Configuring RBAC in Kubernetes
In this section, we will explore the process of configuring RBAC in a Kubernetes cluster. We will cover the creation of Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings, as well as how to assign permissions to different subjects (users, groups, and service accounts).
Creating Roles and ClusterRoles
Roles and ClusterRoles define the permissions that can be granted to subjects within a Kubernetes cluster. To create a Role, you can use the following YAML configuration:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
This Role, named pod-reader, grants the get, list, and watch permissions on Pods in the default namespace.
To create a ClusterRole, the configuration is similar, but without the namespace field:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-admin
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
This ClusterRole, named cluster-admin, grants full access to all resources across the entire Kubernetes cluster. Note that cluster-admin is also the name of a default ClusterRole that the API server creates and reconciles at startup, so this manifest mirrors the built-in role rather than defining a new one; because the wildcard rules grant unrestricted access, any binding to it should be reserved for a small set of cluster operators.
Assigning Permissions with RoleBindings and ClusterRoleBindings
Once you have defined your Roles and ClusterRoles, you can assign them to subjects using RoleBindings and ClusterRoleBindings.
A RoleBinding associates a Role with a subject within a namespace:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
This RoleBinding grants the pod-reader Role to the alice user in the default namespace.
Similarly, a ClusterRoleBinding associates a ClusterRole with a subject across the entire cluster:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-binding
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
This ClusterRoleBinding grants the cluster-admin ClusterRole to the alice user across the entire Kubernetes cluster.
By combining Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings, you can create a fine-grained access control system that meets the specific needs of your Kubernetes environment.
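To make the scoping rules concrete, the following is an added example (not code from the page or from Kubernetes itself): a small model of the RBAC decision that an API server makes against the four objects above, expressed as Python dicts. It also covers one case the page does not show, a RoleBinding that references a ClusterRole, which grants the ClusterRole's rules only inside the binding's namespace. The RoleBinding named ns-admin is a constructed addition; the subject handling is limited to User subjects and the rule matching ignores resourceNames, subresources and nonResourceURLs.

```python
# Constructed manifests mirroring the page's Role, ClusterRole and bindings.
POD_READER = {"kind": "Role", "metadata": {"namespace": "default", "name": "pod-reader"},
              "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]}
CLUSTER_ADMIN = {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
                 "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
READ_PODS = {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "default"},
             "subjects": [{"kind": "User", "name": "alice"}],
             "roleRef": {"kind": "Role", "name": "pod-reader"}}
ADMIN_BINDING = {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin-binding"},
                 "subjects": [{"kind": "User", "name": "alice"}],
                 "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}
# Constructed (not on the page): a RoleBinding that references a ClusterRole.
NS_ADMIN = {"kind": "RoleBinding", "metadata": {"name": "ns-admin", "namespace": "default"},
            "subjects": [{"kind": "User", "name": "alice"}],
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}


def rule_allows(rule, group, resource, verb):
    """A rule matches when each of apiGroups, resources and verbs lists the value or '*'."""
    def matches(allowed, value):
        return "*" in allowed or value in allowed
    return (matches(rule["apiGroups"], group) and matches(rule["resources"], resource)
            and matches(rule["verbs"], verb))


def can_i(roles, bindings, user, verb, resource, namespace, group=""):
    """RBAC is purely additive: allow if ANY binding naming the user points at a
    role with ANY matching rule; there are no deny rules."""
    index = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r for r in roles}
    for binding in bindings:
        if not any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        if binding["kind"] == "RoleBinding":
            # A RoleBinding grants only inside its own namespace, even when it
            # references a ClusterRole (the ClusterRole's rules are scoped down).
            if binding["metadata"]["namespace"] != namespace:
                continue
            role_ns = namespace if ref["kind"] == "Role" else None
        else:
            role_ns = None  # ClusterRoleBinding: applies in every namespace
        role = index.get((ref["kind"], role_ns, ref["name"]))
        if role and any(rule_allows(r, group, resource, verb) for r in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    print(can_i([POD_READER], [READ_PODS], "alice", "get", "pods", "default"))        # True
    print(can_i([POD_READER], [READ_PODS], "alice", "get", "pods", "kube-system"))    # False
    print(can_i([CLUSTER_ADMIN], [NS_ADMIN], "alice", "delete", "pods", "kube-system"))  # False
```

Against a live cluster the equivalent check is kubectl auth can-i, for example kubectl auth can-i get pods --namespace default --as alice.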