
You can do k8s access control via the mechanisms sketched in the overview below (authentication establishes who is calling, RBAC decides what they may do):

Overview

image

Groups and users

Service account

# a service account is a namespaced identity that workloads (not humans) run as
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
---
# the pod gets build-bot's token mounted and calls the API server as
# user system:serviceaccount:<namespace>:build-bot
apiVersion: v1
kind: Pod
metadata:
  name: build-observer
spec:
  serviceAccountName: build-bot
...

How human users and groups authenticate (client certificates, OIDC, static or bootstrap tokens) depends on the cluster provider; Kubernetes has no User object of its own. RBAC only authorizes the user name and group list that the authenticator hands over.

image

RBAC primitives

image

In Kubernetes, RBAC permissions are purely additive: a subject starts with no permissions, and you grant more by binding Roles (namespaced) or ClusterRoles (cluster-wide) to it with RoleBindings or ClusterRoleBindings. There are no deny rules, so you can't subtract permissions from someone who already has them; to narrow access you have to remove or replace the binding that granted it.

Role

Kubernetes ships with default ClusterRoles, among them the user-facing cluster-admin, admin, edit and view:

image

or you can create your own:

# ClusterRole that grants read access to secrets. It covers every namespace only when
# bound with a ClusterRoleBinding; referenced from a RoleBinding it grants in that
# binding's namespace only.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

RoleBinding

# daisy can edit stuff in the demo namespace only: the binding is namespaced,
# even though it references the cluster-wide "edit" ClusterRole
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: daisy-edit
  namespace: demo
subjects:
- kind: User
  name: daisy
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io

List every RoleBinding in every namespace (handy for auditing who was granted what):

kubectl get rolebindings.rbac.authorization.k8s.io --all-namespaces
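To make the "additive, no deny, scoped by the binding" rules above concrete, here is a toy model of how the RBAC authorizer answers "can subject S do verb V on resource R in namespace N?" over the objects from these notes. This is an added example written for this page, not Kubernetes code: it models only the RBAC authorizer (not Node or webhook authorizers), ignores resourceNames, subresources and non-resource URLs, and the `edit` rules, the `apps:api-access` binding and the `secret-auditors` group are constructed stand-ins for the real objects.

```python
"""Toy model of Kubernetes RBAC evaluation over the manifests in these notes (added example)."""
from dataclasses import dataclass
from typing import Optional

# --- objects from the notes, as dicts (constructed to mirror the YAML above) -----------------
CLUSTER_ROLES = {
    "secret-reader": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]},
    ],
    # stand-in for the built-in "edit" ClusterRole; the real one has many more, narrower rules
    "edit": [
        {"apiGroups": ["", "apps"], "resources": ["*"], "verbs": ["*"]},
    ],
}
ROLES = {  # namespaced Roles, keyed by (namespace, name); from the "Commands" section
    ("default", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["watch", "list", "get"]},
    ],
}
# subjects are (kind, name); ServiceAccount names are written "namespace:name"
ROLE_BINDINGS = [
    {"namespace": "demo", "subjects": [("User", "daisy")], "roleRef": ("ClusterRole", "edit")},
    {"namespace": "default", "subjects": [("User", "johndoe")], "roleRef": ("Role", "pod-reader")},
    # a ClusterRole referenced from a RoleBinding grants only inside that binding's namespace
    {"namespace": "apps", "subjects": [("ServiceAccount", "apps:api-access")],
     "roleRef": ("ClusterRole", "secret-reader")},
]
CLUSTER_ROLE_BINDINGS = [
    # hypothetical cluster-wide grant to a group, to contrast with the namespaced binding above
    {"subjects": [("Group", "secret-auditors")], "roleRef": ("ClusterRole", "secret-reader")},
]


@dataclass(frozen=True)
class Request:
    user: str                 # authenticated user name
    groups: tuple             # groups the authenticator attached to the user
    verb: str
    resource: str
    namespace: Optional[str]  # None for cluster-scoped resources such as nodes
    api_group: str = ""       # "" is the core API group


def rule_matches(rule, req):
    """A PolicyRule matches when apiGroup, resource and verb all match ('*' is a wildcard)."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["apiGroups"], req.api_group)
            and hit(rule["resources"], req.resource)
            and hit(rule["verbs"], req.verb))


def subject_matches(subject, req):
    kind, name = subject
    if kind == "User":
        return name == req.user
    if kind == "Group":
        return name in req.groups
    if kind == "ServiceAccount":
        # a service account token authenticates as user "system:serviceaccount:<ns>:<name>"
        return req.user == "system:serviceaccount:" + name
    return False


def rules_for(role_ref, namespace):
    kind, name = role_ref
    if kind == "ClusterRole":
        return CLUSTER_ROLES.get(name, [])
    return ROLES.get((namespace, name), [])


def allowed(req):
    """Return the first binding that grants the request, or None (denied by default)."""
    # ClusterRoleBindings apply in every namespace and to cluster-scoped resources
    for b in CLUSTER_ROLE_BINDINGS:
        if any(subject_matches(s, req) for s in b["subjects"]) and \
           any(rule_matches(r, req) for r in rules_for(b["roleRef"], None)):
            return b
    # RoleBindings apply only inside their own namespace, whatever kind of role they reference
    if req.namespace is not None:
        for b in ROLE_BINDINGS:
            if b["namespace"] == req.namespace and \
               any(subject_matches(s, req) for s in b["subjects"]) and \
               any(rule_matches(r, req) for r in rules_for(b["roleRef"], b["namespace"])):
                return b
    # nothing matched: there is no deny rule to hit, the answer is simply "no grant found"
    return None


def can_i(user, groups, verb, resource, namespace, api_group=""):
    """Toy counterpart of `kubectl auth can-i VERB RESOURCE -n NS --as USER`."""
    return allowed(Request(user, tuple(groups), verb, resource, namespace, api_group)) is not None


def service_account_identity(namespace, name):
    """User name and groups the API server assigns to a service account token."""
    return (f"system:serviceaccount:{namespace}:{name}",
            ("system:serviceaccounts", f"system:serviceaccounts:{namespace}", "system:authenticated"))


if __name__ == "__main__":
    sa_user, sa_groups = service_account_identity("apps", "api-access")
    checks = [
        ("daisy", (), "delete", "pods", "demo"),            # yes: edit, inside demo
        ("daisy", (), "list", "pods", "default"),           # no: RoleBinding is scoped to demo
        ("johndoe", (), "list", "pods", "default"),         # yes: pod-reader Role
        ("johndoe", (), "delete", "pods", "default"),       # no: verb not granted, nothing to deny
        (sa_user, sa_groups, "get", "secrets", "apps"),     # yes: ClusterRole via RoleBinding
        (sa_user, sa_groups, "get", "secrets", "default"),  # no: wrong namespace
        ("auditor", ("secret-auditors",), "list", "secrets", "kube-system"),  # yes: ClusterRoleBinding
    ]
    for user, groups, verb, res, ns in checks:
        print(f"{user:45} {verb:7} {res:8} in {ns:12} -> {'yes' if can_i(user, groups, verb, res, ns) else 'no'}")
```

The two things worth noticing are that the same `secret-reader` ClusterRole answers "yes" everywhere for the group bound by a ClusterRoleBinding but only in `apps` for the service account bound by a RoleBinding, and that every "no" comes from the absence of a matching rule, never from a rule that says no.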

Commands

Find out whether RBAC is enabled on a cluster (`k` is an alias for `kubectl`; one line of output per control-plane node). This only works where kube-apiserver runs as a static pod in kube-system, as on kubeadm clusters; on managed clusters that hide the control plane, check instead that `k api-versions` lists rbac.authorization.k8s.io/v1:

$ k describe pod -n kube-system -l component=kube-apiserver | grep authorization
      --authorization-mode=Node,RBAC
      --authorization-mode=Node,RBAC
      --authorization-mode=Node,RBAC

Basic user access management. `--as` impersonates the named user, which itself needs the `impersonate` verb on users (cluster-admin has it), so run these as an admin:

# check whether user johndoe may list pods (in the current namespace)
k auth can-i list pods --as johndoe

# grant johndoe read-only access to pods in the default namespace
k create role pod-reader -n default --resource=pods --verb=watch,list,get
k create rolebinding read-pods -n default --role=pod-reader --user=johndoe

Basic service account access management. Note that the ClusterRoleBinding below lets the service account read pods in every namespace; if it only needs its own namespace, bind the same ClusterRole with `k create rolebinding ... -n apps --clusterrole=...` instead:

k create serviceaccount api-access -n apps
k create clusterrole api-clusterrole --resource=pods --verb=watch,list,get
k create clusterrolebinding api-clusterrolebinding --clusterrole=api-clusterrole --serviceaccount=apps:api-access

Sources