml. A Role is namespaced, so this one only grants access to pods in the default namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]   # "" is the core API group, where pods live
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

Apply this Role:

kubectl apply -f pod-reader-role.yaml

Step 4: Creating a RoleBinding

Create a RoleBinding to associate the Role with krishna and save it as read-pods-rolebinding.yaml. The subject name must match the CN of the certificate issued in Step 1:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: krishna
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Apply this RoleBinding:

kubectl apply -f read-pods-rolebinding.yaml

Step 5: Testing Permissions

Switch back to krishna’s context:

kubectl config use-context krishna-context

Now, try these operations:

  1. Create a pod:

    kubectl run nginx --image=nginx

    Expected: Permission denied

  2. List pods:

    kubectl get pods

    Expected: Success

  3. Create a deployment:

    kubectl create deployment nginx-deploy --image=nginx

    Expected: Permission denied (deployments live in the apps API group, which the pod-reader Role does not mention, and "create" is not among its verbs)
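
To see why the three checks above come out the way they do, here is an added example (my own code, not part of the original post) that models how the API server evaluates the pod-reader Role and read-pods RoleBinding: the binding must live in the request's namespace and name the user, and one rule must match apiGroup, resource and verb. It deliberately ignores ClusterRoles, groups and resourceNames; the Request class and check helper are names I chose.

```python
"""Simplified model of Kubernetes RBAC evaluation for a namespaced Role/RoleBinding."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    verb: str
    resource: str    # e.g. "pods", "deployments"
    api_group: str   # "" for the core group, "apps" for deployments
    namespace: str


def rule_matches(rule: dict, req: Request) -> bool:
    """A rule matches only when apiGroups, resources AND verbs all match ('*' is a wildcard)."""
    def match(allowed: list, value: str) -> bool:
        return "*" in allowed or value in allowed
    return (match(rule["apiGroups"], req.api_group)
            and match(rule["resources"], req.resource)
            and match(rule["verbs"], req.verb))


def is_allowed(req: Request, roles: dict, bindings: list) -> bool:
    """Deny by default: allow only if a binding in the request's namespace names the user
    and refers to a Role in that namespace with at least one matching rule."""
    for binding in bindings:
        if binding["namespace"] != req.namespace:
            continue
        if not any(s["kind"] == "User" and s["name"] == req.user for s in binding["subjects"]):
            continue
        role = roles.get((binding["namespace"], binding["roleRef"]["name"]))
        if role and any(rule_matches(rule, req) for rule in role["rules"]):
            return True
    return False


# The Role and RoleBinding from the guide, constructed inline as plain dicts.
ROLES = {("default", "pod-reader"): {"rules": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]}}
BINDINGS = [{"namespace": "default",
             "subjects": [{"kind": "User", "name": "krishna"}],
             "roleRef": {"kind": "Role", "name": "pod-reader"}}]


def check(verb: str, resource: str, api_group: str = "", namespace: str = "default",
          user: str = "krishna") -> bool:
    """Evaluate one request for krishna against the guide's objects."""
    return is_allowed(Request(user, verb, resource, api_group, namespace), ROLES, BINDINGS)
```

On a real cluster the same questions are answered by `kubectl auth can-i list pods --as krishna -n default` and friends, which is a quick way to verify a binding without switching contexts.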

Conclusion

In this hands-on guide, we’ve walked through the process of implementing RBAC in Kubernetes. We created a new user, defined a Role with specific permissions, bound that Role to our user, and tested the resulting access controls.

Key takeaways:

  1. RBAC allows fine-grained control over what users can do in a Kubernetes cluster.
  2. Roles define permissions, while RoleBindings associate those permissions with users.
  3. Always follow the principle of least privilege when assigning permissions.

Remember, RBAC is a powerful tool for securing your Kubernetes cluster. Use it wisely to ensure that users and services have only the permissions they need to function.



https://mranv.pages.dev/posts/kubernetes-rbac-hands-on/
Author: Anubhav Gain
Published: 2024-09-29
License: CC BY-NC-SA 4.0