15 RBAC
What is RBAC?
RBAC stands for Role-Based Access Control.
Scenario 1: Read & Write
• They would like to maintain a space in the cluster.
• In this space, they want full access for all their team members.
Scenario 2: Read & Write / Read Only
• They would also like to maintain a space in the cluster.
• In this space, some people need full access,
• and some engineers need only read access.
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
[Diagram: Step 1, Step 2, Step 3: the path of a kubectl get pods request, ending at ETCD]
Types of RBAC objects.
Role
• A Role sets permissions within a particular namespace.
• When you create a Role, you must specify the namespace it belongs in.
• A Role is a namespaced object.
ClusterRole
• A ClusterRole also sets permissions on resources, but at the cluster level.
• It is not a namespaced object.
• It can define permissions on namespaced resources that apply across all namespaces.
Role and ClusterRole examples
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: core
  name: development-role-1
rules:
# pods and the pods/log subresource live in the core ("") API group
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
# deployments live in the "apps" API group, and the resource name is plural;
# listing "deployment" under apiGroups [""] would match nothing
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: development-role-2
  namespace: core
rules:
# read-only access to every resource in the core API group, within namespace core
- apiGroups:
  - ""
  resources: ["*"]
  verbs:
  - get
  - list
  - watch
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: admin-cr
rules:
- apiGroups:
- ""
resources: ["*"]
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
• URL: https://kubernetes.io/docs/tasks/administer-cluster/certificates/
ServiceAccount
What are Kubernetes Service Accounts?
Default ServiceAccount.
[root@master1 ~]# kubectl create deployment nginx --image=nginx
deployment.apps/nginx created
[root@master1 ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
nginx-76d6c9b8c-k2z67 1/1 Running 0 46s
[Diagram: how the RBAC objects fit together]
• Role / ClusterRole: contain the Rules (what is allowed).
• Subjects: User, Group, ServiceAccount (who is allowed).
• RoleBinding / ClusterRoleBinding: where the rule is applied (namespace or cluster).
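The bindings that realise the two-team scenario above, using the slides' development-role-2 (read only) and admin-cr (full access) objects. This is an added example, not part of the original slides; the group names core-readers and core-admins and the service account ci-deployer are assumptions, and note that admin-cr as defined on the page only covers the core ("") API group.

```yaml
# Added example (not from the original slides).
# Read-only engineers: bind the namespaced Role development-role-2.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: core-readers-binding
  namespace: core              # a RoleBinding is namespaced: it applies only here
subjects:
- kind: Group
  name: core-readers           # assumed group name (e.g. the O= field of an X.509 client cert)
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: development-role-2     # read-only Role from the slides
  apiGroup: rbac.authorization.k8s.io
---
# Full-access team members: reference the ClusterRole admin-cr from a
# RoleBinding. The ClusterRole's rules are then granted only inside
# namespace core, not cluster-wide (a ClusterRoleBinding would do that).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: core-admins-binding
  namespace: core
subjects:
- kind: Group
  name: core-admins            # assumed group name
  apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
  name: ci-deployer            # assumed service account used by a pipeline
  namespace: core
roleRef:
  kind: ClusterRole
  name: admin-cr               # ClusterRole from the slides
  apiGroup: rbac.authorization.k8s.io
```

After applying the manifests, confirm the split with impersonation, e.g. `kubectl auth can-i delete pods -n core --as=someone --as-group=core-readers` should answer no, while the same query with `--as-group=core-admins` should answer yes.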