Method of regulating access
Based on roles of individual users
Roles are made of permissions for resources
Roles are defined …
Role
ClusterRole
Roles are applied …
RoleBinding
ClusterRoleBinding
Subjects are mostly service accounts
Role
defines permissions for the namespace
RoleBinding
assigns the role to a subject
ClusterRole
defines permissions
ClusterRoleBinding
assigns the role to a subject
ClusterRole
can be used in RoleBinding
This enables the reuse of cluster-wide roles
The role is available in the entire cluster
The rights apply in the namespace of the RoleBinding
Useful for pre-defined roles by a platform team
Show namespaced permissions
Show cluster-wide permissions
Show mixed permissions
Using kubectl auth can-i to check RBAC
Demonstrate rakkess
(Cluster)Roles require verbs and (sub)resources
Find supported resources:
kubectl api-resources
(Cluster)Roles require verbs and (sub)resources
Accepted verbs (lowercase, case-sensitive): create, get, list, watch, update, patch, delete
Find supported verbs for resources:
kubectl api-resources --output wide
(Cluster)Roles require verbs and (sub)resources
Some resources have subresources, e.g. pods/exec
Find supported verbs for resources and subresources (the core group under /api/v1, where pods/exec lives, is included alongside /apis/):
```bash
kubectl get --raw / | jq --raw-output '.paths[]' | grep -E "^/apis?/" \
| while read -r API; do
    echo "=== ${API}"
    # Group-level paths such as /apis/apps carry no .resources; only versioned
    # paths (/api/v1, /apis/apps/v1, ...) list resources, subresources and verbs
    kubectl get --raw "${API}" \
    | jq --raw-output 'select(.resources != null) | .resources[] | "\(.name): \(.verbs | join(", "))"'
done
```
Subjects are referenced in (Cluster)RoleBindings
Can be created: kubectl create sa <name>
Token authentication maps to service accounts
Internally referenced by system:serviceaccount:<ns>:<name>
Authentication backends can add users and groups
Certificate authentication maps to users
Limit access to specific resources using resourceNames
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: configmap-updater
rules:
```
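The two points above combined, reusing a ClusterRole through a namespaced RoleBinding and narrowing it with resourceNames, as an added example that is not from the original slides; the names app-config-updater, updater and app-config are assumptions:

```yaml
# Added example, not from the original slides. The ClusterRole is defined once
# for the whole cluster, but the RoleBinding below grants it only in "default".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: app-config-updater
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  # resourceNames limits the rule to one ConfigMap. "create" is left out on
  # purpose: the name of a new object is unknown at authorization time, so
  # create cannot be restricted by resourceNames.
  resourceNames: ["app-config"]
  verbs: ["get", "update", "patch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: updater
---
# Binding a ClusterRole with a RoleBinding: rights apply only in this namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: default
  name: app-config-updater
subjects:
- kind: ServiceAccount
  name: updater
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: app-config-updater
```

Verify the scoping with `kubectl auth can-i update configmaps/app-config -n default --as=system:serviceaccount:default:updater` (yes) against the same check with `-n kube-system` or for `configmaps/other` (no).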
kubectl
Create resources from the command line
kubectl create role
kubectl create clusterrole
kubectl create rolebinding
kubectl create clusterrolebinding
kubectl auth reconcile creates and updates RBAC … including referenced namespaces
Full sync with --remove-extra-permissions and --remove-extra-subjects
Use --dry-run=client to investigate changes before applying them