RBAC

Role Based Access Control

Step 1: Check the pods

kubectl get pods

Step 2: Create a private key for your user.

cd /etc/kubernetes/pki/

sudo openssl genrsa -out nishanth.key 2048

Step 3: Create a certificate sign request nishanth.csr using the private key you just created

After running the below command, it will ask for details. please provide necessary details.

sudo openssl req -new -key nishanth.key -out nishanth.csr

Step 4: Locate your Kubernetes cluster certificate authority (CA)

cd /etc/kubernetes/pki/

Step 5: Generate the final certificate nishanth.crt by approving the certificate sign request, nishanth.csr, you made earlier

sudo openssl x509 -req -in nishanth.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out nishanth.crt

Save both nishanth.crt and nishanth.key in a safe location. i.e Keep them in a folder from where you can access and have permission on the filesystem

Step 6: Add new credentials for your Kubernetes cluster

kubectl config set-credentials nishanth --client-certificate=nishanth.crt  --client-key=nishanth.key

Step 7: Now use ''nishanth" to check the permissions

kubectl --user=nishanth get pod

Step 8: Create a Role to get the list of pods

cd $HOME

cat <<EOF >> role.yml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: get-pods
rules:
 - apiGroups: ["*"]
   resources: ["pods"]
   verbs: ["list"]
EOF

Step 09: Apply the Role

kubectl apply -f role.yml

Step 10: Apply the role binding

cat <<EOF >> role-binding.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: nishanth-get-pods
subjects:
- kind: User
  name: nishanth
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: get-pods
  apiGroup: rbac.authorization.k8s.io
EOF

kubectl apply -f role-binding.yml

Step 11: Now Verify the Pods

kubectl --user=nishanth get pods

Step 12: Lets try to delete any pod. Be cautious to replace the podname

kubectl --user=nishanth delete pods <<podname>>

Step 13: Delete the role file

rm -rf role.yml

Step 14: Create a new role file with more permissions

cat <<EOF >> role.yml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: get-pods
rules:
 - apiGroups: ["*"]
   resources: ["pods"]
   verbs: ["list","get","watch"]
 - apiGroups: ["extensions","apps"]
   resources: ["deployments"]
   verbs: ["get","list","watch","create","update","patch","delete"]
EOF

Step 15: Apply the Updated role again

kubectl apply -f role.yml

Step 16: Lets Create a new deployment

cat <<EOF >> deployment.yml
apiVersion: apps/v1
kind: Deployment
metadata:
 name: nginx-deployment
 labels:
   app: nginx
spec:
 replicas: 3
 selector:
   matchLabels:
     app: nginx
 template:
   metadata:
     labels:
       app: nginx
   spec:
     containers:
     - name: nginx
       image: nginx:1.7.9
       ports:
       - containerPort: 80
EOF

Step 17: Check the Pods

kubectl --user=nishanth get po

Step 18: Perform a New Deployment

kubectl --user=nishanth apply -f deployment.yaml

Step 19: Check the List of Pods

kubectl --user=pods get po

Step 20: Check the Single Pod. Change the pod name in command

kubectl --user=nishanth get po <<podname>>

Step 21: Delete any of the running pod and verify. Change the pod name in command

kubectl --user=nishanth delete po <<podname>>

Step 22: Delete the Deployment and Verify

kubectl --user=nishanth delete -f deployment.yaml

PreviousSecurity NextKubebench

Last updated 4 years ago

Was this helpful?