Kubernetes User Access Control with ClusterRoleBindings to ClusterRole
Prerequisites:
1. Kubernetes cluster up and running
2. Basic understanding of RBAC
Cluster-wide access to resources such as pods, nodes and storage is administered with a ClusterRole, which is assigned to a user through a ClusterRoleBinding.
To list the ClusterRoles in the Kubernetes cluster:

kubectl get clusterrole
# Get the count
kubectl get clusterrole --no-headers | wc -l

To see which API resources back ClusterRoles and ClusterRoleBindings:

kubectl api-resources | grep cluster

To view the ClusterRoleBindings available in this Kubernetes cluster:

kubectl get clusterrolebindings
# Get the count
kubectl get clusterrolebindings --no-headers | wc -l
Imperative way
A single kubectl command is enough to create a ClusterRole. As an example, create a role that only allows listing DaemonSets.

# Initial check: before any binding exists this request should be denied (Forbidden)
kubectl get ds --as krish
kubectl create clusterrole list-ds-role --resource=daemonsets --verb=list
kubectl describe clusterrole list-ds-role

Create a ClusterRoleBinding list-ds-rb for user 'krish' that maps to the ClusterRole list-ds-role created above.

kubectl create clusterrolebinding list-ds-rb --clusterrole=list-ds-role --user=krish

After the ClusterRoleBinding is assigned to krish, check again:

kubectl get ds --as krish
[Figure: Create ClusterRole and ClusterRoleBinding the imperative way]
Cleanup for ClusterRoles

kubectl delete clusterrolebinding list-ds-rb
kubectl delete clusterrole list-ds-role
[Figure: Cleanup of ClusterRole and ClusterRoleBinding]
ClusterRoles are cluster-wide and are not part of any namespace. To find out which users or groups are associated with the cluster-admin role, describe its ClusterRoleBinding: the Subjects section reveals the users and groups.

kubectl describe clusterrolebinding cluster-admin

To inspect the privileges of the ClusterRole 'cluster-admin', describe it; the PolicyRule section shows which resources can be used and which actions are allowed on them. The asterisk '*' means 'all'. To grant access to all resources in all API groups, give '*.*' as the resource; in the same way, to allow every action (create, delete, list, watch, get and so on), use '*' as the verb. A new user, mahi, has joined the Kubernetes administrators team. She will be focusing on the nodes in the cluster, so let's create a ClusterRole and a ClusterRoleBinding that give her access to nodes.
First, check whether she is able to access the nodes.

kubectl create clusterrole node-admin --verb=get,list,watch --resource=nodes --dry-run=client -o yaml > node-admin.yaml
kubectl apply -f node-admin.yaml
kubectl describe clusterrole node-admin

Let's bind the node-admin ClusterRole to user mahi using a ClusterRoleBinding.

kubectl create clusterrolebinding mahi-rb --clusterrole=node-admin --user=mahi --dry-run=client -o yaml > mahi-rb.yaml
kubectl create -f mahi-rb.yaml
kubectl describe clusterrolebinding mahi-rb
# Check that mahi has access to nodes
kubectl --as mahi get nodes

A user's responsibilities grow the longer they are in the organization. Here Maheshwari (mahi) has been given additional responsibility for maintaining the storage used by the Kubernetes cluster. Create the required ClusterRole and ClusterRoleBinding to allow her access to storage. Requirements:

ClusterRole: storage-admin
Resource: persistentvolumes
Resource: storageclasses
ClusterRoleBinding: mahi-storage-admin
ClusterRoleBinding Subject: mahi
ClusterRoleBinding Role: storage-admin

You now know all the steps, so proceed with the ClusterRole and ClusterRoleBinding:

kubectl create clusterrole storage-admin \
  --verb='*' --resource=persistentvolumes --resource=storageclasses \
  --dry-run=client -o yaml > storage-admin.yaml
kubectl apply -f storage-admin.yaml
kubectl describe clusterrole storage-admin
kubectl create clusterrolebinding mahi-storage-admin-rb \
  --clusterrole=storage-admin --user=mahi --dry-run=client -o yaml > mahi-storage-admin-rb.yaml
kubectl create -f mahi-storage-admin-rb.yaml
kubectl describe clusterrolebinding mahi-storage-admin-rb
# Validate that mahi is authorized to access storage
kubectl get pv --as mahi
kubectl get sc --as mahi

Here the last step, fetching the StorageClasses as 'mahi', succeeds.
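The post generates its manifests with `--dry-run=client -o yaml` but never shows what ends up in the files. The script below is an added example, not code from the original post: it renders the equivalent ClusterRole and ClusterRoleBinding YAML for the krish, node-admin and storage-admin procedures above, and adds a check that flags any wildcard ('*') verb or resource before the file is applied, which is the review step a practitioner wants for a role that is about to be bound cluster-wide. It runs offline without a cluster or kubectl. The role, binding and user names are the post's; the function names (render_clusterrole, render_clusterrolebinding, audit_wildcards, api_group_for, quote_list) are hypothetical helpers written for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Renders the declarative
# manifests that the post's `kubectl create ... --dry-run=client -o yaml`
# steps write to files, and audits a ClusterRole for wildcard grants before
# it is applied. Runs offline: no cluster or kubectl required. Role, binding
# and user names follow the post; the function names are hypothetical.

# api_group_for RESOURCE: API group a resource belongs to (core group is "").
api_group_for() {
  case $1 in
    daemonsets|deployments|replicasets|statefulsets) echo "apps" ;;
    storageclasses) echo "storage.k8s.io" ;;
    *) echo "" ;;   # nodes, persistentvolumes, pods, ... live in the core group
  esac
}

# quote_list "get,list,watch" -> "get", "list", "watch"
quote_list() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/,/", "/g')"
}

# render_clusterrole NAME VERBS RESOURCES
#   VERBS and RESOURCES are comma-separated, as on the kubectl command line.
#   One rule is emitted per resource so each lands in its own API group.
render_clusterrole() {
  name=$1; verbs=$2; resources=$3
  printf 'apiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\n'
  printf 'metadata:\n  name: %s\nrules:\n' "$name"
  oldifs=$IFS; IFS=,
  for r in $resources; do
    IFS=$oldifs
    printf '  - apiGroups: ["%s"]\n    resources: ["%s"]\n    verbs: [%s]\n' \
      "$(api_group_for "$r")" "$r" "$(quote_list "$verbs")"
  done
  IFS=$oldifs
}

# render_clusterrolebinding NAME CLUSTERROLE USER
render_clusterrolebinding() {
  printf 'apiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\n'
  printf 'metadata:\n  name: %s\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n' "$1"
  printf '  kind: ClusterRole\n  name: %s\nsubjects:\n' "$2"
  printf '  - apiGroup: rbac.authorization.k8s.io\n    kind: User\n    name: %s\n' "$3"
}

# audit_wildcards NAME VERBS RESOURCES: returns 0 when every verb and resource
# is named explicitly, 1 when the role grants "*" anywhere. A wildcard bound
# cluster-wide deserves a second look before `kubectl apply`.
audit_wildcards() {
  if render_clusterrole "$1" "$2" "$3" | grep -qF '"*"'; then
    echo "WARN: ClusterRole $1 grants wildcard verbs or resources" >&2
    return 1
  fi
  return 0
}

# Usage: the roles from the post. Redirect each render to a file and apply it
# with `kubectl apply -f` exactly as the post does.
render_clusterrole list-ds-role list daemonsets
render_clusterrolebinding list-ds-rb list-ds-role krish
render_clusterrole node-admin get,list,watch nodes
render_clusterrolebinding mahi-rb node-admin mahi
audit_wildcards node-admin get,list,watch nodes
audit_wildcards storage-admin '*' persistentvolumes,storageclasses || true
```

The rendered YAML is equivalent to what kubectl writes for the same flags (kubectl merges resources that share an API group into one rule; this script emits one rule per resource, which RBAC evaluates identically). The audit reports storage-admin because the post grants it '--verb=*'; whether that is acceptable is a decision to make before the binding, not after.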