A Practical Approach to Understanding Kubernetes Authorization
Let’s start with a quick recap of the environment and the scenario. We are dealing with a cluster running in the production environment where each department is associated with a namespace. We have Bob, the new hire in the DevOps team that we just on-boarded to the cluster as an administrator for the engineering namespace. He has been handed over the key and the signed certificate to access the Kubernetes cluster.
If you haven’t done so already, run the commands from the previous tutorial to complete the environment setup and configuring the credentials for Bob.
It’s time for us to authorize Bob to control the resources belonging to the engineering namespace.
We will first create a context for kubectl which makes it handy to switch between different environments.
|
1 2 3 4 5 |
kubectl config set-context eng-context \ --cluster=minikube \ --namespace=engineering \ --user=bob Context "eng-context" created. |
The above command created a new context pointing to the engineering namespace with Bob’s credentials within the minikube cluster. This results in a new section added to the ~/.kube/config file.
We will now create a simple pod within the engineering namespace:
|
1 2 3 4 5 6 7 8 9 10 11 12 |
apiVersion: v1 kind: Pod metadata: name: myapp namespace: engineering labels: app: myapp spec: containers: - name: myapp image: busybox command: ["/bin/sh", "-ec", "while :; do echo '.'; sleep 5 ; done"] |
|
1 2 |
kubectl create -f myapp.yaml pod/myapp created |
|
1 2 3 |
kubectl get pods -n=engineering NAME READY STATUS RESTARTS AGE myapp 1/1 Running 0 89s |
While you are able to create and manipulate the pods in the engineering namespace as the cluster administrator, Bob may not even be able to list the pods in the same namespace.
|
1 2 |
kubectl get pods --namespace engineering --as bob Error from server (Forbidden): pods is forbidden: User "bob" cannot list resource "pods" in API group "" in the namespace "engineering" |
In order to allow Bob to access the resources in the engineering namespace, we need to authorize him. This is done by creating a role with appropriate permissions and then binding it to user Bob. Essentially, we are using Role Based Access Control (RBAC) to explicitly allow Bob to perform specific actions against certain Kubernetes resources within the engineering namespace.
Create a Kubernetes role called eng-reader that has permissions to list pods in the engineering namespace.
|
1 2 3 4 5 6 7 8 9 |
kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: engineering name: eng-reader rules: - apiGroups: [""] # "" indicates the core API group resources: ["pods", "services", "nodes"] verbs: ["get", "watch", "list"] |
|
1 2 |
kubectl create -f role.yaml role.rbac.authorization.k8s.io/eng-reader created |
|
1 2 3 |
kubectl get roles --namespace=engineering NAME AGE eng-reader 58s |
Notice that the role doesn’t have any reference to Bob. We will apply the permissions specified in the role to Bob by creating a role binding. The below steps will do this for us.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: eng-read-access namespace: engineering subjects: - kind: User name: bob # Name is case sensitive apiGroup: rbac.authorization.k8s.io roleRef: kind: Role #this must be Role or ClusterRole name: eng-reader # this must match the name of the Role or ClusterRole you wish to bind to apiGroup: rbac.authorization.k8s.io |
|
1 2 |
kubectl create -f role-binding.yaml rolebinding.rbac.authorization.k8s.io/eng-read-access created |
|
1 2 3 |
kubectl get rolebindings --namespace=engineering NAME AGE eng-read-access 31s |
Let’s check if Bob is now able to access the pods.
|
1 2 3 |
kubectl get pods --namespace engineering --as bob NAME READY STATUS RESTARTS AGE myapp 1/1 Running 0 11m |
Since he is now associated with the eng-reader role, he gained the pod list permission.
At this point, Bob has pretty limited access within the cluster. All he can do is to list pods within the engineering namespace. This in itself is not very useful for Bob. He curiously checks the number of nodes in the cluster, and to his disappointment, he is greeted with a forbidden error.
|
1 2 |
kubectl get nodes --as bob Error from server (Forbidden): nodes is forbidden: User "bob" cannot list resource "nodes" in API group "" at the cluster scope |
Roles and role bindings in Kubernetes can be applied either at the namespace level or at the cluster level. We can now create a cluster role and an associated binding for Bob to enable him to list the nodes.
|
1 2 3 4 5 6 7 8 9 |
kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: # "namespace" omitted since ClusterRoles are not namespaced name: cluster-node-reader rules: - apiGroups: [""] resources: ["nodes"] verbs: ["get", "watch", "list"] |
|
1 2 |
kubectl create -f cluster-role.yaml clusterrole.rbac.authorization.k8s.io/cluster-node-reader created |
|
1 2 3 |
kubectl get clusterroles cluster-node-reader NAME AGE cluster-node-reader 49s |
|
1 2 3 4 5 6 7 8 9 10 11 12 |
kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: read-cluster-nodes subjects: - kind: User name: bob # Name is case sensitive apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: cluster-node-reader apiGroup: rbac.authorization.k8s.io |
|
1 2 |
kubectl create -f cluster-role-binding.yaml clusterrolebinding.rbac.authorization.k8s.io/read-cluster-nodes created |
|
1 2 3 |
kubectl get clusterrolebindings read-cluster-nodes NAME AGE read-cluster-nodes 35s |
Now, Bob is all set to list the nodes within the cluster.
|
1 2 3 |
kubectl get nodes --as bob NAME STATUS ROLES AGE VERSION minikube Ready master 52m v1.15.2 |
The objective of this walkthrough was to help you understand how roles and role bindings work in Kubernetes. In the last and final part of this series, we will explore service accounts. Stay tuned.
Janakiram MSV’s Webinar series, “Machine Intelligence and Modern Infrastructure (MI2)” offers informative and insightful sessions covering cutting-edge technologies. Sign up for the upcoming MI2 webinar at http://mi2.live.