From 18d9ac2ca0081b25a3328d23a3632f536734fa66 Mon Sep 17 00:00:00 2001 From: marcel-dempers Date: Tue, 14 Sep 2021 12:59:35 +1000 Subject: [PATCH] rbac --- kubernetes/rbac/README.md | 32 ++++++++++++++++++++++++++++---- kubernetes/rbac/pod.yaml | 4 ++-- kubernetes/rbac/role.yaml | 4 ++-- kubernetes/rbac/rolebinding.yaml | 4 ++-- 4 files changed, 34 insertions(+), 10 deletions(-) diff --git a/kubernetes/rbac/README.md b/kubernetes/rbac/README.md index f3262c431..560b3abd3 100644 --- a/kubernetes/rbac/README.md +++ b/kubernetes/rbac/README.md @@ -122,7 +122,7 @@ export KUBECONFIG=~/.kube/new-config Create a cluster entry which points to the cluster and contains the details of the CA certificate: ``` -kubectl config set-cluster dev-cluster --server=https://127.0.0.1:51972 \ +kubectl config set-cluster dev-cluster --server=https://127.0.0.1:52794 \ --certificate-authority=ca.crt \ --embed-certs=true @@ -131,9 +131,9 @@ nano ~/.kube/new-config ``` -kubectl config set-credentials bob --client-certificate=bob.crt --client-key=bob.key +kubectl config set-credentials bob --client-certificate=bob.crt --client-key=bob.key --embed-certs=true -kubectl config set-context dev --cluster=dev-cluster --namespace=shopping --user=bob +kubectl config set-context dev --cluster=dev-cluster --namespace=shopping --user=bob kubectl config use-context dev @@ -144,6 +144,7 @@ Error from server (Forbidden): pods is forbidden: User "Bob Smith" cannot list r ## Give Bob Smith Access ``` +cd kubernetes/rbac kubectl create ns shopping kubectl -n shopping apply -f .\role.yaml @@ -163,9 +164,21 @@ Most business apps will not need to connect to the kubernetes API unless you are Generally applications will use a service account to connect.
You can read more about [Kubernetes Service Accounts](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/). +Let's deploy a service account +``` +kubectl -n shopping apply -f serviceaccount.yaml ``` +Now we can deploy a pod that uses the service account +``` +kubectl -n shopping apply -f pod.yaml +``` +Now we can test the access from within that pod by trying to list pods: + +``` +kubectl -n shopping exec -it shopping-api -- bash + # Point to the internal API server hostname APISERVER=https://kubernetes.default.svc @@ -183,4 +196,15 @@ CACERT=${SERVICEACCOUNT}/ca.crt # List pods through the API curl --cacert ${CACERT} --header "Authorization: Bearer $TOKEN" -s ${APISERVER}/api/v1/namespaces/shopping/pods/ -``` \ No newline at end of file + +# we should see an error not having access +``` + +Now we can allow this pod to list pods in the shopping namespace +``` +kubectl -n shopping apply -f serviceaccount-role.yaml +kubectl -n shopping apply -f serviceaccount-rolebinding.yaml +``` + +If we try run `curl` command again we can see now we are able to get a json +response with pod information diff --git a/kubernetes/rbac/pod.yaml b/kubernetes/rbac/pod.yaml index 1b7d69e8b..9f4f9639b 100644 --- a/kubernetes/rbac/pod.yaml +++ b/kubernetes/rbac/pod.yaml @@ -1,9 +1,9 @@ apiVersion: v1 kind: Pod metadata: - name: nginx + name: shopping-api spec: containers: - image: nginx - name: nginx + name: shopping-api serviceAccountName: shopping-api diff --git a/kubernetes/rbac/role.yaml b/kubernetes/rbac/role.yaml index b42e20f2b..d5facf272 100644 --- a/kubernetes/rbac/role.yaml +++ b/kubernetes/rbac/role.yaml 
@@ -2,11 +2,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: shopping - name: pod-reader + name: manage-pods rules: - apiGroups: [""] resources: ["pods", "pods/exec"] verbs: ["get", "watch", "list", "create", "delete"] -- apiGroups: [""] +- apiGroups: ["apps"] resources: ["deployments"] verbs: ["get", "watch", "list", "delete", "create"] \ No newline at end of file diff --git a/kubernetes/rbac/rolebinding.yaml b/kubernetes/rbac/rolebinding.yaml index 5ecf3b34e..de2b323e4 100644 --- a/kubernetes/rbac/rolebinding.yaml +++ b/kubernetes/rbac/rolebinding.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: read-pods + name: manage-pods namespace: shopping subjects: - kind: User @@ -9,5 +9,5 @@ subjects: apiGroup: rbac.authorization.k8s.io roleRef: kind: Role - name: pod-reader + name: manage-pods apiGroup: rbac.authorization.k8s.io \ No newline at end of file
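Review bot: The `rules` carried as context in this hunk grant `create`/`delete` on pods and deployments and `create` on `pods/exec`, while the README in this same commit only shows Bob needing to list pods, so the role (now `manage-pods`, bound to a `kind: User` subject via rolebinding.yaml) is far wider than the scenario it supports; `create` on `pods/exec` in particular lets the subject run commands inside every pod in the `shopping` namespace, which deserves an explicit callout in what appears to be an RBAC walkthrough. I would add a comment above the first rule, `# pods/exec create = command execution in every pod of this namespace; drop it unless the lesson needs it`, or move the exec permission into a separate role so readers can see the privilege boundary. Both role.yaml and rolebinding.yaml still end with `\ No newline at end of file`; adding the trailing newline is a small tidy-up that keeps future diffs cleaner.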