Role Based Access Control in Kubernetes
Kubernetes uses Role Based Access Control (RBAC) to decide who may do what inside a Kubernetes cluster.
To grant access to a Kubernetes cluster, we need to create Role, RoleBinding, ClusterRole, and ClusterRoleBinding objects based on our requirements.
Before doing this, we need to understand the following concepts-
Kubernetes Namespace provides a mechanism to isolate a group of resources in a Kubernetes cluster.
We can create a Role using one or more rules to grant access to the Kubernetes resources/API objects within a particular Kubernetes namespace. So, it is scoped to a particular namespace.
Also, we can create a ClusterRole using one or more rules to grant access to the Kubernetes resources/API objects across the Kubernetes cluster. So, it is not scoped to a particular namespace.
After creating them, we can create RoleBinding to bind the Role with the subject within a namespace. Also, we can create ClusterRoleBinding to bind the ClusterRole with the subject.
We can even use RoleBinding with ClusterRole to provide access to more than one namespace.
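To make the scoping rules above concrete, here is an added Python example (not code from the article) that models how the RBAC authorizer resolves a request against Role, ClusterRole, RoleBinding and ClusterRoleBinding objects. The manifests are constructed sample data written as dicts in the same shape as the YAML templates; the names used (pod-reader, secret-reader, node-viewer, alice, the ops group and the monitor service account) are assumptions for the example. The model covers only apiGroups, resources and verbs, not resourceNames, subresources or nonResourceURLs.

```python
"""Offline model of Kubernetes RBAC scoping (added example, not from the article).

A Role is namespace scoped, a ClusterRole is cluster wide, a RoleBinding grants
a Role *or* a ClusterRole inside one namespace only, and a ClusterRoleBinding
grants a ClusterRole everywhere. The manifests below are constructed sample
data in dict form of the article's YAML templates; nothing here touches a cluster.
"""

MANIFESTS = [
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "node-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}]},
    # RoleBinding -> Role: pod access inside namespace dev only
    {"kind": "RoleBinding", "metadata": {"name": "alice-pods", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    # RoleBinding -> ClusterRole: the rules are cluster wide, the grant is limited to dev
    {"kind": "RoleBinding", "metadata": {"name": "alice-secrets", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    # ClusterRoleBinding -> ClusterRole: node access across the whole cluster
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-nodes"},
     "roleRef": {"kind": "ClusterRole", "name": "node-viewer"},
     "subjects": [{"kind": "Group", "name": "ops"},
                  {"kind": "ServiceAccount", "name": "monitor", "namespace": "kube-system"}]},
]


def _lookup(manifests, kind, name, namespace=None):
    """Return the Role/ClusterRole with this kind, name and (for a Role) namespace."""
    for m in manifests:
        md = m["metadata"]
        if m["kind"] == kind and md["name"] == name and md.get("namespace") == namespace:
            return m
    return None


def _rule_allows(rule, api_group, resource, verb):
    """A rule grants the request if every field matches literally or by '*'."""
    def hit(allowed, wanted):
        return "*" in allowed or wanted in allowed
    return (hit(rule.get("apiGroups", []), api_group)
            and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def _subject_matches(subject, user, groups):
    """Users and groups match by name; a ServiceAccount subject matches the
    synthetic user name system:serviceaccount:<namespace>:<name>."""
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    if subject["kind"] == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False


def can_i(manifests, user, groups, verb, resource, namespace=None, api_group=""):
    """Decide a request the way RBAC scopes it. namespace=None means a
    cluster-scoped resource such as nodes, which only ClusterRoleBindings can grant."""
    for binding in manifests:
        if not any(_subject_matches(s, user, groups) for s in binding.get("subjects", [])):
            continue  # Role/ClusterRole objects have no subjects and are skipped here
        ref = binding["roleRef"]
        if binding["kind"] == "ClusterRoleBinding":
            role = _lookup(manifests, "ClusterRole", ref["name"])
        elif binding["kind"] == "RoleBinding":
            if namespace is None or binding["metadata"]["namespace"] != namespace:
                continue  # a RoleBinding never reaches outside its own namespace
            if ref["kind"] == "Role":
                role = _lookup(manifests, "Role", ref["name"], namespace)
            else:  # ClusterRole referenced from a RoleBinding
                role = _lookup(manifests, "ClusterRole", ref["name"])
        else:
            continue
        if role and any(_rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("alice", [], "get", "pods", "dev"),
        ("alice", [], "get", "pods", "prod"),
        ("alice", [], "get", "secrets", "dev"),
        ("alice", [], "get", "secrets", "prod"),
        ("bob", ["ops"], "list", "nodes", None),
        ("system:serviceaccount:kube-system:monitor", [], "get", "nodes", None),
        ("alice", [], "get", "nodes", None),
    ]
    for user, groups, verb, res, ns in checks:
        print(f"{user:45} {verb:5} {res:8} ns={ns!s:5} -> "
              f"{can_i(MANIFESTS, user, groups, verb, res, ns)}")
```

The two "alice secrets" rows are the point of the last sentence above: the same ClusterRole bound with a RoleBinding works in dev and is refused in prod, and the same user has no path to the cluster-scoped nodes resource at all. On a real cluster the equivalent check is `kubectl auth can-i get secrets --namespace prod --as alice`.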
We can create Role, RoleBinding, ClusterRole & ClusterRoleBinding by using-
1. Kubernetes commands (imperative way)
2. yaml (declarative way)
3. Terraform
Examples-
Role-
1. Replace ROLE_NAME, ONE_OR_MORE_VERBS (comma separated), RESOURCE_NAMES (comma separated) and NAMESPACE_NAME accordingly.
kubectl create role ROLE_NAME --verb=ONE_OR_MORE_VERBS --resource=RESOURCE_NAMES --namespace NAMESPACE_NAME
2. Replace ROLE_NAME, ONE_OR_MORE_VERBS (comma separated, each within double quotes), API_GROUP_NAME (comma separated, each within double quotes), RESOURCE_NAMES (comma separated, each within double quotes) and NAMESPACE_NAME accordingly.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ROLE_NAME
  namespace: NAMESPACE_NAME
rules:
  - apiGroups: [ API_GROUP_NAME ]
    resources: [ RESOURCE_NAMES ]
    verbs: [ ONE_OR_MORE_VERBS ]
  - apiGroups: [ API_GROUP_NAME ]
    resources: [ RESOURCE_NAMES ]
    verbs: [ ONE_OR_MORE_VERBS ]
3. Replace TF_LOCAL_ROLE_NAME, ROLE_NAME, TF_LOCAL_NAMESPACE_NAME (Terraform reference to the namespace resource block), API_GROUP_NAME (comma separated, each within double quotes), RESOURCE_NAMES (comma separated, each within double quotes) and ONE_OR_MORE_VERBS (comma separated, each within double quotes) accordingly.
resource "kubernetes_role_v1" "TF_LOCAL_ROLE_NAME" {
  metadata {
    name      = "ROLE_NAME"
    namespace = kubernetes_namespace_v1.TF_LOCAL_NAMESPACE_NAME.metadata[0].name
  }
  rule {
    api_groups = [ API_GROUP_NAME ]
    resources  = [ RESOURCE_NAMES ]
    verbs      = [ ONE_OR_MORE_VERBS ]
  }
  rule {
    api_groups = [ API_GROUP_NAME ]
    resources  = [ RESOURCE_NAMES ]
    verbs      = [ ONE_OR_MORE_VERBS ]
  }
}
RoleBinding
1. Replace ROLE_BINDING_NAME, ROLE_NAME, USER_NAME and NAMESPACE_NAME accordingly.
kubectl create rolebinding ROLE_BINDING_NAME --role=ROLE_NAME --user=USER_NAME --namespace NAMESPACE_NAME
2. Replace ROLE_BINDING_NAME, NAMESPACE_NAME, ROLE_NAME, USER_NAME, GROUP_NAME and SERVICE_ACCOUNT_NAME accordingly.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ROLE_BINDING_NAME
  namespace: NAMESPACE_NAME
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ROLE_NAME
subjects:
  - kind: User
    name: USER_NAME
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: GROUP_NAME
    apiGroup: rbac.authorization.k8s.io
  - kind: ServiceAccount
    name: SERVICE_ACCOUNT_NAME
    namespace: NAMESPACE_NAME   # namespace of the Service Account
3. Replace TF_LOCAL_ROLEBINDING_NAME, ROLE_BINDING_NAME, TF_LOCAL_NAMESPACE_NAME (Terraform reference to the namespace resource block), TF_LOCAL_ROLE_NAME (Terraform reference to the role resource block), USER_NAME, GROUP_NAME and SERVICE_ACCOUNT_NAME accordingly.
resource "kubernetes_role_binding_v1" "TF_LOCAL_ROLEBINDING_NAME" {
  metadata {
    name      = "ROLE_BINDING_NAME"
    namespace = kubernetes_namespace_v1.TF_LOCAL_NAMESPACE_NAME.metadata[0].name
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role_v1.TF_LOCAL_ROLE_NAME.metadata[0].name
  }
  subject {
    kind      = "User"
    name      = "USER_NAME"
    api_group = "rbac.authorization.k8s.io"
  }
  subject {
    kind      = "Group"
    name      = "GROUP_NAME"
    api_group = "rbac.authorization.k8s.io"
  }
  subject {
    kind      = "ServiceAccount"
    name      = "SERVICE_ACCOUNT_NAME"
    namespace = "NAMESPACE_NAME"   # namespace of the Service Account
  }
}
ClusterRole
1. Replace CLUSTER_ROLE_NAME, ONE_OR_MORE_VERBS (comma separated) and RESOURCE_NAMES (comma separated) accordingly. A ClusterRole is not namespaced, so no namespace is given.
kubectl create clusterrole CLUSTER_ROLE_NAME --verb=ONE_OR_MORE_VERBS --resource=RESOURCE_NAMES
2. Replace CLUSTER_ROLE_NAME, API_GROUP_NAME (comma separated, each within double quotes), RESOURCE_NAMES (comma separated, each within double quotes) and ONE_OR_MORE_VERBS (comma separated, each within double quotes) accordingly.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: CLUSTER_ROLE_NAME
rules:
  - apiGroups: [ API_GROUP_NAME ]
    resources: [ RESOURCE_NAMES ]
    verbs: [ ONE_OR_MORE_VERBS ]
3. Replace TF_LOCAL_CLUSTERROLE_NAME, CLUSTER_ROLE_NAME, API_GROUP_NAME (comma separated, each within double quotes), RESOURCE_NAMES (comma separated, each within double quotes) and ONE_OR_MORE_VERBS (comma separated, each within double quotes) accordingly.
resource "kubernetes_cluster_role_v1" "TF_LOCAL_CLUSTERROLE_NAME" {
  metadata {
    name = "CLUSTER_ROLE_NAME"
  }
  rule {
    api_groups = [ API_GROUP_NAME ]
    resources  = [ RESOURCE_NAMES ]
    verbs      = [ ONE_OR_MORE_VERBS ]
  }
  rule {
    api_groups = [ API_GROUP_NAME ]
    resources  = [ RESOURCE_NAMES ]
    verbs      = [ ONE_OR_MORE_VERBS ]
  }
}
ClusterRoleBinding
1. Replace CLUSTERROLE_BINDING_NAME, CLUSTER_ROLE_NAME and USER_NAME accordingly.
kubectl create clusterrolebinding CLUSTERROLE_BINDING_NAME --clusterrole=CLUSTER_ROLE_NAME --user=USER_NAME
2. Replace CLUSTERROLE_BINDING_NAME, CLUSTER_ROLE_NAME, USER_NAME, GROUP_NAME and SERVICE_ACCOUNT_NAME accordingly.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: CLUSTERROLE_BINDING_NAME
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: CLUSTER_ROLE_NAME
subjects:
  - kind: User
    name: USER_NAME
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: GROUP_NAME
    apiGroup: rbac.authorization.k8s.io
  - kind: ServiceAccount
    name: SERVICE_ACCOUNT_NAME
    namespace: NAMESPACE_NAME   # namespace of the Service Account
3. Replace TF_LOCAL_CLUSTERROLEBINDING_NAME, CLUSTERROLE_BINDING_NAME, TF_LOCAL_CLUSTERROLE_NAME (Terraform reference to the cluster role resource block), USER_NAME, GROUP_NAME and SERVICE_ACCOUNT_NAME accordingly.
resource "kubernetes_cluster_role_binding_v1" "TF_LOCAL_CLUSTERROLEBINDING_NAME" {
  metadata {
    name = "CLUSTERROLE_BINDING_NAME"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = kubernetes_cluster_role_v1.TF_LOCAL_CLUSTERROLE_NAME.metadata[0].name
  }
  subject {
    kind      = "User"
    name      = "USER_NAME"
    api_group = "rbac.authorization.k8s.io"
  }
  subject {
    kind      = "Group"
    name      = "GROUP_NAME"
    api_group = "rbac.authorization.k8s.io"
  }
  subject {
    kind      = "ServiceAccount"
    name      = "SERVICE_ACCOUNT_NAME"
    namespace = "NAMESPACE_NAME"   # namespace of the Service Account
  }
}
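With the templates in place, a defender also wants to know what a set of manifests actually grants before applying them. The following added Python example (not code from the article) reviews Role/ClusterRole rules and RoleBinding/ClusterRoleBinding subjects for the grants that most often go wrong: full wildcards, the escalate/bind/impersonate verbs, read access to secrets, bindings of the built-in cluster-admin ClusterRole, and bindings to the system:anonymous or system:unauthenticated identities. It also reports, as information, where a ClusterRole is granted through a RoleBinding. The sample manifests and their names (pod-reader, everything, rbac-editor, dev-pods, open-admin, alice) are constructed for the example.

```python
"""Static review of RBAC manifests for over-broad grants (added example, not
from the article). Only the fields present in the article's templates are
inspected: rules in Role/ClusterRole, roleRef and subjects in the bindings.
The manifests at the bottom are constructed sample input, not real cluster data.
"""

# Verbs that let a holder widen their own rights: escalate, bind and impersonate
# are the verbs Kubernetes RBAC itself guards as privilege escalation; '*' covers all.
RISKY_VERBS = {"*", "escalate", "bind", "impersonate"}
# Built-in identities representing requests that carry no valid credentials.
UNAUTHENTICATED = {"system:anonymous", "system:unauthenticated"}
READ_VERBS = {"get", "list", "watch", "*"}


def review_role(role):
    """Findings for one Role or ClusterRole manifest."""
    findings = []
    ident = f'{role["kind"]}/{role["metadata"]["name"]}'
    for i, rule in enumerate(role.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups and "*" in resources and "*" in verbs:
            findings.append(f"{ident} rule[{i}]: wildcard groups, resources and verbs "
                            "(cluster-admin equivalent)")
            continue
        if verbs & RISKY_VERBS:
            findings.append(f"{ident} rule[{i}]: escalation verbs {sorted(verbs & RISKY_VERBS)}")
        if "secrets" in resources and verbs & READ_VERBS:
            findings.append(f"{ident} rule[{i}]: read access to secrets")
    return findings


def review_binding(binding):
    """Findings for one RoleBinding or ClusterRoleBinding manifest."""
    findings = []
    ident = f'{binding["kind"]}/{binding["metadata"]["name"]}'
    ref = binding["roleRef"]
    for s in binding.get("subjects", []):
        if s["kind"] in ("User", "Group") and s["name"] in UNAUTHENTICATED:
            findings.append(f"{ident}: bound to unauthenticated subject {s['name']}")
    if binding["kind"] == "ClusterRoleBinding" and ref["name"] == "cluster-admin":
        findings.append(f"{ident}: grants cluster-admin across the whole cluster")
    if binding["kind"] == "RoleBinding" and ref["kind"] == "ClusterRole":
        ns = binding["metadata"]["namespace"]
        findings.append(f"{ident}: info: ClusterRole {ref['name']} granted only inside namespace {ns}")
    return findings


def review(manifests):
    """Run every check and return the combined list of findings (empty means clean)."""
    findings = []
    for m in manifests:
        if m["kind"] in ("Role", "ClusterRole"):
            findings += review_role(m)
        elif m["kind"] in ("RoleBinding", "ClusterRoleBinding"):
            findings += review_binding(m)
    return findings


# Constructed sample manifests: one tight Role, two over-broad ClusterRoles and
# the bindings that show what each check catches.
SAMPLE = [
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "rbac-editor"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
                "verbs": ["bind", "escalate"]},
               {"apiGroups": [""], "resources": ["secrets"], "verbs": ["list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-pods", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "open-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Run against the sample, the tight pod-reader Role and its RoleBinding produce nothing, while the wildcard ClusterRole, the bind/escalate and secrets rules, and the cluster-admin binding to system:unauthenticated each produce a finding. The same checks can be run over the output of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` after loading the items list.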
Thanks
Thanks for reading the article. Could you read my other articles on LinkedIn too? And a humble request. I'm looking for a new job and would appreciate your support. I have 5.5+ years of experience in the following skills- AWS, Azure, Azure DevOps, Terraform, Kubernetes etc. I am currently serving as a DevOps Engineer at Accenture.