August 06, 2019

RBAC in k8s

k8s auth

Definitions and examples

Resources

The set of Kubernetes API Objects available in the cluster.
Examples:

  • Pods
  • Deployments
  • Services
  • Nodes
  • PersistentVolumes

Verbs

The set of operations that can be executed on the resources.
Examples:

  • list
  • get
  • watch
  • patch
  • delete

Subjects

The set of users, groups and processes that want to access the Kubernetes API.

  • Developer
  • Administrator
  • Process

Users: these are global (not namespaced) and are meant for humans or processes living outside the cluster. Kubernetes has no User object; a user is whatever identity the configured authenticator (client certificates, OIDC, static tokens) presents to the API server.
ServiceAccounts: these are namespaced and are meant for intra-cluster processes running inside pods. They authenticate as system:serviceaccount:<namespace>:<name>.

Roles and Clusterroles

Roles are used to grant permissions on resources within a namespace: a Role connects API resources and verbs. A Role can be reused for different subjects. Roles are bound to exactly one namespace (we cannot use wildcards to represent more than one, but we can deploy the same Role object in different namespaces). If we want the role to be applied cluster-wide, the equivalent object is a ClusterRole. A ClusterRole is also required for permissions on cluster-scoped resources such as Nodes and PersistentVolumes, and for non-resource endpoints such as /healthz.

to list all ClusterRoles, and to read the built-in view ClusterRole:
kubectl get clusterroles
kubectl get clusterrole view -o yaml

RoleBinding and ClusterroleBindings

RoleBindings are used to assign a role to subjects within a given namespace. This approach lets you logically segregate a single cluster (the AKS article linked below uses it this way), with users only able to access the application resources in their assigned namespace. Given a role, which already connects API objects and verbs, the binding establishes which subjects can use it. A RoleBinding may reference either a Role in the same namespace or a ClusterRole; in the second case the permissions are granted only in the namespace of the RoleBinding, which is how the built-in view, edit and admin ClusterRoles get reused per namespace. If you need to bind roles across the entire cluster, or to cluster-scoped resources outside any namespace, use a ClusterRoleBinding instead; it always references a ClusterRole and applies in every namespace.

example for creating a ClusterRoleBinding (this gives the dashboard's ServiceAccount read access in every namespace; note that the built-in view ClusterRole deliberately excludes Secrets, so prefer it over edit or cluster-admin for read-only consumers):

kubectl create clusterrolebinding kubernetes-dashboard \
   --clusterrole=view \
   --serviceaccount=kube-system:kubernetes-dashboard
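The scoping rules above (Role vs ClusterRole, RoleBinding vs ClusterRoleBinding, ServiceAccount naming) as an added offline evaluator. This is example code written for this note, not code from the original post or from Kubernetes; the manifests are constructed samples expressed as Python dicts mirroring what `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o yaml` returns, and the `view` ClusterRole is a trimmed stand-in for the real one. It models apiGroups/resources/verbs only (no resourceNames or subresources).

```python
"""Offline evaluator for Kubernetes RBAC decisions (added example, not from the page).

Mirrors the scoping the API server's RBAC authorizer applies: a RoleBinding
grants its role only in its own namespace (even when it references a
ClusterRole); a ClusterRoleBinding grants everywhere, including on
cluster-scoped resources. resourceNames and subresources are not modelled.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample policy, written as dicts mirroring `kubectl get ... -o yaml`.
CONSTRUCTED_POLICY = [
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    # trimmed stand-in for the built-in view ClusterRole (which also omits secrets)
    {"kind": "ClusterRole", "metadata": {"name": "view"},
     "rules": [{"apiGroups": ["", "apps"], "resources": ["pods", "services", "deployments"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "alice-pods", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    # RoleBinding referencing a ClusterRole: the grant is still limited to "staging"
    {"kind": "RoleBinding", "metadata": {"name": "bob-view", "namespace": "staging"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "bob"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "kubernetes-dashboard"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                   "namespace": "kube-system"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
]


@dataclass
class Request:
    user: str                       # e.g. "alice" or "system:serviceaccount:<ns>:<sa>"
    verb: str
    resource: str
    api_group: str = ""             # "" is the core group (pods, services, nodes, ...)
    namespace: Optional[str] = None  # None for cluster-scoped resources such as nodes
    groups: List[str] = field(default_factory=list)


def _matches(values: List[str], wanted: str) -> bool:
    return "*" in values or wanted in values


def rule_allows(rule: dict, req: Request) -> bool:
    return (_matches(rule.get("apiGroups", []), req.api_group)
            and _matches(rule.get("resources", []), req.resource)
            and _matches(rule.get("verbs", []), req.verb))


def subject_matches(subject: dict, req: Request) -> bool:
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return req.user == name
    if kind == "Group":
        return name in req.groups
    if kind == "ServiceAccount":  # SAs authenticate under this fixed user-name form
        return req.user == f"system:serviceaccount:{subject['namespace']}:{name}"
    return False


def _find_role(policy: List[dict], ref: dict, binding_ns: Optional[str]) -> Optional[dict]:
    for obj in policy:
        if obj["kind"] != ref["kind"] or obj["metadata"]["name"] != ref["name"]:
            continue
        if obj["kind"] == "Role" and obj["metadata"]["namespace"] != binding_ns:
            continue  # a Role is only reachable from RoleBindings in its own namespace
        return obj
    return None


def can_i(policy: List[dict], req: Request) -> Tuple[bool, str]:
    """Return (allowed, name of the binding that granted it or 'denied')."""
    for b in policy:
        if b["kind"] == "RoleBinding":
            binding_ns = b["metadata"]["namespace"]
            if req.namespace != binding_ns:   # also excludes cluster-scoped requests
                continue
        elif b["kind"] == "ClusterRoleBinding":
            binding_ns = None                 # in scope everywhere
        else:
            continue
        if not any(subject_matches(s, req) for s in b.get("subjects", [])):
            continue
        role = _find_role(policy, b["roleRef"], binding_ns)
        if role and any(rule_allows(r, req) for r in role.get("rules", [])):
            return True, b["metadata"]["name"]
    return False, "denied"


def cluster_admin_subjects(policy: List[dict]) -> List[str]:
    """Audit helper: subjects bound cluster-wide to the cluster-admin ClusterRole."""
    return [f"{s['kind']}/{s['name']}" for b in policy
            if b["kind"] == "ClusterRoleBinding" and b["roleRef"]["name"] == "cluster-admin"
            for s in b.get("subjects", [])]


if __name__ == "__main__":
    sa = "system:serviceaccount:kube-system:kubernetes-dashboard"
    print(can_i(CONSTRUCTED_POLICY, Request("bob", "list", "services", namespace="dev")))
    print(can_i(CONSTRUCTED_POLICY, Request(sa, "get", "secrets", namespace="kube-system")))
    print(cluster_admin_subjects(CONSTRUCTED_POLICY))
```

On a live cluster the same questions are answered by `kubectl auth can-i <verb> <resource> -n <ns> --as=<user>` (or `--as=system:serviceaccount:<ns>:<sa>`); the evaluator is useful when you only have a policy dump, for example when reviewing RBAC manifests before they are applied.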

Links:
https://blog.jreypo.io/containers/microsoft/azure/cloud/cloud-native/understanding-aks-built-in-roles/
https://dzone.com/articles/aks-scratch-to-production-ready
https://www.cncf.io/blog/2018/08/01/demystifying-rbac-in-kubernetes/