Commit 3879d98 (1 parent: dfecd75). Showing 1 changed file with 173 additions and 0 deletions.
@@ -0,0 +1,173 @@ | ||
# Kubernetes RBAC Setup | ||
|
||
This guide provides instructions for creating roles, cluster roles, role bindings, and cluster role bindings in a Kubernetes cluster. RBAC (Role-Based Access Control) allows you to control access to resources within the cluster based on user roles and permissions. | ||
|
||
## Role | ||
The role.yaml file contains the configuration for creating a role named pod-reader. The role allows the user to perform actions like get, watch, and list on pods resources. | ||
|
||
``` | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: Role | ||
metadata: | ||
namespace: default | ||
name: pod-reader | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["pods"] | ||
verbs: ["get", "watch", "list"] | ||
``` | ||
|
||
### To apply this role: | ||
|
||
``` | ||
kubectl apply -f role.yaml | ||
``` | ||
|
||
### To check the created role: | ||
``` | ||
kubectl get role | ||
``` | ||
|
||
## Role Binding | ||
The rolebinding.yaml file defines a role binding named read-pods that binds the pod-reader role to the user jack in the default namespace. | ||
|
||
``` | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: read-pods | ||
namespace: default | ||
subjects: | ||
- kind: User | ||
name: jack | ||
apiGroup: rbac.authorization.k8s.io | ||
roleRef: | ||
kind: Role | ||
name: pod-reader | ||
apiGroup: rbac.authorization.k8s.io | ||
``` | ||
|
||
### To apply this role binding: | ||
|
||
``` | ||
kubectl apply -f rolebinding.yaml | ||
``` | ||
|
||
### To check the created role binding: | ||
|
||
``` | ||
kubectl get rolebinding | ||
``` | ||
|
||
### To check the permissions of the jack user: | ||
|
||
``` | ||
kubectl auth can-i get pod --as jack | ||
``` | ||
|
||
## Cluster Role | ||
The clusterrole.yaml file contains the configuration for creating a cluster role named secret-reader. This cluster role allows the user to perform actions like get, watch, and list on secrets resources. | ||
|
||
``` | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: secret-reader | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["secrets"] | ||
verbs: ["get", "watch", "list"] | ||
``` | ||
|
||
### To apply this cluster role: | ||
|
||
``` | ||
kubectl apply -f clusterrole.yaml | ||
``` | ||
|
||
### To check the created cluster role: | ||
|
||
``` | ||
kubectl get clusterrole | ||
``` | ||
|
||
## Role Binding (Namespace-level) | ||
The rolebinding.yaml file defines a role binding named read-secrets that binds the secret-reader cluster role to the user dev in the development namespace. | ||
|
||
``` | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: read-secrets | ||
namespace: development | ||
subjects: | ||
- kind: User | ||
name: dev | ||
apiGroup: rbac.authorization.k8s.io | ||
roleRef: | ||
kind: ClusterRole | ||
name: secret-reader | ||
apiGroup: rbac.authorization.k8s.io | ||
``` | ||
|
||
### To apply this role binding: | ||
|
||
``` | ||
kubectl apply -f rolebinding.yaml | ||
``` | ||
|
||
### To check the created role binding: | ||
|
||
``` | ||
kubectl get rolebinding | ||
``` | ||
|
||
### To check the permissions of the dev user in the development namespace: | ||
|
||
``` | ||
kubectl auth can-i get secret --as dev -n development | ||
``` | ||
|
||
## Cluster Role Binding | ||
The clusterrolebinding.yaml file contains the configuration for creating a cluster role binding named read-secrets-global. This cluster role binding binds the secret-reader cluster role to the user riya globally. | ||
|
||
``` | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: read-secrets-global | ||
subjects: | ||
- kind: User | ||
name: riya | ||
apiGroup: rbac.authorization.k8s.io | ||
roleRef: | ||
kind: ClusterRole | ||
name: secret-reader | ||
apiGroup: rbac.authorization.k8s.io | ||
``` | ||
|
||
### To apply this cluster role binding: | ||
|
||
``` | ||
kubectl apply -f clusterrolebinding.yaml | ||
``` | ||
|
||
### To check the created cluster role binding: | ||
|
||
``` | ||
kubectl get clusterrolebinding | ||
``` | ||
|
||
### To check the permissions of the riya user across all namespaces: | ||
|
||
``` | ||
kubectl auth can-i get secret --as riya -A | ||
``` | ||
|
||
## Conclusion | ||
In this guide, we have learned how to implement RBAC (Role-Based Access Control) in a Kubernetes cluster by creating roles, cluster roles, role bindings, and cluster role bindings. By applying the provided YAML files and using the kubectl commands, you can easily set up and manage access control and permissions for users within your Kubernetes environment. |
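Review bot: The "Role Binding (Namespace-level)" section reuses the file name rolebinding.yaml for a second, different RoleBinding (read-secrets in the development namespace), so the `kubectl apply -f rolebinding.yaml` step there either clobbers the read-pods file the reader saved earlier or applies the wrong object; give it a distinct name such as rolebinding-development.yaml (a name suggested here, not one from the commit) and use that name in the section's apply step. The check commands in that section are also scoped inconsistently with what they verify: `kubectl get rolebinding` lists only the current namespace, so it should read `kubectl get rolebinding -n development` to match the `-n development` already used on the `kubectl auth can-i get secret --as dev -n development` line that follows. Since this commit adds a single file and the diff shows only this guide, the role.yaml, rolebinding.yaml, clusterrole.yaml and clusterrolebinding.yaml that the apply steps reference are not in the repository; either commit them alongside the guide or say explicitly that the reader must save each YAML snippet under that name first. Finally, the Cluster Role Binding section should state the scope difference it demonstrates: binding secret-reader through a ClusterRoleBinding gives riya get, list and watch on every Secret in every namespace, including kube-system, whereas the RoleBinding to the same ClusterRole in the previous section limits dev to the development namespace; that contrast is the main reason to prefer a RoleBinding for a ClusterRole that grants access to secrets, and it is worth one sentence before the apply step.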