Kubernetes part10
Class 95 Kubernetes Part8 August 23rd
In a Kubernetes cluster, different people usually need access (developers, testers, deployment users and so on).
Deciding how to grant that access is the job of Role-Based Access Control (RBAC).
The Kubernetes admin decides which person gets which permission.
RBAC example: one developer only needs to see the pods, another developer needs to delete pods, and a DevOps engineer needs to create and delete pods.
Role-Based Access Control (RBAC) is a critical security feature in Kubernetes that allows you to define and manage access to resources based on roles and permissions. RBAC ensures that only authorized users, processes, or services can interact with specific resources within a Kubernetes cluster
For example:
Roles: Dev, Tester, DevOps (the DevOps role might get pods: view, watch, create, delete; deploy: create, delete; svc: all).
First create the Role, then define its permissions (rules), then attach it to the developer with a binding.
How it works:
The role is attached to the user, much like AWS IAM: for services such as EC2, S3, RDS and VPC you put the permissions (read, write, delete) into one policy and attach that policy to the user. In Kubernetes the role holds the permissions and the binding attaches it to the user.
In Kubernetes, there are two types of accounts
1.User Account
2.Service Account
User account: User accounts are used to log into a Kubernetes cluster and manipulate resources in it. Each user account is associated with a unique set of credentials, which are used to authenticate that user's requests.
Service Account: Kubernetes Service Accounts are specialized accounts used by applications and services running on Kubernetes to interact with the Kubernetes API.
Practical:
In Kubernetes you cannot create a user object directly. Users are authenticated by the API server through one of several methods:
- client certificates
- bearer tokens
- authenticating proxy
- HTTP basic auth
I will choose client certificates, which are easy to create.
The certificate identifies the user: when the user runs a command such as kubectl get po, the Kubernetes API server first authenticates the request (who is calling) and then authorizes it (what that user may do).
Step1: Generate a private key and a certificate, much like ssh-keygen generates a key pair.
Create a folder: subbu
Generate a key using openssl: openssl genrsa -out subbu.key 2048
Generate a Certificate Signing Request (CSR): openssl req -new -key subbu.key -out subbu.csr -subj "/CN=subbu/O=group1"
Generate the certificate (CRT), signed by the minikube cluster CA: openssl x509 -req -in subbu.csr -CA ~/.minikube/ca.crt -CAkey ~/.minikube/ca.key -CAcreateserial -out subbu.crt -days 500
The CN in the subject becomes the Kubernetes user name and the O becomes the user's group; this is what RBAC bindings refer to.
Steps to create the user:
Add the user to kubeconfig: kubectl config set-credentials subbu --client-certificate=subbu.crt --client-key=subbu.key
[root@ip-10-0-0-29 subbu]# openssl genrsa -out subbu.key 2048
[root@ip-10-0-0-29 subbu]# ls
subbu.key
[root@ip-10-0-0-29 subbu]# openssl req -new -key subbu.key -out subbu.csr -subj "/CN=subbu/O=group1"
[root@ip-10-0-0-29 subbu]# ls -lrt
total 8
-rw-------. 1 root root 1704 Aug 26 14:36 subbu.key
-rw-r--r--. 1 root root 907 Aug 26 14:38 subbu.csr
[root@ip-10-0-0-29 subbu]# openssl x509 -req -in subbu.csr -CA ~/.minikube/ca.crt -CAkey ~/.minikube/ca.key -CAcreateserial -out subbu.crt -days 500
Certificate request self-signature ok
subject=CN=subbu, O=group1
[root@ip-10-0-0-29 subbu]# kubectl config set-credentials subbu --client-certificate=subbu.crt --client-key=subbu.key
User "subbu" set.
Step2: The user is created. To switch from one user to another we use a context.
-- Below, kubectl config view shows the current context (minikube) and the list of users:
[root@ip-10-0-0-29 subbu]# kubectl config view
current-context: minikube
users:
- name: minikube
  user:
    client-certificate: /root/.minikube/profiles/minikube/client.crt
    client-key: /root/.minikube/profiles/minikube/client.key
- name: subbu
  user:
    client-certificate: /root/subbu/subbu.crt
    client-key: /root/subbu/subbu.key
Step3: Switching from one user to another requires a context. As you can see above, minikube has a context but the subbu user has none, so we need to create a context for our user.
Create a context with the name my-context that pairs the minikube cluster with the subbu user.
Set a context entry in kubeconfig: kubectl config set-context my-context --cluster=minikube --user=subbu
[root@ip-10-0-0-29 subbu]# kubectl config set-context my-context --cluster=minikube --user=subbu
Context "my-context" created.
[root@ip-10-0-0-29 subbu]# kubectl config view
contexts:
- context:
    cluster: minikube
    user: minikube
  name: minikube
- context:
    cluster: minikube
    user: subbu
  name: my-context
Step4: Switch the context
Switch to the subbu user: kubectl config use-context my-context
[root@ip-10-0-0-29 subbu]# kubectl config use-context my-context
Switched to context "my-context".
-- Now you can see we are in my-context
[root@ip-10-0-0-29 subbu]# kubectl config view
current-context: my-context
-- We have only created the user and have not given any permission yet, so every request is denied:
[root@ip-10-0-0-29 subbu]# kubectl get po
Error from server (Forbidden): pods is forbidden: User "subbu" cannot list resource "pods" in API group "" in the namespace "default"
There are four components to RBAC in Kubernetes:
1. Role
2. ClusterRole
3. RoleBinding
4. ClusterRoleBinding
A Role lists permissions (resources such as pods, svc, deploy and verbs such as create, delete, watch) within one namespace; attaching it to a user is called a RoleBinding.
A ClusterRole lists the same kind of permissions but is not tied to a namespace; attaching it to a user is called a ClusterRoleBinding.
If you are giving permission in one specific namespace, use a Role with a RoleBinding.
If you are giving permission across all namespaces, use a ClusterRole with a ClusterRoleBinding.
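To make the scoping rules above concrete, here is an added Python model (not Kubernetes' own code) of how the API server's RBAC authorizer answers a request. The objects are constructed from the dev-role RoleBinding and the devops-role ClusterRoleBinding that this post creates below, and the denial message mirrors the Forbidden error kubectl prints.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:                      # one entry of a Role's / ClusterRole's "rules" list
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]

    def allows(self, group: str, resource: str, verb: str) -> bool:
        hit = lambda allowed, v: "*" in allowed or v in allowed
        return hit(self.api_groups, group) and hit(self.resources, resource) and hit(self.verbs, verb)

@dataclass
class Role:                      # namespace=None models a ClusterRole
    name: str
    rules: List[Rule]
    namespace: Optional[str] = None

@dataclass
class Binding:                   # namespace=None models a ClusterRoleBinding
    role: Role
    users: List[str]
    namespace: Optional[str] = None

def authorized(bindings, user, verb, resource, namespace, group="") -> bool:
    """Allow if some binding for `user` reaches a rule that permits the request."""
    for b in bindings:
        if user not in b.users:
            continue
        # A RoleBinding grants only inside its own namespace (even if it references
        # a ClusterRole); a ClusterRoleBinding grants in every namespace.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(r.allows(group, resource, verb) for r in b.role.rules):
            return True
    return False

def decision(bindings, user, verb, resource, namespace, group="") -> str:
    """'allowed', or the Forbidden message the API server returns for a denial."""
    if authorized(bindings, user, verb, resource, namespace, group):
        return "allowed"
    return (f'{resource} is forbidden: User "{user}" cannot {verb} resource '
            f'"{resource}" in API group "{group}" in the namespace "{namespace}"')

# Constructed from this post's YAML (pods and services live in the core API group "")
DEV_ROLE = Role("dev-role", [Rule(["*"], ["pods", "services"], ["get", "list", "create"])], "dev")
DEV_BINDING = Binding(DEV_ROLE, ["subbu"], "dev")                 # RoleBinding in dev
DEVOPS_ROLE = Role("devops-role", [Rule(["*"], ["pods", "services"], ["get", "list", "create", "delete", "watch"])])
DEVOPS_BINDING = Binding(DEVOPS_ROLE, ["subbu"])                  # ClusterRoleBinding
```

On a live cluster the same question is answered from the admin context with `kubectl auth can-i list pods --as=subbu -n dev`, which is a quick way to verify a binding before switching users.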
To grant permissions, a role needs to be created.
First create a dedicated namespace:
Step1:
[root@ip-10-0-0-29 subbu]# kubectl create ns dev
namespace/dev created
kubectl api-resources lists every resource type with its API group and version, which you need when filling in the role's apiGroups and resources fields:
[root@ip-10-0-0-29 subbu]# kubectl api-resources
Create the role
[root@ip-10-0-0-29 subbu]# vi role.yaml
[root@ip-10-0-0-29 subbu]# cat role.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-role
  namespace: dev
rules:
- apiGroups: ["*"]      # pods and services are in the core API group; "" would be sufficient, "*" is broader
  resources: ["pods","services"]   # the resource name is "services" (plural), as listed by kubectl api-resources
  verbs: ["get","list","create"]
[root@ip-10-0-0-29 subbu]# kubectl create -f role.yaml
role.rbac.authorization.k8s.io/dev-role created
Step2: Check whether the role was created in the dev namespace
[root@ip-10-0-0-29 subbu]# kubectl get roles -n dev
NAME CREATED AT
dev-role 2025-08-26T15:23:56Z
Step3: Create a RoleBinding that attaches the above role to the user subbu
[root@ip-10-0-0-29 subbu]# cat binding.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-role-binding
  namespace: dev
subjects:
- kind: User
  name: subbu
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev-role
  apiGroup: rbac.authorization.k8s.io
[root@ip-10-0-0-29 subbu]# kubectl create -f binding.yaml
rolebinding.rbac.authorization.k8s.io/dev-role-binding created
Step3: The role is now attached to the user through the RoleBinding, so the subbu user is able to list and create pods in the dev namespace.
Let's switch to that user using the context:
[root@ip-10-0-0-29 subbu]# kubectl config use-context my-context
Switched to context "my-context".
[root@ip-10-0-0-29 subbu]# kubectl config view
current-context: my-context
We get an error because we gave permission in the dev namespace, not the default namespace:
[root@ip-10-0-0-29 subbu]# kubectl get po
Error from server (Forbidden): pods is forbidden: User "subbu" cannot list resource "pods" in API group "" in the namespace "default"
-- In the dev namespace the permission exists:
[root@ip-10-0-0-29 subbu]# kubectl get po -n dev
No resources found in dev namespace.
Step4: Let's create a pod. The pod is created successfully and can be listed as well.
[root@ip-10-0-0-29 subbu]# kubectl run pod-1 --image=nginx -n dev
pod/pod-1 created
[root@ip-10-0-0-29 subbu]# kubectl get pod -n dev
NAME READY STATUS RESTARTS AGE
pod-1 1/1 Running 0 14s
Step5: We have not given delete permission to subbu; let's try it once.
[root@ip-10-0-0-29 subbu]# kubectl delete pod pod-1 -n dev
Error from server (Forbidden): pods "pod-1" is forbidden: User "subbu" cannot delete resource "pods" in API group "" in the namespace "dev"
We get an error because the subbu user does not have the delete permission. To grant it, switch to the minikube (admin) context and update the role.
Step6:
[root@ip-10-0-0-29 subbu]# kubectl config use-context minikube
Switched to context "minikube".
current-context: minikube
[root@ip-10-0-0-29 subbu]# cat role.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-role
  namespace: dev
rules:
- apiGroups: ["*"]
  resources: ["pods","services"]
  verbs: ["get","list","create","delete","watch"]
Step7: Apply the updated role.
Output after running the command (the warning appears because the role was first created with kubectl create rather than kubectl apply):
[root@ip-10-0-0-29 subbu]# kubectl apply -f role.yaml
Warning: resource roles/dev-role is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
role.rbac.authorization.k8s.io/dev-role configured
[root@ip-10-0-0-29 subbu]# kubectl get pod -n dev
NAME READY STATUS RESTARTS AGE
pod-1 1/1 Running 0 61s
[root@ip-10-0-0-29 subbu]# kubectl delete po pod-1 -n dev
pod "pod-1" deleted
Cluster role and cluster role binding
Step1: First delete the role in the dev namespace
[root@ip-10-0-0-29 subbu]# kubectl delete role --all -n dev
role.rbac.authorization.k8s.io "dev-role" deleted
Step2: Delete the rolebinding
[root@ip-10-0-0-29 subbu]# kubectl delete rolebinding --all -n dev
rolebinding.rbac.authorization.k8s.io "dev-role-binding" deleted
Step3: Now create a ClusterRole and a ClusterRoleBinding that attaches it to the subbu user
[root@ip-10-0-0-29 subbu]# cat clusterrole.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: devops-role
rules:
- apiGroups: ["*"]
  resources: ["pods","services"]
  verbs: ["get","list","create","delete","watch"]
[root@ip-10-0-0-29 subbu]# kubectl create -f clusterrole.yaml
clusterrole.rbac.authorization.k8s.io/devops-role created
[root@ip-10-0-0-29 subbu]# cat clusterbinding.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: devops-role-binding
subjects:
- kind: User
  name: subbu
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: devops-role
  apiGroup: rbac.authorization.k8s.io
[root@ip-10-0-0-29 subbu]# kubectl create -f clusterbinding.yaml
clusterrolebinding.rbac.authorization.k8s.io/devops-role-binding created
Now the user has these permissions in all namespaces.
Step4: Switch to my-context (the subbu user)
[root@ip-10-0-0-29 subbu]# kubectl config use-context my-context
Switched to context "my-context".
-- Now even the pods in the default namespace are listed:
[root@ip-10-0-0-29 subbu]# kubectl get po
NAME READY STATUS RESTARTS AGE
pod-1 0/1 CreateContainerConfigError 0 5d
pod-2 0/1 CreateContainerConfigError 0 5d
pod-3 1/1 Running 7 (4h9m ago) 4d23h
pod-4 1/1 Running 6 (4h9m ago) 4d9h
test-curl 0/1 ImagePullBackOff 0 4d6h
-- We can also delete pods in the default namespace:
[root@ip-10-0-0-29 subbu]# kubectl delete pod pod-1
pod "pod-1" deleted
[root@ip-10-0-0-29 subbu]# kubectl delete pod pod-2
pod "pod-2" deleted
-- And create pods there:
[root@ip-10-0-0-29 subbu]# kubectl run pod-1 --image=nginx
pod/pod-1 created
[root@ip-10-0-0-29 subbu]# kubectl get po
NAME READY STATUS RESTARTS AGE
pod-1 1/1 Running 0 10s
pod-3 1/1 Running 7 (4h11m ago) 4d23h
pod-4 1/1 Running 6 (4h11m ago) 4d9h
test-curl 0/1 ImagePullBackOff 0 4d6h
Step5: As subbu, create a pod in the dev namespace as well
[root@ip-10-0-0-29 subbu]# kubectl run pod-1 --image=nginx -n dev
pod/pod-1 created
Step6: Switch back to the minikube context and create a new namespace with a pod in it
[root@ip-10-0-0-29 subbu]# kubectl config use-context minikube
Switched to context "minikube".
-- Create a namespace prod
[root@ip-10-0-0-29 subbu]# kubectl create ns prod
namespace/prod created
-- Create a pod in the new prod namespace
[root@ip-10-0-0-29 subbu]# kubectl run pod-2 --image=ubuntu -n prod
pod/pod-2 created
-- Pods now exist in default, dev and prod; with the ClusterRoleBinding in place, the subbu user can list, create and delete pods in all of these namespaces, not only in dev:
[root@ip-10-0-0-29 subbu]# kubectl get po -n prod
NAME READY STATUS RESTARTS AGE
pod-2 0/1 CrashLoopBackOff 4 (17s ago) 119s
[root@ip-10-0-0-29 subbu]# kubectl get po -n dev
NAME READY STATUS RESTARTS AGE
pod-1 1/1 Running 0 9m23s
--Thanks