RBAC in Kubernetes

rbac in kubernetes

RBAC, is a security feature in Kubernetes that provides fine-grained control over access to resources within a Kubernetes cluster. It allows you to define roles, role bindings to manage user and service account permissions, enabling secure access to Kubernetes resources based on user roles and responsibilities.

No RBAC

Typically for your local clusters created by either kind or minikube you ended up with admin context. Moreover, some guys call it God mode which allows you to perform anything on the cluster.

In production-ready clusters admin access is restricted to few admins because with great power comes great responsibility.

Role

Everything starts with defining the role

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: log-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]

This Role, named "log-reader," grants permissions to users or service accounts within the "default" namespace to get information about pods and read logs from pods using the "get" and "list" verbs. It does not allow other actions such as creating, updating, or deleting pods.

Role Binding

Defined role we have to connect somehow with user. To do that RoleBinding is required.

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: log-reader-binding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: log-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user1

This RoleBinding, named "log-reader-binding," links the user "user1" with the "log-reader" Role within the "default" namespace. As a result, "user1" will inherit the permissions granted by the "log-reader" Role, which includes the ability to get information about pods and read logs from pods in the "default" namespace. Other actions beyond those defined in the "log-reader" Role will not be permitted for "user1" in this namespace.

But where can I defined the user?

Certificate

To be honest there is no such resource like user in kubernetes ecosystem. However, TLS certificate are being used to connect to cluster and such certificate can have details which links it to the username. And now is a time to do that.

Firstly, the key need to be generated.

openssl genrsa -out user1.key 2048

Next create CSR with information about user.

openssl req -new -key user1.key -out user1.csr -subj "/CN=user1/O=devs"

Sign CSR using CA of the kubernetes cluster. How to get it? This is a stuff for another post

openssl x509 -req -in user1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out user1.crt -days 180

Context

Context, these few fields in ~/.kube/config is the last thing to created before checking the access role

kubectl config set-credentials user1 --client-certificate=user1.crt  --client-key=user1.key
kubectl config set-context <NAME_OF_CONTEXT> --cluster=kind-kind --namespace=default --user=user1

Usage

In order to test the role permission, new context needs to be assign. I prefer kubectx to that kind of stuff.

kubectx  <NAME_OF_CONTEXT>
kubecrl logs <POD_NAME>

And time for a homework: What do you get running below command?

kubectl get deploy

Summary

RBAC provides fine-grained control over access to resources within a Kubernetes cluster. It allows you to define roles, role bindings to manage user and service account permissions, enabling secure access to Kubernetes resources.

Leave a Reply

Your email address will not be published. Required fields are marked *