Scribd Logo
Upload

Welcome to Scribd!

  • 189 views

    Lab20 - Namespace - RBAC

    Uploaded by

    Soujanyana Sanagavarapu
    1. The document discusses role-based access control (RBAC) in Kubernetes. It describes creating namespaces, users, roles, rolebindings, and clusterrolebindings to configure access permissions. 2. The objectives are to create a namespace, user, role and rolebinding, and clusterrolebinding. The user is then given permission to list pods in the namespace. 3. Finally, the user is made a cluster-admin by creating a clusterrolebinding, allowing them to create pods across namespaces. Clean up steps delete the created resources.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    Lab20 - Namespace - RBAC

    Uploaded by

    Soujanyana Sanagavarapu
    189 views13 pages
    1. The document discusses role-based access control (RBAC) in Kubernetes. It describes creating namespaces, users, roles, rolebindings, and clusterrolebindings to configure access permissions. 2. The objectives are to create a namespace, user, role and rolebinding, and clusterrolebinding. The user is then given permission to list pods in the namespace. 3. Finally, the user is made a cluster-admin by creating a clusterrolebinding, allowing them to create pods across namespaces. Clean up steps delete the created resources.

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    1. The document discusses role-based access control (RBAC) in Kubernetes. It describes creating namespaces, users, roles, rolebindings, and clusterrolebindings to configure access permissions. 2. The objectives are to create a namespace, user, role and rolebinding, and clusterrolebinding. The user is then given permission to list pods in the namespace. 3. Finally, the user is made a cluster-admin by creating a clusterrolebinding, allowing them to create pods across namespaces. Clean up steps delete the created resources.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    189 views13 pages

    Lab20 - Namespace - RBAC

    Uploaded by

    Soujanyana Sanagavarapu
    1. The document discusses role-based access control (RBAC) in Kubernetes. It describes creating namespaces, users, roles, rolebindings, and clusterrolebindings to configure access permissions. 2. The objectives are to create a namespace, user, role and rolebinding, and clusterrolebinding. The user is then given permission to list pods in the namespace. 3. Finally, the user is made a cluster-admin by creating a clusterrolebinding, allowing them to create pods across namespaces. Clean up steps delete the created resources.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 13

    Lab: Role-based Access Control (RBAC)

    Introduction
    Role-based access control (RBAC) is a method of regulating access to computer or network
    resources based on the roles of individual users within your organization. RBAC authorization
    uses the rbac.authorization.k8s.io API group to drive authorization decisions, allowing you to
    dynamically configure policies through the Kubernetes API.

    In this lab, you will understand and work with the Namespace and RBAC.

    Objectives:
    • Create namespace
    • Create user
    • Create role & rolebinding
    • Create clusterrolebinding
    • Cleanup

    Note: Ensure you have running cluster deployed


    1. Ensure that you have logged-in as root user with password as linux on kube-master node.

    1.1 Let us clone the git repository which contains manifests required for this exercise, by
    executing the below command.

    # git clone https://github.com/EyesOnCloud/k8s-rbac.git


    Output:

    Student Material – Do Not Re-distribute. For any queries contact:


    [email protected] or https://www.linkedin.com/in/naushadpasha/
    1.2 Let us list the default namespaces by running below command.

    # kubectl get namespace


    Output:

    1.3 We can create a Namespace in two ways either by using kubectl create namespace
    command or by using configuration file.
    Create a new namespace with the name kube-core.

    # kubectl create namespace kube-core


    Output:

    1.4 Verify the namespace is actually created.

    # kubectl get namespace

    Output:

    Student Material – Do Not Re-distribute. For any queries contact:


    [email protected] or https://www.linkedin.com/in/naushadpasha/
    1.5 Describe the namespaces that you have just created.

    # kubectl describe namespace kube-core

    Output:

    1.6 Delete the namespace

    # kubectl delete namespace kube-core

    Output:

    1.7 Verify If there are any labels for namespaces.

    # kubectl get namespace --show-labels


    Output:

    Student Material – Do Not Re-distribute. For any queries contact:


    [email protected] or https://www.linkedin.com/in/naushadpasha/
    1.8 Verify the contexts for the current namespaces.

    # kubectl config view

    Output:

    1.9 Let's view the manifest of file used to create new namespaces.

    # cat -n ~/k8s-rbac/namespace-dev.json

    Output:

    Student Material – Do Not Re-distribute. For any queries contact:


    [email protected] or https://www.linkedin.com/in/naushadpasha/
    # cat -n ~/k8s-rbac/namespace-prod.json

    Output:

    1.10 Let us create the development and production namespace


    # kubectl create -f ~/k8s-rbac/namespace-dev.json
    Output:

    # kubectl create -f ~/k8s-rbac/namespace-prod.json


    Output:

    1.11 Let us list all of the namespaces in our cluster.


    # kubectl get namespaces --show-labels

    Output:

    Student Material – Do Not Re-distribute. For any queries contact:


    [email protected] or https://www.linkedin.com/in/naushadpasha/
    1.12 Let us create a user named employee, generate the self-signed certificates:

