TNS
VOXPOP
Will JavaScript type annotations kill TypeScript?
The creators of Svelte and Turbo 8 both dropped TS recently saying that "it's not worth it".
Yes: If JavaScript gets type annotations then there's no reason for TypeScript to exist.
0%
No: TypeScript remains the best language for structuring large enterprise applications.
0%
TBD: The existing user base and its corpensource owner means that TypeScript isn’t likely to reach EOL without a putting up a fight.
0%
I hope they both die. I mean, if you really need strong types in the browser then you could leverage WASM and use a real programming language.
0%
I don’t know and I don’t care.
0%
Kubernetes / Security

A Practical Approach to Understanding Kubernetes Authorization

A hands-on view of how authorization works in Kubernetes.
Aug 14th, 2019 3:00am by
Featued image for: A Practical Approach to Understanding Kubernetes Authorization
Feature Photo by Alice Donovan Rouse on Unsplash.
This article is a part of the Kubernetes security series that started a few weeks ago. The first article covered the overview and background of Kubernetes access control while the second part introduced the core concepts of authentication. In this installment, we will understand the concepts of authorization through a hands-on approach.

Let’s start with a quick recap of the environment and the scenario. We are dealing with a cluster running in the production environment where each department is associated with a namespace. We have Bob, the new hire in the DevOps team that we just on-boarded to the cluster as an administrator for the engineering namespace. He has been handed over the key and the signed certificate to access the Kubernetes cluster.

If you haven’t done so already, run the commands from the previous tutorial to complete the environment setup and configuring the credentials for Bob.

It’s time for us to authorize Bob to control the resources belonging to the engineering namespace.

We will first create a context for kubectl which makes it handy to switch between different environments.


The above command created a new context pointing to the engineering namespace with Bob’s credentials within the minikube cluster. This results in a new section added to the ~/.kube/config file.

We will now create a simple pod within the engineering namespace:




While you are able to create and manipulate the pods in the engineering namespace as the cluster administrator, Bob may not even be able to list the pods in the same namespace.


In order to allow Bob to access the resources in the engineering namespace, we need to authorize him. This is done by creating a role with appropriate permissions and then binding it to user Bob. Essentially, we are using Role Based Access Control (RBAC) to explicitly allow Bob to perform specific actions against certain Kubernetes resources within the engineering namespace.

Create a Kubernetes role called eng-reader that has permissions to list pods in the engineering namespace.




Notice that the role doesn’t have any reference to Bob. We will apply the permissions specified in the role to Bob by creating a role binding. The below steps will do this for us.




Let’s check if Bob is now able to access the pods.


Since he is now associated with the eng-reader role, he gained the pod list permission.

At this point, Bob has pretty limited access within the cluster. All he can do is to list pods within the engineering namespace. This in itself is not very useful for Bob. He curiously checks the number of nodes in the cluster, and to his disappointment, he is greeted with a forbidden error.


Roles and role bindings in Kubernetes can be applied either at the namespace level or at the cluster level. We can now create a cluster role and an associated binding for Bob to enable him to list the nodes.







Now, Bob is all set to list the nodes within the cluster.


The objective of this walkthrough was to help you understand how roles and role bindings work in Kubernetes. In the last and final part of this series, we will explore service accounts. Stay tuned.

Janakiram MSV’s Webinar series, “Machine Intelligence and Modern Infrastructure (MI2)” offers informative and insightful sessions covering cutting-edge technologies. Sign up for the upcoming MI2 webinar at http://mi2.live.

Group Created with Sketch.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.