There are 3 elements involved in RBAC. In this post we are going to see how to provide user level access to resources.
Subjects - users or processes that want access to the Kubernetes API
Resources - Kubernetes API objects such as pods, deployments, etc.
Verbs - the set of operations, such as get, watch, create, etc.
I am using VirtualBox (running on an Ubuntu 18.04 physical machine) for this entire setup. The physical machine is a Dell Inspiron laptop with 12GB RAM, an Intel® Core™ i7-6500U CPU @ 2.50GHz × 4 and a 512GB SSD hard disk.
Step 1: Create a private key
Create a new directory and change into it.
Use the openssl command to generate a private key, user1.key.
Step 2: Generate a CSR
Use the private key generated in the previous step to generate the certificate signing request (CSR).
Step 3: Sign the CSR and generate certificate
The Kubernetes cluster keeps the CA (certificate authority) key and certificate under /etc/kubernetes/pki.
Use the CA certificate and key to sign the CSR
Now we have the private key user1.key and the signed certificate user1.crt.
Step 4: Set credential for the user
Now set the credentials for user1 using the private key and the signed certificate.
Step 5: Set context for the user
Now set the new context with the username, cluster, etc.
We can also map the context to a specific namespace using the --namespace option. By default it will use the default namespace.
Now we can see there are 2 contexts created.
Step 6: Create a role
Create a role and map the resources and verbs required.
Step 7: Create a rolebinding
Create a rolebinding and map the role and user.
Step 8: Verify role and rolebinding
List the role and rolebinding and verify both are created.
Step 9: Change the context and verify role based access
Switch to the newly created context user1-context.
Now we can see the current context is switched to user1-context.
Try to create a deployment.
The deployment creation fails because the role bound to user1 only grants access to the pod resource.
Now let's create a pod and verify the status.
We can see that the pod is created successfully and running in the new context.
We can also test the user's permissions with the command below.
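The nine steps above collected into one shell script, as an added example that is not part of the original post. It assumes the CA files under /etc/kubernetes/pki are readable by the caller, that the admin context is current when verify_access is run, and that the kubeconfig cluster is named kubernetes; the pod-manager and developers names are made up for the example.

```shell
# Added example, not the post's own commands: the nine steps as shell functions.
# Assumes the CA in /etc/kubernetes/pki is readable and the cluster is named "kubernetes".
set -eu
USER_NAME=user1
NAMESPACE=default
CLUSTER_NAME=kubernetes      # assumption; check with: kubectl config get-clusters
PKI_DIR=/etc/kubernetes/pki

# Steps 1-3: key, CSR, CA-signed cert. CN becomes the username, O the group.
make_user_cert() {
  openssl genrsa -out "$USER_NAME.key" 2048
  openssl req -new -key "$USER_NAME.key" -out "$USER_NAME.csr" -subj "/CN=$USER_NAME/O=developers"
  openssl x509 -req -in "$USER_NAME.csr" -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" \
    -CAcreateserial -out "$USER_NAME.crt" -days 365
}

# Steps 4-5: credentials, plus a context pinned to one namespace (--namespace).
configure_context() {
  kubectl config set-credentials "$USER_NAME" --client-key="$USER_NAME.key" --client-certificate="$USER_NAME.crt"
  kubectl config set-context "$USER_NAME-context" --cluster="$CLUSTER_NAME" --user="$USER_NAME" --namespace="$NAMESPACE"
}

# Steps 6-7: a Role covering pods only, and a RoleBinding to the user (YAML for review).
role_manifest() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: pod-manager, namespace: $NAMESPACE}
rules:
- {apiGroups: [""], resources: ["pods"], verbs: ["get", "list", "watch", "create"]}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: $USER_NAME-pod-manager, namespace: $NAMESPACE}
subjects: [{kind: User, name: $USER_NAME, apiGroup: rbac.authorization.k8s.io}]
roleRef: {kind: Role, name: pod-manager, apiGroup: rbac.authorization.k8s.io}
EOF
}

# Steps 8-9: apply as admin, switch to user1-context, then ask the API server what
# user1 may do: expect "yes" for pods and "no" for deployments (can-i exits 1 on "no").
verify_access() {
  role_manifest | kubectl apply -f -
  kubectl config use-context "$USER_NAME-context"
  kubectl auth can-i create pods -n "$NAMESPACE"
  kubectl auth can-i create deployments -n "$NAMESPACE" || true
}
```

Run make_user_cert, configure_context and verify_access in that order; review the output of role_manifest before applying it if you want different verbs.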