@cbron
Created July 23, 2020 16:37
Example of User Facing ClusterRole aggregation
##
# Example of User Facing ClusterRole aggregation
# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
#
# Note: This demo assumes switching back and forth between two terminal windows:
# terminal 1 uses your admin kubeconfig, terminal 2 uses the service-account
# kubeconfig generated below. It is not a bash script to be run in full.
##

# Terminal 1: set the cluster api-server address manually, e.g. taken from your
# current context with:
#   kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'
server=TODO

# Make Service Account (created in the current namespace, assumed to be 'default' below)
kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-user
EOF

# Make token for SA. The token controller fills in 'token', 'ca.crt' and
# 'namespace' on a Secret of this type that carries the annotation. This still
# works on Kubernetes 1.24+, which no longer auto-creates such Secrets for every
# SA ('kubectl create token test-user' is the short-lived alternative there).
# Whoever can read this Secret holds the SA's credentials: delete it after the demo.
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: test-user-secret
  annotations:
    kubernetes.io/service-account.name: test-user
type: kubernetes.io/service-account-token
EOF

# Give the token controller a moment to populate the Secret, then extract its fields.
# ca.crt stays base64-encoded because certificate-authority-data expects base64.
namespace=$(kubectl get secret/test-user-secret -o jsonpath='{$.data.namespace}' | base64 --decode)
token=$(kubectl get secret/test-user-secret -o jsonpath='{$.data.token}' | base64 --decode)
ca=$(kubectl get secret/test-user-secret -o jsonpath='{$.data.ca\.crt}')

# Write a kubeconfig that authenticates as the SA; the context namespace is the
# one recorded in the Secret, i.e. the namespace the SA lives in.
cat > service-account-kubeconfig.yaml <<EOF
apiVersion: v1
kind: Config
clusters:
- name: test-cluster
  cluster:
    server: ${server}
    certificate-authority-data: ${ca}
contexts:
- name: default-context
  context:
    cluster: test-cluster
    namespace: ${namespace}
    user: test-user
current-context: default-context
users:
- name: test-user
  user:
    token: ${token}
EOF
chmod 600 service-account-kubeconfig.yaml   # it contains a bearer token

# Terminal 2: use the SA kubeconfig
export KUBECONFIG=service-account-kubeconfig.yaml
kubectl config use-context default-context
# This returns a Forbidden error there: the SA has no role bindings yet
kubectl get pods

# Terminal 1: bind the SA to the built-in 'view' ClusterRole in its namespace only
kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-user-rb
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: test-user
  namespace: default
EOF

# Terminal 2: this now works because the SA is bound to the 'view' ClusterRole
kubectl get pods
# This does not work yet: 'view' deliberately carries no rule for secrets
kubectl get secrets

# Terminal 1: add a custom ClusterRole that aggregates into 'view', the same
# ClusterRole the RoleBinding above refers to. Nothing about the binding changes;
# the label is what makes the aggregation controller pick this role up.
kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: view-secrets
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs: ["get", "watch", "list"]
EOF

# Terminal 2: the (namespaced) RoleBinding is unchanged, but the controller has
# rewritten the rules of 'view' to the union of every ClusterRole labelled
# aggregate-to-view, so the SA can now read secrets in its namespace.
kubectl get secrets

# Terminal 1: verify the same thing without switching kubeconfigs
kubectl get clusterrole view -o yaml        # the secrets rule now appears under rules:
kubectl auth can-i list secrets --as=system:serviceaccount:default:test-user

##
# Caveats:
# - The built-in 'view' role omits secrets on purpose, since secret contents
#   include ServiceAccount tokens. This demo reverses that for every subject
#   bound to 'view' anywhere in the cluster, not just test-user.
# - 'view' is itself labelled aggregate-to-edit and 'edit' is labelled
#   aggregate-to-admin, so the new rule also flows into 'edit' and 'admin'.
# - Permission to create ClusterRoles carrying aggregate-to-* labels is therefore
#   permission to widen the user-facing roles cluster-wide; restrict it, and
#   audit with: kubectl get clusterroles -l rbac.authorization.k8s.io/aggregate-to-view=true
##
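To make the mechanism above concrete without a cluster, here is an added offline model of what the aggregation controller and the RBAC authorizer do during the demo. This is example code written for this page, not code from the gist or from Kubernetes: the role and binding objects are constructed by hand to mirror the demo (the names 'view', 'edit', 'system:aggregate-to-view', 'view-secrets' and the aggregate-to-* labels follow the cluster defaults and the gist, but the rule lists are abbreviated to pods rather than copied from a real cluster). It replays the four steps of the demo and also shows the two effects the gist does not print: the rule flowing on into 'edit', and the namespaced RoleBinding still not granting secrets elsewhere.

```python
"""Offline model of ClusterRole aggregation plus a namespaced 'can-i' check.

Added example, not code from the gist or from Kubernetes; role objects below are
hand-constructed to mirror the demo, with abbreviated rule lists."""
import copy

AGG = "rbac.authorization.k8s.io/aggregate-to-"


def selector_matches(selector, labels):
    """Evaluate one clusterRoleSelector (matchLabels plus the four
    matchExpressions operators) against a ClusterRole's labels."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True


def aggregate(roles):
    """Model the clusterrole-aggregation controller: each ClusterRole with an
    aggregationRule gets its rules replaced by the union of the rules of all
    other ClusterRoles matching any of its selectors. The real controller
    re-queues roles whose inputs change; iterating to a fixed point here yields
    the same end state, including chains such as view -> edit -> admin."""
    roles = copy.deepcopy(roles)
    changed = True
    while changed:
        changed = False
        for name, role in roles.items():
            selectors = role.get("aggregationRule", {}).get("clusterRoleSelectors", [])
            if not selectors:
                continue
            merged = []
            for other_name, other in roles.items():
                if other_name == name:
                    continue
                if any(selector_matches(s, other.get("labels", {})) for s in selectors):
                    for rule in other.get("rules", []):
                        if rule not in merged:
                            merged.append(rule)
            if merged != role.get("rules", []):
                role["rules"] = merged
                changed = True
    return roles


def rule_allows(rule, verb, group, resource):
    """A PolicyRule matches when apiGroups, resources and verbs each list the
    requested value or the '*' wildcard."""
    def hit(allowed, wanted):
        return "*" in allowed or wanted in allowed
    return (hit(rule["apiGroups"], group) and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def can_i(roles, bindings, subject, verb, group, resource, namespace):
    """RoleBindings only count in their own namespace, ClusterRoleBindings
    everywhere; roleRef is assumed to name a ClusterRole."""
    for binding in bindings:
        if subject not in binding["subjects"]:
            continue
        if binding["kind"] == "RoleBinding" and binding["namespace"] != namespace:
            continue
        rules = roles[binding["roleRef"]].get("rules", [])
        if any(rule_allows(r, verb, group, resource) for r in rules):
            return True
    return False


SUBJECT = "system:serviceaccount:default:test-user"
BASE_ROLES = {
    # view is fed by aggregate-to-view and, being labelled aggregate-to-edit,
    # feeds edit in turn, as the cluster defaults are wired.
    "view": {"labels": {AGG + "edit": "true"}, "rules": [],
             "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {AGG + "view": "true"}}]}},
    "edit": {"labels": {AGG + "admin": "true"}, "rules": [],
             "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {AGG + "edit": "true"}}]}},
    # Abbreviated stand-in for the default system:aggregate-to-view role (pods only).
    "system:aggregate-to-view": {"labels": {AGG + "view": "true"}, "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
}
# The ClusterRole the gist applies at the end of the demo.
VIEW_SECRETS = {"labels": {AGG + "view": "true"}, "rules": [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]}
# The gist's namespaced RoleBinding of test-user to the 'view' ClusterRole.
BINDINGS = [{"kind": "RoleBinding", "namespace": "default", "roleRef": "view", "subjects": [SUBJECT]}]


def demo():
    """Replay the demo: (pods before, secrets before, secrets after,
    secrets via 'edit' after, secrets in another namespace after)."""
    before = aggregate(BASE_ROLES)
    after = aggregate({**BASE_ROLES, "view-secrets": VIEW_SECRETS})
    return (
        can_i(before, BINDINGS, SUBJECT, "list", "", "pods", "default"),
        can_i(before, BINDINGS, SUBJECT, "list", "", "secrets", "default"),
        can_i(after, BINDINGS, SUBJECT, "list", "", "secrets", "default"),
        any(rule_allows(r, "list", "", "secrets") for r in after["edit"]["rules"]),
        can_i(after, BINDINGS, SUBJECT, "list", "", "secrets", "kube-system"),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, True, True, False)
```

The fourth value is the point the caveats make: the RoleBinding still names only 'view', yet adding one labelled ClusterRole changed the effective rules of 'view', 'edit' and, by the same chain, 'admin'. The fifth value shows the binding's namespace scope is untouched by aggregation.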