RBAC: How to limit access to a Kubernetes cluster's namespace
This post demonstrates basic RBAC authorization on a Kubernetes cluster. We will grant one user read-only access to a handful of resources in a single namespace. The examples described here were tested on a kubeadm cluster, but they can be applied to any Kubernetes cluster.
Let’s get started.
User: testgrp
Namespace: default
Access (verbs): ["get", "list", "watch"]
Resources: ["deployments", "replicasets", "pods", "services"]
Create User Credentials.
1. Create a private key for the user.
openssl genrsa -out testgrp.key 2048
2. Create a certificate signing request (CSR) testgrp.csr using the private key testgrp.key. Kubernetes takes the username from the certificate's CN and the user's group memberships from its O fields, so set them as your organization requires. For testing purposes, I am using IT as the organization.
openssl req -new -key testgrp.key -out testgrp.csr \
  -subj "/CN=testgrp/O=IT"
3. Generate the certificate testgrp.crt from testgrp.csr, signed by the cluster's CA. On a kubeadm cluster the CA key pair lives in /etc/kubernetes/pki, so this command runs on the control-plane node.
openssl x509 -req -in testgrp.csr \
-CA /etc/kubernetes/pki/ca.crt \
-CAkey /etc/kubernetes/pki/ca.key \
-CAcreateserial -out testgrp.crt -days 500
Store both testgrp.crt and testgrp.key in a secure location on the user's local machine (~/.certs/ in this example). The private key is the user's credential: anyone who holds it can act as testgrp.
4. Add the new credentials and a context that uses them to your kubeconfig. The cluster name kubernetes is what kubeadm writes into the kubeconfig; check yours with kubectl config get-clusters.
kubectl config set-credentials testgrp \
  --client-certificate=/home/testgrp/.certs/testgrp.crt \
  --client-key=/home/testgrp/.certs/testgrp.key
kubectl config set-context testgrp-context \
  --cluster=kubernetes --namespace=default --user=testgrp
5. Create a read-only-role.yaml file with the content below.
kubectl apply -f read-only-role.yaml
6. Bind the role with the user testgrp.
kubectl create -f rolebinding-read.yaml
7. Check testgrp access.
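The following script is an added example and is not code from the original post. It renders the two manifests that steps 5 and 6 apply (read-only-role.yaml and rolebinding-read.yaml) from the parameters listed at the top of the post, and it performs the step 7 check by asking the API server, as testgrp, what the user can and cannot do. The Role name read-only-role and the RoleBinding name read-only-binding are assumptions; the context name testgrp-context comes from step 4. One caveat worth keeping in mind: signing directly with /etc/kubernetes/pki/ca.key makes that key able to mint any identity, and Kubernetes cannot revoke client certificates, so keep the validity period short and the CA key tightly guarded.

```shell
#!/bin/sh
# Added example, not code from the original post. Renders the two manifests the
# post applies in steps 5 and 6 (read-only-role.yaml and rolebinding-read.yaml)
# from the parameters listed at the top of the post, and runs the step 7 check
# with `kubectl auth can-i`. Assumed (not stated in the post): the Role name
# read-only-role, the RoleBinding name read-only-binding, and the context name
# testgrp-context from step 4.
set -eu

NAMESPACE=default
USER_NAME=testgrp               # must match the CN of the client certificate
ROLE_NAME=read-only-role        # assumed
BINDING_NAME=read-only-binding  # assumed
VERBS='"get", "list", "watch"'
RESOURCES='"deployments", "replicasets", "pods", "services"'

# Role manifest. pods and services are in the core API group (""), deployments
# and replicasets in "apps". A rule matches a resource if it exists in any of
# the listed groups, so one rule naming both groups covers all four resources.
role_manifest() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: $ROLE_NAME
  namespace: $NAMESPACE
rules:
- apiGroups: ["", "apps"]
  resources: [$RESOURCES]
  verbs: [$VERBS]
EOF
}

# RoleBinding manifest. The subject is the User whose name equals the
# certificate CN. Role and RoleBinding are both namespaced, so the user gets
# nothing outside $NAMESPACE and nothing cluster-scoped (nodes, namespaces...).
rolebinding_manifest() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $BINDING_NAME
  namespace: $NAMESPACE
subjects:
- kind: User
  name: $USER_NAME
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: $ROLE_NAME
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Write both files into the directory given as $1 (the inputs for steps 5 and 6).
write_manifests() {
  role_manifest > "$1/read-only-role.yaml"
  rolebinding_manifest > "$1/rolebinding-read.yaml"
}

# Step 7: ask the API server, as testgrp (via the context from step 4), what it
# may and may not do. `kubectl auth can-i` prints "yes" or "no" and exits
# non-zero for "no". Returns 1 if any answer differs from the expectation.
check_access() {
  ctx=$1
  failed=0
  want() {  # want <yes|no> <verb> <resource> <namespace>
    ans=$(kubectl --context="$ctx" auth can-i "$2" "$3" -n "$4" 2>/dev/null || true)
    printf '%-6s %-12s in %-12s -> %s (expected %s)\n' "$2" "$3" "$4" "$ans" "$1"
    [ "$ans" = "$1" ] || failed=1
  }
  for res in deployments replicasets pods services; do
    for verb in get list watch; do
      want yes "$verb" "$res" "$NAMESPACE"
    done
  done
  # Negative checks: the binding must not leak write access, other resource
  # types, or other namespaces.
  want no delete pods "$NAMESPACE"
  want no list secrets "$NAMESPACE"
  want no list pods kube-system
  return $failed
}

case "${1:-print}" in
  print) role_manifest; echo '---'; rolebinding_manifest ;;
  write) write_manifests "${2:-.}" ;;
  check) check_access "${2:-testgrp-context}" ;;
  *) echo "usage: $0 [print | write DIR | check CONTEXT]" >&2; exit 2 ;;
esac
```

Run it with no arguments to print both manifests, with `write .` to create the two files that steps 5 and 6 apply, and with `check testgrp-context` after the binding is in place; the negative checks matter as much as the positive ones, because a binding that accidentally references a ClusterRole or the wrong namespace will pass the "yes" checks and still over-grant.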
We have created a user with limited access to the cluster.
Note: For more information, see https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/