Role-Based Access Control on Kubernetes

Introduction

In a Kubernetes cluster, Role-Based Access Control (RBAC) is used to control access to resources and operations within the cluster. RBAC allows cluster administrators to define roles and permissions for users, groups, and service accounts to control access to resources and operations within the cluster. In this lab, you will learn how to use RBAC to control access to resources in a Kubernetes cluster.

Skills Graph

Create a Namespace

Create a new namespace called myapp using the following command:

kubectl create namespace myapp

Create a Role

Create a new Role called myapp-reader in the myapp namespace that allows users to read pods and services in the namespace using the following YAML file called myapp-reader-role.yaml:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: myapp
  name: myapp-reader
rules:
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "watch", "list"]

This Role allows users to read (get, watch, and list) pods and services in the myapp namespace.

Create the Role using the following command:

kubectl apply -f myapp-reader-role.yaml

Create a Role Binding

Create a Role Binding that binds the myapp-reader Role to a user or group in the myapp namespace. For example, to bind the myapp-reader Role to the developer user in the myapp namespace, create the following YAML file called myapp-reader-binding.yaml:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: myapp-reader-binding
  namespace: myapp
subjects:
  - kind: User
    name: developer
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: myapp-reader
  apiGroup: rbac.authorization.k8s.io

This Role Binding binds the myapp-reader Role to the developer user in the myapp namespace.

Create the Role Binding using the following command:

kubectl apply -f myapp-reader-binding.yaml

Test Access

Test access to the myapp namespace by attempting to get the list of pods in the namespace using the following command:

kubectl get pods -n myapp --as developer

You should see a message indicating that no resources in myapp namespace, because you might not have pods in your cluster.When you're done with the lab, use this command and you should see a list of pods in the myapp namespace.

Test access to the default namespace by attempting to get the list of pods in the namespace using the following command:

kubectl get pods --as developer

You should see an error message indicating that you do not have access to the default namespace.

Create a ClusterRole

Create a new ClusterRole called myapp-admin that allows users to create, delete, and update pods and services in all namespaces using the following YAML file called myapp-admin-clusterrole.yaml:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: myapp-admin
rules:
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]

This ClusterRole allows users to perform all operations (get, list, watch, create, update, and delete) on pods and services in all namespaces.

Create the ClusterRole using the following command:

kubectl apply -f myapp-admin-clusterrole.yaml

Create a ClusterRole Binding

Create a ClusterRole Binding that binds the myapp-admin ClusterRole to a user or group in the cluster. For example, to bind the myapp-admin ClusterRole to the cluster-admin user, create the following YAML file called myapp-admin-binding.yaml:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: myapp-admin-binding
subjects:
  - kind: User
    name: cluster-admin
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: myapp-admin
  apiGroup: rbac.authorization.k8s.io

This ClusterRole Binding binds the myapp-admin ClusterRole to the cluster-admin user.

Create the ClusterRole Binding using the following command:

kubectl apply -f myapp-admin-binding.yaml

Test Access

Test access to create a pod in the myapp namespace by creating a pod using the following YAML file called myapp-pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  namespace: myapp
spec:
  containers:
    - name: myapp-container
      image: nginx
      ports:
        - containerPort: 80

Create the pod using the following command:

kubectl apply -f myapp-pod.yaml --as cluster-admin

You should see a message indicating that the pod was created.

Test access to create a deployment in the myapp namespace by creating a deployment using the following YAML file myapp-deployment.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deployment
  namespace: myapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp-deployment
  template:
    metadata:
      labels:
        app: myapp-deployment
    spec:
      containers:
        - name: nginx
          image: nginx:latest
          ports:
            - containerPort: 80

Create the pod using the following command:

kubectl apply -f myapp-deployment.yaml --as cluster-admin

You should see an error message indicating that you do not have access to create deploymeny in the myapp namespace.

Summary

In this lab, you learned how to use Role-Based Access Control (RBAC) in Kubernetes to control access to resources and operations within the cluster. You created a namespace, a Role, and a Role Binding to control access to resources in a specific namespace. You also created a ClusterRole and a ClusterRole Binding to control access to resources across all namespaces. By the end of this lab, you should have a good understanding of how to use RBAC to control access to resources and operations in a Kubernetes cluster.