
RBAC — Kubernetes

Always learning
4 min read · Nov 23, 2023


Role-Based Access Control

Role-based access control (RBAC) is an access control method used to restrict access to certain resources in a computer system or network to only authorized users.

It is based on the roles that users have within an organization and the permissions that are associated with those roles.

Kubernetes RBAC API Objects

The RBAC API declares four kinds of Kubernetes objects.

  1. Role
  2. ClusterRole
  3. RoleBinding
  4. ClusterRoleBinding

RBAC in Kubernetes: Theory

A namespace is a group of related elements that each have a unique name or identifier.

Namespaces provide a method for preventing name conflicts in large projects.

kubectl create ns test
kubectl get ns

Service accounts are used to provide an identity for pods. Pods that want to interact with the API server will authenticate with a particular service account.

Create a serviceaccount.yml file

apiVersion: v1
kind: ServiceAccount
metadata:
  name: foo
  namespace: test

Apply the file

kubectl apply -f serviceaccount.yml

This creates a service account called foo in the namespace test.

Permissions assigned to the service account → a newly created service account has no permissions on its own.

How to check the permissions granted

kubectl auth can-i --as system:serviceaccount:test:foo get pods -n test

The answer is "no" → no rules are associated with the service account. So create a role.yml

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test
  name: testadmin
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

Apply the role.yml

kubectl apply -f role.yml

Run the same command again

kubectl auth can-i --as system:serviceaccount:test:foo get pods -n test

The output is still "no".

We created a Role, but we have not bound it to the service account yet.
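The post stops before the binding step. As an added example (not code from the original post), this POSIX shell script generates the RoleBinding that connects the testadmin Role to the foo service account in namespace test, applies it, and repeats the can-i check; it also queries a second namespace to show that the binding, and therefore the wildcard Role, only takes effect inside test. The function names and the --apply flag are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the original post. Names follow the walkthrough:
# namespace "test", Role "testadmin", ServiceAccount "foo". The function
# names and the --apply flag are this example's own choices.

# Print a RoleBinding manifest that grants the ServiceAccount "$3" the
# rules of Role "$2", scoped to namespace "$1".
rolebinding_manifest() {
  ns="$1"; role="$2"; sa="$3"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}-${role}
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
roleRef:
  kind: Role
  name: ${role}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Apply the binding, then repeat the post's check. The second can-i runs
# against a different namespace and is expected to answer "no": a
# RoleBinding only takes effect inside the namespace it lives in, so the
# wildcard Role never reaches beyond "test". kubectl exits non-zero on
# "no", so the last call is guarded to keep the function's status clean.
bind_and_check() {
  ns="$1"; role="$2"; sa="$3"; other="${4:-kube-system}"
  subject="system:serviceaccount:${ns}:${sa}"
  rolebinding_manifest "$ns" "$role" "$sa" | kubectl apply -f -
  printf 'in %s: ' "$ns";    kubectl auth can-i --as "$subject" get pods -n "$ns"
  printf 'in %s: ' "$other"; kubectl auth can-i --as "$subject" get pods -n "$other" || true
}

# Only talk to a cluster when explicitly asked (needs kubectl and a kubeconfig).
if [ "${1:-}" = "--apply" ]; then
  bind_and_check test testadmin foo
fi
```

Run it as `sh bind.sh --apply` after the Role from the post exists; the first check should now answer "yes" and the second "no".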