    # openssl genrsa -out ~/employee.key 2048


    Output:

    # openssl req -new -key ~/employee.key -out ~/employee.csr -


    subj "/CN=employee/O=office"

    # openssl x509 -req -in ~/employee.csr -CA


    /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key
    -CAcreateserial -out ~/employee.crt -days 500

    Output:

    1.13 Let’s add the user’s credentials to our kubeconfig file:

    # kubectl config set-credentials employee --client-


    certificate=/root/employee.crt --client-
    key=/root/employee.key

    Output:

    1.14 Set the context for production namespace.

    # kubectl config set-context production --namespace=production


    --cluster=kubernetes --user=employee

    Output:

    Student Material – Do Not Re-distribute. For any queries contact:


    [email protected] or https://www.linkedin.com/in/naushadpasha/
    1.15 List the available contexts.

    # kubectl config get-contexts

    Output:

    1.16 Switch to the newly created context.

    # kubectl config use-context production

    Output:

    1.17 Verify the current context in use.

    # kubectl config current-context production


    Output:

    1.18 Let us view the config, by executing the below command.

    # kubectl config view


    Output:

    Student Material – Do Not Re-distribute. For any queries contact:


    [email protected] or https://www.linkedin.com/in/naushadpasha/
    1.19 Now, let us test what level of privilege this user has

    # kubectl get pods

    Output:

    Note: Error is because the user has no privileges, let us now create roles and rolebindings which
    allows the user to list the pods in production name space.

    1.20 Switch back to the default namespaces:

    # kubectl config use-context kubernetes-admin@kubernetes

    Output:
    Student Material – Do Not Re-distribute. For any queries contact:
    [email protected] or https://www.linkedin.com/in/naushadpasha/
    1.21 Let us view the manifest of the role, by executing the below command:

    # cat -n ~/k8s-rbac/role-pod-reader.yaml

    Output:

    1.22 Create the role by executing the below command

    # kubectl create -f ~/k8s-rbac/role-pod-reader.yaml

    Output:

    1.23 Let us view the manifest for role binding, by executing the below command:

    # cat -n ~/k8s-rbac/rolebinding-pod-reader.yaml
    Output:

    Student Material – Do Not Re-distribute. For any queries contact:


    [email protected] or https://www.linkedin.com/in/naushadpasha/
    1.24 Let us create the rolebinding by executing the below command.

    # kubectl create -f ~/k8s-rbac/rolebinding-pod-reader.yaml


    Output

    1.25 Let us describe the role pod-reader, by executing the below command
    # kubectl describe role pod-reader --namespace=production

    Output:

    1.26 Let us describe the rolebinding read-pods, by executing the below command
    # kubectl describe rolebinding read-pods --
    namespace=production
    Output:

    1.27 Let us create a pod in the “production” namespace and see if the employee user can list

    # kubectl run --image nginx mypod --namespace=production

    Output:

    Student Material – Do Not Re-distribute. For any queries contact:


    [email protected] or https://www.linkedin.com/in/naushadpasha/
    1.28 Let us list the pods created, by executing the below command.

    # kubectl get pods --user=employee --namespace=production

    Output:

    1.29 Let us now try to create the pod as employee user, by executing the below command.

    # kubectl run --image nginx employeepod --user employee --


    namespace=production

    Output:

    Note: Pod creation failed as the user doesn’t have the privileges, we created the role to only
    list the pods (which the user can). Let’s us make the user as cluster admin.

    In most cases after provisioning our cluster using kops or kubeadm or any other popular tool
    Clusteradmin Role already exists in the cluster. We can use it and create only
    ClusterRoleBinding for our user “employee”.

    1.30 Let us verify the cluster roles, by executing the below command:

    # kubectl get clusterrole

    Output:

    Student Material – Do Not Re-distribute. For any queries contact:


    [email protected] or https://www.linkedin.com/in/naushadpasha/
    Note: The Role “cluster-admin” is already present. Let’s leverage it and create the
    clusterrolebinding

    1.31 Let us view the manifest for clusterrolebinding.

    # cat -n ~/k8s-rbac/clusterrolebinding.yaml

    Output:

    1.32 Create a ClusterRoleBinding for the employee account

    # kubectl create -f ~/k8s-rbac/clusterrolebinding.yaml

    Output:

    1.33 Now, the user employee is cluster-admin, let us now try to create the pod as employee
    user, by executing the below command.

    # kubectl run --image nginx employeepod --user employee --


    namespace=production

    Output:

    Note: User employee was able to create a pod in production namespace. Employee can also
    create the pods in the default namespace as he is cluster-admin.

    Student Material – Do Not Re-distribute. For any queries contact:


    [email protected] or https://www.linkedin.com/in/naushadpasha/
    1.34 Let us create an pod in default namespace as employee user, by executing the below
    command.
    # kubectl run --image nginx employeepod1 --user employee

    Output:

    1.35 Let us clean up by deleting, by executing the below commands

    # kubectl delete -f ~/k8s-rbac/

    Student Material – Do Not Re-distribute. For any queries contact:


    [email protected] or https://www.linkedin.com/in/naushadpasha/

    You might also like