Example of User Facing ClusterRole aggregation
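##
# Example of User Facing ClusterRole aggregation
# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
#
# Note: This demo assumes switching back and forth between two terminal windows.
# It is not a bash script to be run in full.
#
# Terminal 1 uses an admin kubeconfig and creates the objects; terminal 2 uses
# the generated service-account kubeconfig and observes the effect of each step.
##

# --- terminal 1 (admin) ---

# Cluster api-server address. Defaults to the server of the current context;
# set `server` before pasting this section to override it.
server=${server:-$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')}

# Make Service Account (created in the current context's namespace)
kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-user
EOF

# Make token for SA. A service-account-token Secret is long-lived and does not
# expire on its own: delete it (and the SA) once the demo is finished.
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: test-user-secret
  annotations:
    kubernetes.io/service-account.name: test-user
type: kubernetes.io/service-account-token
EOF

# The token controller fills in the Secret's data asynchronously, so poll until
# the token field is present instead of reading it immediately after apply.
until token=$(kubectl get secret/test-user-secret -o jsonpath='{.data.token}') \
  && [[ -n "$token" ]]; do
  sleep 1
done
token=$(printf '%s' "$token" | base64 --decode)
namespace=$(kubectl get secret/test-user-secret -o jsonpath='{.data.namespace}' | base64 --decode)
# ca.crt is left base64-encoded: certificate-authority-data expects encoded input.
ca=$(kubectl get secret/test-user-secret -o jsonpath='{.data.ca\.crt}')

# Write the kubeconfig with owner-only permissions: the file embeds a bearer
# token that grants whatever the SA is bound to, so treat it like a credential.
( umask 077
  cat > service-account-kubeconfig.yaml <<EOF
apiVersion: v1
kind: Config
clusters:
- name: test-cluster
  cluster:
    server: ${server}
    certificate-authority-data: ${ca}
contexts:
- name: default-context
  context:
    cluster: test-cluster
    namespace: ${namespace}
    user: test-user
current-context: default-context
users:
- name: test-user
  user:
    token: ${token}
EOF
)

# --- terminal 2 (service account) ---

# set kubeconfig in terminal 2
export KUBECONFIG=service-account-kubeconfig.yaml
kubectl config use-context default-context
# this returns Forbidden error there: the SA has no bindings yet
kubectl get pods

# --- terminal 1 (admin) ---

# Now add view role binding, scoped to the namespace the SA lives in
kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-user-rb
  namespace: ${namespace}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: test-user
  namespace: ${namespace}
EOF

# --- terminal 2 (service account) ---

# Now this works because we bound the SA to the 'view' ClusterRole
kubectl get pods
# This doesn't work yet: the built-in 'view' role deliberately excludes secrets
kubectl get secrets

# --- terminal 1 (admin) ---

# Now add custom role aggregating to same ClusterRole as we bound to in roleBinding...
# Aggregation is cluster-wide: every subject bound to 'view' in any namespace
# gains read access to secrets in that namespace, not just test-user. That is
# the point of this demo, but on a real cluster prefer a dedicated ClusterRole
# bound only where the extra permission is actually needed.
kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: view-secrets
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs: ["get", "watch", "list"]
EOF

# --- terminal 2 (service account) ---

# And our (namespaced) rolebinding now inherits that ClusterRole permission through the 'view' ClusterRole
kubectl get secrets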