My Understanding about RBAC in Kubernetes
RBAC stands for Role based access control in our Kubernetes system we have users that needs to access the kubernetes cluster and it's resources. Here role is that categorize their needs. Let's say our project have developers, admins, presale users. We could define role named as "readers" that allows all users, because its common need to all user to read from the system. We could define a role called "writers" and allow certainer users like "developers" who contribute many things to develop in application end, "Admin" user can have this to control it. We could also define a role called "administrators" to admins users. Administrator role users can have full rights such as delete from the system.
Role can be used to define "what can be done?"
Role will be given to users, application software. If we need to deal with software then we need to use service account. Service accounts manages to having access control for services that runs softwares. Users can be created to have user access controls.
RoleBindings - who can do it?
In Kubernetes we have RoleBindings as an object. It allows us to users or groups to use roles by mapping that can be defined with role-bindings. RoleBinding is simple concept, role, rolebindings lives at namespace level. For example an ecommerce applicaiton, developers lives in shopping-cart namespace and presale namespace where all the presale systems live and presle team members will be using it. Administrator roles is design to to provide the entire kubernetes cluster level access permissions. That means all namespaces will be accessable to the admin role users.
If you have 100 developers working for a project of micro-service based application, you cannot create 100 users and giving the access to each one. here it comes the solution with RBAC where you Kubernetes admin need to create Role and RoleBinding at once and that can be used to 100 users if more developers added still it works without any new ocnfigurations.
Roles will lives in namespace constrained, ClusterRole will lives in cluster-wide kubernetes resources.
let's see how it works with different users under roles with rolebindings.
To check authorization-mode for kube-apiserver-controlplane in the kube-syste namespace.
kubectl get po kube-apiserver-controlplane \
-n kube-system -o yaml |grep authoriz
How to get the roles present in a namespace?
Let's say here we have created ecom as namespace and application will be ecom-app.
apiVersion: v1
kind: List
metadata:
items:
- apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: developer
namespace: ecom
rules:
- apiGroups:
resourceNames:
- ecom-app
resources:
- pods
verbs:
- get
- watch
- create
- delete
Role can be changed as per the project requirements that means initially a role may only have access to work with pods later we can add one more resource such as 'deployments'. You could also work on authorization permissions for a user role where you need to create new set of rule for 'deployments' and apiGroups can be defined with "apps" so that we could get access to the users who have this role.
No comments:
Post a Comment