kubernetes RBAC - ghdrako/doc_snipets GitHub Wiki
Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within your organization.
RBAC consists of three key building blocks: Subject, API Resource, Operations(Verbs)*.Together, they connect API primitives and their allowed operations to the so-called subject which is a user, a group, or a ServiceAccount.
- Subject: The user or process that wants to access a resource.
- Resource: The Kubernetes API resource type e.g. a Deployment or node.
- Verb: The operation that can be executed on the resource e.g. creating a Pod, or deleting a Service.
Creating a Subject
user account, service account, or a group can use as subject.
User Accoutns
| Authentication strategy | Description |
|---|---|
| X.509 client certificate | Uses an OpenSSL client certificate to authenticate. |
| Basic authentication | Uses username and password to authenticate. |
| Bearer tokens | Uses OpenID (a flavor of OAuth2) or webhooks as a way to authenticate. |
Service Account
kubectl create serviceaccount build-bot # create sa
kubectl describe serviceaccount build-bot
kubectl get secrets
Assigning a Service Account to a Pod
kubectl run build-observer --image=alpine --restart=Never \
--serviceaccount=build-bot
or
apiVersion: v1
kind: Pod
metadata:
name: build-observer
spec:
serviceAccountName: build-bot
...
RBAC API Primitives
Within RBAC for Kubernetes, you have four primary resources:
-
Roles
-
ClusterRoles
-
RoleBindings
-
ClusterRoleBindings
-
Role: The Role API primitive declares the API resources and their operations this rule should operate on.
-
RoleBinding: The RoleBinding API primitive binds the Role to the subject(s). It is the glue for making the rules active.
Role and ClusterRole
Roles are permissions that you can give users, groups, and service accounts, and they are namespace scoped. ClusterRole is the same thing as a Role. The only difference is that it’s not namespace scoped.
A Role always sets permissions within a particular namespace; when you create a Role, you have to specify the namespace it belongs in.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "watch", "list"]
ClusterRole, by contrast, is a non-namespaced resource. The resources have different names (Role and ClusterRole) because a Kubernetes object always has to be either namespaced or not namespaced; it can't be both.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
# "namespace" omitted since ClusterRoles are not namespaced
name: secret-reader
rules:
- apiGroups: [""]
#
# at the HTTP level, the name of the resource for accessing Secret
# objects is "secrets"
resources: ["secrets"]
verbs: ["get", "watch", "list"]
kubectl get roles # list roles
kubectl describe role read-only # show role details
RoleBinding and ClusterRoleBinding
A RoleBinding is a way that you tie/attach a Role to a user/group/service account. Just as with Roles and ClusterRoles, the only difference is that RoleBindings are namespace scoped and ClusterRoleBindings are not and can be used throughout the cluster.
The following RoleBinding takes the Role reader-pod and attaches it to the miketest service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: reader-pod
namespace: ingress
subjects:
- kind: ServiceAccount
name: miketest
apiGroup: ""
roleRef:
kind: Role
name: reader
apiGroup: rbac.authorization.k8s.io
the following ClusterRoleBinding will attach the miketest service account to the
ClusterRole reader-cluster and reference the following ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: read-pod-global
subjects:
- kind: ServiceAccount
name: miketest
apiGroup: ""
roleRef:
kind: ClusterRole
name: reader-cluster
apiGroup: rbac.authorization.k8s.io
Referring to resources
Referring to subjects
Aggregated ClusterRoles
Existing ClusterRoles can be aggregated to avoid having to redefine a new,composed set of rules that likely leads to duplication of instructions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: list-pods
namespace: rbac-example
labels:
rbac-pod-list: "true"
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- list
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: delete-services
namespace: rbac-example
labels:
rbac-service-delete: "true"
rules:
- apiGroups:
- ""
resources:
- services
verbs:
- delete
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: pods-services-aggregation-rules
namespace: rbac-example
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac-pod-list: "true"
- matchLabels:
rbac-service-delete: "true"
rules: []
Creating Role
$ kubectl create role read-only --verb=list,get,watch \
--resource=pods,deployments,services
or
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: read-only
rules:
- apiGroups:
- ""
resources:
- pods
- services
verbs:
- list
- get
- watch
- apiGroups:
- apps
resources:
- deployments
verbs:
- list
- get
- watch
RoleBuinding
# Create
kubectl create rolebinding read-only-binding --role=read-only -
-user=johndoe
or
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-only-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: read-only
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: johndoe
kubectl get rolebindings # list role buinding
kubectl describe rolebinding read-only-binding # show detail rolebinding
Default User-Facing Roles
| Default ClusterRole | Description |
|---|---|
| cluster-admin | Allows read- and write-access to resources across all namespaces. |
| admin | Allows read- and write-access to resources in namespace including Roles and RoleBindings. |
| edit | Allows read- and write-access to resources in namespace except Roles, and RoleBindings. Provides access to Secrets. |
| view | Allows read-only access to resources in namespace except Roles, RoleBindings, and Secrets. |