Kubernetes / Security

A Practical Approach to Understanding Kubernetes Authorization

14 Aug 2019 3:00am, by

This article is a part of the Kubernetes security series that started a few weeks ago. The first article covered the overview and background of Kubernetes access control while the second part introduced the core concepts of authentication. In this installment, we will understand the concepts of authorization through a hands-on approach.

Let’s start with a quick recap of the environment and the scenario. We are dealing with a cluster running in the production environment where each department is associated with a namespace. We have Bob, the new hire in the DevOps team that we just on-boarded to the cluster as an administrator for the engineering namespace. He has been handed over the key and the signed certificate to access the Kubernetes cluster.

If you haven’t done so already, run the commands from the previous tutorial to complete the environment setup and configuring the credentials for Bob.

It’s time for us to authorize Bob to control the resources belonging to the engineering namespace.

We will first create a context for kubectl which makes it handy to switch between different environments.

The above command created a new context pointing to the engineering namespace with Bob’s credentials within the minikube cluster. This results in a new section added to the ~/.kube/config file.

We will now create a simple pod within the engineering namespace:

While you are able to create and manipulate the pods in the engineering namespace as the cluster administrator, Bob may not even be able to list the pods in the same namespace.

In order to allow Bob to access the resources in the engineering namespace, we need to authorize him. This is done by creating a role with appropriate permissions and then binding it to user Bob. Essentially, we are using Role Based Access Control (RBAC) to explicitly allow Bob to perform specific actions against certain Kubernetes resources within the engineering namespace.

Create a Kubernetes role called eng-reader that has permissions to list pods in the engineering namespace.

Notice that the role doesn’t have any reference to Bob. We will apply the permissions specified in the role to Bob by creating a role binding. The below steps will do this for us.

Let’s check if Bob is now able to access the pods.

Since he is now associated with the eng-reader role, he gained the pod list permission.

At this point, Bob has pretty limited access within the cluster. All he can do is to list pods within the engineering namespace. This in itself is not very useful for Bob. He curiously checks the number of nodes in the cluster, and to his disappointment, he is greeted with a forbidden error.

Roles and role bindings in Kubernetes can be applied either at the namespace level or at the cluster level. We can now create a cluster role and an associated binding for Bob to enable him to list the nodes.

Now, Bob is all set to list the nodes within the cluster.

The objective of this walkthrough was to help you understand how roles and role bindings work in Kubernetes. In the last and final part of this series, we will explore service accounts. Stay tuned.

Janakiram MSV’s Webinar series, “Machine Intelligence and Modern Infrastructure (MI2)” offers informative and insightful sessions covering cutting-edge technologies. Sign up for the upcoming MI2 webinar at http://mi2.live.

Feature Photo by Alice Donovan Rouse on Unsplash.

A newsletter digest of the week’s most important stories & analyses.

View / Add Comments

Please stay on topic and be respectful of others. Review our Terms of Use.