RBAC: How to limit access on Kubernetes cluster’s namespace.

Joshua Carlton

2 min read · May 19, 2021

This post demonstrates basic RBAC authorization on a Kubernetes cluster. We will grant a user read-only access to a handful of resources in one namespace. The examples described here were tested on a kubeadm cluster, but they can be applied to any Kubernetes cluster.

Let’s get started.

User: testgrp

Namespace: default

Access (verbs): ["get", "list", "watch"]

Resources: ["deployments", "replicasets", "pods", "services"]

Create User Credentials.

1. Create a private key for the user.

openssl genrsa -out testgrp.key 2048

2. Create a certificate signing request (CSR) testgrp.csr using the private key testgrp.key. Make sure you specify CN and O as per your organization: Kubernetes takes the username from the CN and the group name from O. For testing purposes, I am using the Organization IT.

openssl req -new -key testgrp.key -out testgrp.csr \
  -subj "/CN=testgrp/O=IT"

3. Generate the certificate testgrp.crt using testgrp.csr. The signing authority is the cluster's default CA (for kubeadm, the files under /etc/kubernetes/pki/).

openssl x509 -req -in testgrp.csr \
  -CA /etc/kubernetes/pki/ca.crt \
  -CAkey /etc/kubernetes/pki/ca.key \
  -CAcreateserial -out testgrp.crt -days 500

Store both testgrp.crt and testgrp.key in a secure location (~/.certs/) on the local machine.

4. Add a new context with the new credentials for your Kubernetes cluster.

kubectl config set-credentials testgrp \
  --client-certificate=/home/testgrp/.certs/testgrp.crt \
  --client-key=/home/testgrp/.certs/testgrp.key

# "kubernetes" is the cluster name kubeadm writes into its kubeconfig;
# check yours with `kubectl config get-clusters`.
kubectl config set-context testgrp-context \
  --cluster=kubernetes --namespace=default --user=testgrp

kubectl config use-context testgrp-context

5. Create a read-only-role.yaml file with the content below.

kubectl apply -f read-only-role.yaml

6. Bind the role with the user testgrp.

kubectl create -f rolebinding-read.yaml

7. Check testgrp access.
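Steps 5 to 7 above, as an added example that is not the post's own gist files: this script renders a Role and a RoleBinding matching the spec at the top of the post (user testgrp, namespace default, verbs get/list/watch on deployments, replicasets, pods and services), writes them to read-only-role.yaml and rolebinding-read.yaml, applies them, and then checks the grant with `kubectl auth can-i`. The Role and RoleBinding names are assumptions; NAMESPACE and USER_NAME can be overridden from the environment.

```shell
#!/bin/sh
# Added example, not the post's original gist files. Renders the Role and
# RoleBinding for the spec at the top of the post and checks the result with
# `kubectl auth can-i`. Object names "read-only" and "read-only-binding" are
# assumptions; NAMESPACE and USER_NAME may be overridden from the environment.

NAMESPACE="${NAMESPACE:-default}"
USER_NAME="${USER_NAME:-testgrp}"

# Pods and services live in the core API group (""), deployments and
# replicasets in "apps"; a rule only matches resources in the groups it lists.
role_manifest() {
cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-only
  namespace: $NAMESPACE
rules:
- apiGroups: ["", "apps"]
  resources: ["deployments", "replicasets", "pods", "services"]
  verbs: ["get", "list", "watch"]
EOF
}

# The subject name must equal the CN of the client certificate; a RoleBinding
# (not a ClusterRoleBinding) keeps the grant scoped to this one namespace.
rolebinding_manifest() {
cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-only-binding
  namespace: $NAMESPACE
subjects:
- kind: User
  name: $USER_NAME
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: read-only
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Step 7 check, run with admin credentials: impersonating the user with --as
# answers "yes" or "no" without switching the kubeconfig context.
check_access() {
  kubectl auth can-i "$1" "$2" --as="$USER_NAME" -n "$NAMESPACE"
}

case "${1:-print}" in
  print)
    # Default action: print both manifests so they can be reviewed first.
    role_manifest; echo '---'; rolebinding_manifest ;;
  apply)
    role_manifest > read-only-role.yaml
    rolebinding_manifest > rolebinding-read.yaml
    kubectl apply -f read-only-role.yaml -f rolebinding-read.yaml
    check_access list pods          # expected: yes
    check_access get deployments    # expected: yes
    check_access delete pods        # expected: no (verb not granted)
    check_access get secrets        # expected: no (resource not granted)
    # Full picture of what the user may do in the namespace.
    kubectl auth can-i --list --as="$USER_NAME" -n "$NAMESPACE"
    ;;
esac
```

Run `sh rbac-example.sh` to print the manifests, or `sh rbac-example.sh apply` against the cluster with admin credentials. Two caveats worth keeping in mind: the O=IT field in the CSR makes testgrp a member of the group IT, so the binding could instead name `kind: Group` / `name: IT` to cover every certificate issued with that organization; and Kubernetes does not check certificate revocation, so a client certificate signed directly with the cluster CA key stays valid until it expires, which is a reason to keep `-days` short.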

We have created a user with limited, read-only access to the default namespace of the cluster.

Note: for more information, see https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
