How to create a role in Kubernetes?
You create a Role object (a namespaced set of allowed verbs on resources) and then attach it to a user, group or service account with a RoleBinding.
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within your organization.
Role example
Here’s an example Role in the “default” namespace that can be used to grant read access to pods:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: developer
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
The Role is named "developer" and lives in the "default" namespace (a Role is always namespaced; cluster-wide resources such as nodes need a ClusterRole). Under metadata we name it, and under rules we list what it permits.
Each rule has three sections (plus an optional resourceNames list that narrows a rule to specific objects):
- apiGroups
- resources
- verbs
A single Role can also carry multiple rules. Rules are purely additive: a request is allowed if any one rule matches its verb, API group and resource, and there is no way to write a deny rule.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: developer
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list", "create", "update", "delete"]
- apiGroups: [""] # "" indicates the core API group
  resources: ["configmaps"] # resource names are lowercase plural; "ConfigMap" would be accepted but match nothing
  verbs: ["create"]
Save the manifest as developer-role.yaml and create the Role from it with kubectl create -f:
$ kubectl create -f developer-role.yaml
role.rbac.authorization.k8s.io/developer created
$ kubectl get role
NAME AGE
developer 26s
Link the user to the role.
For this we create another object called RoleBinding. A RoleBinding grants the permissions of one Role (or ClusterRole) to one or more subjects: a User, a Group, or a ServiceAccount. Users and groups are not objects stored in the cluster; they are just the names your authenticator presents, so the subject name must match exactly and is case sensitive.
RoleBinding examples
Here is an example of a RoleBinding that grants the "developer" Role to the user "dev-user" within the "default" namespace. With the two-rule Role above, this lets "dev-user" read, create, update and delete pods and create configmaps in "default", and nothing in any other namespace.
apiVersion: rbac.authorization.k8s.io/v1
# This role binding lets "dev-user" use the "developer" Role in the "default" namespace.
# You need to already have a Role named "developer" in that namespace.
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
# You can specify more than one "subject"
- kind: User
  name: dev-user # "name" is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role # this must be Role or ClusterRole
  name: developer # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
$ kubectl create -f developer-binding.yaml
rolebinding.rbac.authorization.k8s.io/read-pods created
$ kubectl get rolebindings
NAME AGE
read-pods 108s
Now dev-user can get, list, watch, create, update and delete pods and create configmaps, but only within the default namespace. Note that roleRef is immutable: to point the binding at a different Role you must delete and recreate it.
View the details about the role and rolebinding
$ kubectl describe role developer
Name: developer
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
configmaps [] [] [create]
pods [] [] [get watch list create update delete]
$ kubectl describe rolebinding read-pods
Name: read-pods
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"read-pods","namespace":"default"},"...
Role:
Kind: Role
Name: developer
Subjects:
Kind Name Namespace
---- ---- ---------
User dev-user
Check access. Run these as a cluster admin; the --as flag impersonates dev-user, which itself requires the impersonate permission on users, so a plain developer cannot use it to probe other identities.
$ kubectl auth can-i create deployments
yes
$ kubectl auth can-i delete nodes
Warning: resource 'nodes' is not namespace scoped
yes
$ kubectl auth can-i create pods --as dev-user
yes
$ kubectl auth can-i delete nodes --as dev-user
Warning: resource 'nodes' is not namespace scoped
no
# The binding is namespaced, so the same check in another namespace is denied.
$ kubectl auth can-i create pods --as dev-user --namespace prod
no
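The checks above depend on a live cluster. The following is an added example, not code from the page or from Kubernetes, that answers the same namespaced question as kubectl auth can-i by walking RoleBindings and Roles the way the RBAC authorizer does: find bindings in the requested namespace whose subjects include the user, resolve each roleRef, and allow if any rule matches. The manifests are constructed Python dicts shaped like the page's YAML; the function and constant names (can_i, rule_allows, ROLE_DEVELOPER_TYPO and so on) are this example's own. A second copy of the Role with the "ConfigMap" typo is included to show that a misspelled resource name is accepted by the API server but grants nothing.

```python
"""Local evaluator for Kubernetes RBAC Role / RoleBinding rules (added example)."""
from typing import Dict, List, Sequence

# Constructed Role: the page's two-rule "developer" Role, resource names lowercase plural.
ROLE_DEVELOPER: Dict = {
    "kind": "Role",
    "metadata": {"namespace": "default", "name": "developer"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["get", "watch", "list", "create", "update", "delete"]},
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["create"]},
    ],
}

# Constructed copy with the common typo: "ConfigMap" never matches a request
# for "configmaps", so the second rule silently grants nothing.
ROLE_DEVELOPER_TYPO: Dict = {
    "kind": "Role",
    "metadata": {"namespace": "default", "name": "developer"},
    "rules": [ROLE_DEVELOPER["rules"][0],
              {"apiGroups": [""], "resources": ["ConfigMap"], "verbs": ["create"]}],
}

# Constructed RoleBinding: the page's "read-pods" binding of dev-user to developer.
BINDING_READ_PODS: Dict = {
    "kind": "RoleBinding",
    "metadata": {"name": "read-pods", "namespace": "default"},
    "subjects": [{"kind": "User", "name": "dev-user",
                  "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "developer",
                "apiGroup": "rbac.authorization.k8s.io"},
}


def _listed(wanted: str, allowed: Sequence[str]) -> bool:
    """RBAC list matching is exact and case-sensitive; "*" matches anything."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule: Dict, verb: str, api_group: str, resource: str,
                name: str = "") -> bool:
    """True if one PolicyRule covers the request (every field must match)."""
    if not _listed(verb, rule.get("verbs", [])):
        return False
    if not _listed(api_group, rule.get("apiGroups", [])):
        return False
    # Subresources such as "pods/log" must be listed explicitly; "pods" alone
    # does not cover them, and "ConfigMap" does not cover "configmaps".
    if not _listed(resource, rule.get("resources", [])):
        return False
    names = rule.get("resourceNames", [])
    return not names or name in names  # resourceNames narrows the rule to named objects


def subject_matches(subject: Dict, user: str, groups: Sequence[str]) -> bool:
    """Users and groups are just names from the authenticator; exact match only."""
    kind = subject.get("kind")
    if kind == "User":
        return subject["name"] == user
    if kind == "Group":
        return subject["name"] in groups
    if kind == "ServiceAccount":
        sa_user = "system:serviceaccount:%s:%s" % (subject.get("namespace", ""), subject["name"])
        return sa_user == user
    return False


def can_i(roles: List[Dict], bindings: List[Dict], user: str, verb: str,
          resource: str, namespace: str, api_group: str = "",
          groups: Sequence[str] = (), name: str = "") -> bool:
    """Namespaced `kubectl auth can-i` over in-memory manifests; RBAC is deny by default."""
    groups = list(groups) + ["system:authenticated"]  # every authenticated user is in this group
    index = {(r["kind"], r["metadata"].get("namespace", ""), r["metadata"]["name"]): r
             for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only ever grants inside its own namespace
        if not any(subject_matches(s, user, groups) for s in binding.get("subjects", [])):
            continue
        ref = binding["roleRef"]
        # A ClusterRole referenced from a RoleBinding is still confined to this namespace.
        role = index.get((ref["kind"], namespace if ref["kind"] == "Role" else "", ref["name"]))
        if role is None:
            continue  # dangling roleRef: the binding exists but grants nothing
        if any(rule_allows(r, verb, api_group, resource, name) for r in role.get("rules", [])):
            return True
    return False


if __name__ == "__main__":
    checks = [("create", "pods", "default", ""), ("create", "configmaps", "default", ""),
              ("create", "pods", "prod", ""), ("get", "deployments", "default", "apps")]
    for verb, res, ns, grp in checks:
        ok = can_i([ROLE_DEVELOPER], [BINDING_READ_PODS], "dev-user", verb, res, ns, grp)
        print("can dev-user %s %s in %s? %s" % (verb, res, ns, "yes" if ok else "no"))
```

Because the real authorizer also consults ClusterRoleBindings and other authorizers (Node, Webhook), a local "no" here is only a statement about the Role and RoleBinding you fed in; kubectl auth can-i against the cluster remains the authoritative check.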