Tutorial Highlights & Transcript
00:00 - Kubernetes Role-Based Access Control
01:12 - K8s RBAC Objects
Now, after creating these roles, we need to bind these roles to their particular user. For that, we have an object called role binding. Similarly, we use one more object to bind this role with the user called cluster binding which we use to bind the cluster roles to the particular user. Now, let us assume that we have a cluster and inside that cluster, we have a namespace. Within that namespace, we have a role and this role can be bound to a particular user using an object called role binding. Similarly, we have the cluster role. We can use this cluster role to bind the role to the particular user. Within this binding, you can use the role within the user. There is nothing more here you can bind. In this role binding, we don’t have any one-to-one relationship, we have many-to-many relationships. For example, we can attach a role to multiple users. Similarly, we can attach a single role to multiple users. We can attach multiple roles to a single user, as well. There is no one-to-one relationship in this role-based access.
03:55 - Creating a Namespace & Dev User
We need to follow a few steps before creating a user. For that, I’m going to change my directory to this .kube directory. I’m in this local directory. Now, I’m going to create a public key for this user called the dev user. Now I’m going to create a new public key for that user. I’m using this command to create a new user. Now I’m going to create and save the kube for this dev user. The CSR keys have been created.
05:30 - Adding an SSL Certificate & Qualitative User, Updating Config
Similarly, I’m going to update the config. On this config, I have updated the user name and the cluster and the namespace, and the user name. I’m going to update it. Now, I’m going to do this kubeconfig. Previously, there was no dev user and now we have the user called dev user in our config file. Similarly, we have created a context for the namespace called development and the context name is Dev user. Now, we are going to try to access the port using this dev user. Here, you can see that I haven’t mentioned any namespace yet, because we have updated the namespace in the context, as well. I’m going to try to get the port.
07:59 - Updating User Permissions
We are going to create a role and in the metadata, we have defined the namespace and the name of the role we are going to create inside the resource type. We are going to have mentioned what resource we are going to provide access for pod and pod logs. We are going to describe what action we are going to give permission for. We are going to give permission to get, watch, list, and update the pod. Now I’m going to create this manifest and update this manifest file, podreaderrole.yaml. This pod reader role has been created. Now I’m going to list this role. KubeCTL get role, I find and select, and this role has been created.
10:53 - Create a Role Binding
Let us try to access the port using this command. Previously, we were getting an access forbidden error, and now it shows that there is no resource found in this development namespace. We are going to try to create using the user called dev user. We are getting an access forbidden error because the dev user doesn’t have access to create the port. For now, I’m going to create a pod as an admin user in this namespace development. I’m going to get this port using this dev user. Now we are able to access this pod. This is how we are able to provide and restrict access using this role-based access control.
Vignesh joined nClouds in 2021 as a Support Engineer. He helps build infrastructure in AWS with his experience in AWS, DevOps, and cloud computing.