Created
March 20, 2019 17:50
-
-
Save richardsonlima/b51760951b3c1ddf7aa30fa99c21588c to your computer and use it in GitHub Desktop.
KUBERNETES RBAC: RESTRICT USER ACCESS TO ONE NAMESPACE
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| KUBERNETES RBAC: RESTRICT USER ACCESS TO ONE NAMESPACE | |
| 1. Create Namespace | |
| kubectl create namespace mynamespace | |
| 2. Create Service Account with permissions | |
| Open a new file. Let’s call it access.yaml. We’re going to create the user (service account), a role, and attach that role to that user. | |
| --- | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: mynamespace-user | |
| namespace: mynamespace | |
| --- | |
| kind: Role | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| metadata: | |
| name: mynamespace-user-full-access | |
| namespace: mynamespace | |
| rules: | |
| - apiGroups: ["", "extensions", "apps"] | |
| resources: ["*"] | |
| verbs: ["*"] | |
| - apiGroups: ["batch"] | |
| resources: | |
| - jobs | |
| - cronjobs | |
| verbs: ["*"] | |
| --- | |
| kind: RoleBinding | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| metadata: | |
| name: mynamespace-user-view | |
| namespace: mynamespace | |
| subjects: | |
| - kind: ServiceAccount | |
| name: mynamespace-user | |
| namespace: mynamespace | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: Role | |
| name: mynamespace-user-full-access | |
| As you can see, in the Role definition, we add full access to everything in that namespace, including batch types like jobs or cronjobs. As it is a Role, and not a ClusterRole, it is going to be applied to a single namespace: mynamespace. For more details about roles in Kubernetes, check out the official documentation. | |
| Now, let’s create all of this: | |
| kubectl create -f access.yaml | |
| You should see the three components being created. | |
| 3. Get Secrets | |
| The first thing we need to do now is to get the name of the service account’s secret. Run the following command and copy the name of the secret. | |
| kubectl describe sa mynamespace-user -n mynamespace | |
| For this tutorial, let’s say that the secret is named mynamespace-user-token-xxxxx. | |
| We now need to get the service account’s Token and the Certificate Authority. For this, we are going to read them using kubectl. Now, as Kubernetes secrets are base64 encoded, we’ll also need to decode them. | |
| Here’s how you get the User Token: | |
| kubectl get secret mynamespace-user-token-xxxxx -n mynamespace -o "jsonpath={.data.token}" | base64 -D | |
| And here’s how you get the Certificate: | |
| kubectl get secret mynamespace-user-token-xxxxx -n mynamespace -o "jsonpath={.data['ca\.crt']}" | |
| 4. Create Kube config | |
| We now have everything we need. The only thing remaining is creating the Kube config file, with the data we previously gathered: | |
| apiVersion: v1 | |
| kind: Config | |
| preferences: {} | |
| # Define the cluster | |
| clusters: | |
| - cluster: | |
| certificate-authority-data: PLACE CERTIFICATE HERE | |
| # You'll need the API endpoint of your Cluster here: | |
| server: https://YOUR_KUBERNETES_API_ENDPOINT | |
| name: my-cluster | |
| # Define the user | |
| users: | |
| - name: mynamespace-user | |
| user: | |
| as-user-extra: {} | |
| client-key-data: PLACE CERTIFICATE HERE | |
| token: PLACE USER TOKEN HERE | |
| # Define the context: linking a user to a cluster | |
| contexts: | |
| - context: | |
| cluster: my-cluster | |
| namespace: mynamespace | |
| user: mynamespace-user | |
| name: mynamespace | |
| # Define current context | |
| current-context: mynamespace | |
| And we’re done! 🎉 | |
| Note: another way to write the Kube config is to use kubectl directly. See kubectl config command reference. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment