In this lesson, we’ll dive into Kubernetes Role-Based Access Control (RBAC) to manage permissions for users and services. We’ll cover:
- Inspecting API server authorization modes
- Counting existing Roles
- Examining the built-in
kube-proxy Role
- Reviewing RoleBindings for
kube-proxy
- Verifying
dev-user permissions
- Granting Pod permissions to
dev-user
- Fixing Pod permissions in the
blue namespace
- Granting Deployment permissions in the
blue namespace
1. Inspect API Server Authorization Modes
To confirm that RBAC is enabled, inspect the API server manifest:
kubectl -n kube-system get pod kube-apiserver -o yaml
--authorization-mode flag:
- --authorization-mode=Node,RBAC
ps aux | grep kube-apiserver
... --authorization-mode=Node,RBAC ...
RBAC must be enabled on your API server for Roles and RoleBindings to function correctly.
2. Count Existing Roles
List Roles in the default namespace:
kubectl get roles -n default
No resources found in default namespace.
kubectl get roles --all-namespaces --no-headers | wc -l
| Namespace | Role Count |
|---|
| default | 0 |
| all | 12 |
3. Examine the kube-proxy Role
View the kube-proxy Role in kube-system:
kubectl describe role kube-proxy -n kube-system
| Resource | Non-Resource URLs | Resource Names | Verbs |
|---|
| configmaps | [] | [kube-proxy] | [get] |
- True: It can get the ConfigMap named
kube-proxy.
- False: It cannot delete or update the ConfigMap.
- False: It cannot list or watch ConfigMaps.
4. Identify the Subject of the kube-proxy RoleBinding
List RoleBindings in kube-system:
kubectl get rolebindings -n kube-system
NAME ROLE
kube-proxy Role/kube-proxy
kube-proxy RoleBinding:
kubectl describe rolebinding kube-proxy -n kube-system
| Kind | Name |
|---|
| Group | system bootstrappers kube command default node token |
5. Verify dev-user Permissions
After adding dev-user to your kubeconfig:
Attempt to list Pods in default:
kubectl get pods --as dev-user
Error from server (Forbidden): pods is forbidden: User "dev-user" cannot list resource "pods" in API group "" in the namespace "default"
dev-user currently has no permissions in default. You must create Roles and RoleBindings to grant access.
6. Grant Pod Permissions to dev-user
6.1 Create the developer Role
kubectl create role developer \
--verb=list,create,delete \
--resource=pods \
-n default
kubectl describe role developer -n default
6.2 Bind dev-user to the Role
kubectl create rolebinding dev-user-binding \
--role=developer \
--user=dev-user \
-n default
kubectl describe rolebinding dev-user-binding -n default
dev-user can list Pods:
kubectl get pods --as dev-user -n default
7. Fix Permissions for a Pod in the blue Namespace
-
Inspect existing Roles and RoleBindings:
kubectl get roles,rolebindings -n blue
-
Describe the
developer Role:
kubectl describe role developer -n blue
-
Edit the Role to match the actual Pod name:
kubectl edit role developer -n blue
rules:
- apiGroups: ['']
resources:
- pods
resourceNames:
- dark-blue-app
verbs:
- get
- watch
- create
- delete
-
Verify access:
kubectl get pod dark-blue-app -n blue --as dev-user
8. Grant Deployment Permissions in the blue Namespace
-
Edit the
developer Role again:
kubectl edit role developer -n blue
-
Add a rule for
deployments in the apps API group:
rules:
- apiGroups: ['']
resources:
- pods
resourceNames:
- dark-blue-app
verbs:
- get
- watch
- create
- delete
- apiGroups: ['apps']
resources:
- deployments
verbs:
- get
- watch
- create
- delete
-
Verify:
kubectl describe role developer -n blue
-
Create a Deployment as
dev-user:
kubectl create deployment nginx \
--image=nginx \
-n blue \
--as dev-user
Links and References
