Mastering Kubernetes RBAC - A Hands-On Guide

Published: at 06:30 AM

Role-Based Access Control (RBAC) is a crucial aspect of Kubernetes security. In this hands-on guide, we’ll walk through the process of setting up RBAC, creating roles and role bindings, and testing user permissions in a Kubernetes cluster.

Prerequisites

Step 1: Setting Up a User

Kubernetes has no User objects: a "user" is simply whatever name the authenticator reports, and for client certificates that is the certificate's CN. So to create a user named 'krishna' we generate a key pair and a CSR whose subject is CN=krishna:

openssl genrsa -out krishna.key 2048
openssl req -new -key krishna.key -out krishna.csr -subj "/CN=krishna"

Now, submit that CSR to the cluster as a CertificateSigningRequest and approve it. Approval is an administrative action: whoever holds the resulting certificate can authenticate as 'krishna' until it expires (one day here, set by expirationSeconds), so only approve CSRs you created yourself. The signer kubernetes.io/kube-apiserver-client issues certificates trusted by the API server for client authentication:

# Create CSR
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: krishna-csr
spec:
  request: $(cat krishna.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400  # one day
  usages:
  - client auth
EOF

# Approve CSR
kubectl certificate approve krishna-csr

# Fetch the signed certificate (base64-encoded in the CSR status)
kubectl get csr krishna-csr -o jsonpath='{.status.certificate}' | base64 -d > krishna.crt

Step 2: Checking Default Permissions

Add krishna's key and certificate to your kubeconfig as a credential, create a context that pairs it with your cluster (replace your-cluster-name with the cluster entry that already exists in your kubeconfig; kubectl config get-contexts shows it), and switch to that context:

kubectl config set-credentials krishna --client-key=krishna.key --client-certificate=krishna.crt
kubectl config set-context krishna-context --cluster=your-cluster-name --user=krishna
kubectl config use-context krishna-context

Now, try to create a pod:

kubectl run nginx --image=nginx

You should see a Forbidden error of the form "pods is forbidden: User "krishna" cannot create resource "pods" in API group "" in the namespace "default"". The certificate authenticated krishna successfully; RBAC is deny-by-default, and no Role or ClusterRole has been bound to this user yet, so every request is refused.

Step 3: Creating a Role

Switch back to your administrative context (admin-context below is a placeholder for whichever context in your kubeconfig has permission to create RBAC objects):

kubectl config use-context admin-context

Create a Role that grants read-only access to pods. A Role is namespaced, so this one only ever applies to pods in the default namespace. The empty apiGroups entry ("") denotes the core API group, which is where pods live. Save it as pod-reader-role.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]

Apply this Role:

kubectl apply -f pod-reader-role.yaml

Step 4: Creating a RoleBinding

Create a RoleBinding that grants the Role to krishna. The subject name must match the authenticated user name exactly, i.e. the certificate CN. Because the binding is also namespaced, it grants pod-reader's permissions only in default. Save it as read-pods-rolebinding.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
  - kind: User
    name: krishna
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Apply this RoleBinding:

kubectl apply -f read-pods-rolebinding.yaml

Step 5: Testing Permissions

Switch back to krishna’s context:

kubectl config use-context krishna-context

Now, try these operations; the expected result follows from the single rule in pod-reader:

  1. Create a pod:

    kubectl run nginx --image=nginx

    Expected: Forbidden. kubectl run creates a pod, and the Role grants only get, watch and list on pods, not create.

  2. List pods:

    kubectl get pods

    Expected: Success. This is a list on pods in the default namespace, which the Role allows. The same command with -n kube-system is still Forbidden, because the Role and RoleBinding are scoped to default.

  3. Create a deployment:

    kubectl create deployment nginx-deploy --image=nginx

    Expected: Forbidden. Deployments live in the apps API group, which the Role does not mention at all.
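To make the decisions in Steps 2 to 5 predictable rather than something you discover by trial, here is an offline model of how the API server's RBAC authorizer evaluates a request against the exact Role and RoleBinding defined above. This is an added example written for this guide, not Kubernetes code: it transcribes the documented rules (deny by default, no deny rules, "*" as the only wildcard, RoleBindings confined to their namespace) into Python. The built-in cluster-admin ClusterRole bound to the system:masters group is included for contrast; the implicit system:authenticated group that every certificate user receives is assumed to be the only group krishna has, since the certificate carries no O= fields.

```python
"""Offline model of the kube-apiserver RBAC decision, applied to the
pod-reader Role and read-pods RoleBinding from this guide.
Added example for the guide: a simulation of Kubernetes' documented
RBAC semantics, not code from Kubernetes itself."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    api_groups: List[str]   # "" is the core API group (pods, services, ...)
    resources: List[str]
    verbs: List[str]


@dataclass
class Role:
    name: str
    rules: List[Rule]
    namespace: Optional[str] = None   # None means this is a ClusterRole


@dataclass
class Binding:
    subjects: List[Tuple[str, str]]   # (kind, name), e.g. ("User", "krishna")
    role_ref: Role
    namespace: Optional[str] = None   # None means this is a ClusterRoleBinding


def _matches(allowed: List[str], value: str) -> bool:
    # RBAC lists are exact-match; "*" is the only wildcard.
    return "*" in allowed or value in allowed


def rule_allows(rule: Rule, verb: str, api_group: str, resource: str) -> bool:
    return (_matches(rule.verbs, verb)
            and _matches(rule.api_groups, api_group)
            and _matches(rule.resources, resource))


def subject_matches(binding: Binding, user: str, groups: List[str]) -> bool:
    for kind, name in binding.subjects:
        if kind == "User" and name == user:
            return True
        if kind == "Group" and name in groups:
            return True
    return False


def can_i(bindings: List[Binding], user: str, groups: List[str], verb: str,
          resource: str, api_group: str = "", namespace: str = "") -> bool:
    """True if any binding grants the request; RBAC has no deny rules.
    namespace="" denotes a cluster-scoped request (e.g. listing nodes)."""
    for b in bindings:
        if b.namespace is None and b.role_ref.namespace is not None:
            # The API server rejects this object; a Role cannot be bound cluster-wide.
            raise ValueError("a ClusterRoleBinding cannot reference a namespaced Role")
        # A RoleBinding only grants inside its own namespace, even when it
        # references a ClusterRole.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if not subject_matches(b, user, groups):
            continue
        if any(rule_allows(r, verb, api_group, resource) for r in b.role_ref.rules):
            return True
    return False


# The two objects from this guide, transcribed from the YAML above.
POD_READER = Role("pod-reader", [Rule([""], ["pods"], ["get", "watch", "list"])],
                  namespace="default")
READ_PODS = Binding([("User", "krishna")], POD_READER, namespace="default")
# Built-in pair present in every cluster, shown for contrast.
CLUSTER_ADMIN = Role("cluster-admin", [Rule(["*"], ["*"], ["*"])])
MASTERS = Binding([("Group", "system:masters")], CLUSTER_ADMIN)
CLUSTER = [READ_PODS, MASTERS]


def krishna_can(verb: str, resource: str, api_group: str = "",
                namespace: str = "default") -> bool:
    # Assumption: the certificate has CN=krishna and no O= groups, so the
    # only group is the implicit system:authenticated.
    return can_i(CLUSTER, "krishna", ["system:authenticated"], verb, resource,
                 api_group, namespace)


if __name__ == "__main__":
    # Each tuple mirrors one of the kubectl commands tried in Step 5.
    checks = [("list", "pods", "", "default"),          # kubectl get pods
              ("create", "pods", "", "default"),        # kubectl run nginx
              ("create", "deployments", "apps", "default"),  # kubectl create deployment
              ("list", "pods", "", "kube-system"),      # kubectl get pods -n kube-system
              ("list", "nodes", "", "")]                # kubectl get nodes
    for verb, res, grp, ns in checks:
        verdict = "yes" if krishna_can(verb, res, grp, ns) else "no"
        print(f"can krishna {verb} {res} (group={grp!r}, ns={ns!r})? {verdict}")
```

The live equivalent of each check is kubectl auth can-i, which you can run from the admin context with impersonation (for example kubectl auth can-i create pods --as=krishna -n default) without switching contexts at all; the model above should agree with it for these objects.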

Conclusion

In this hands-on guide, we’ve walked through the process of implementing RBAC in Kubernetes. We created a new user, defined a Role with specific permissions, bound that Role to our user, and tested the resulting access controls.

Key takeaways:

  1. RBAC allows fine-grained control over what users can do in a Kubernetes cluster.
  2. Roles define permissions, while RoleBindings associate those permissions with users. Both are namespaced; cluster-wide permissions need a ClusterRole and a ClusterRoleBinding.
  3. Always follow the principle of least privilege when assigning permissions.

Remember, RBAC is a powerful tool for securing your Kubernetes cluster. Use it wisely to ensure that users and services have only the permissions they need to function.
