

Agenda of this video:
1. What is RBAC?
2. Why we use RBAC?
3. Types of RBAC
   • Role
   • ClusterRole
4. How to create Role and ClusterRole?
5. RoleBinding & ClusterRoleBinding.
6. How to create Role & ClusterRole from the command line?
7. How to create user, group & serviceaccount in a Kubernetes cluster?
8. LAB of RBAC
01 NOW WE WILL TALK ABOUT

What is RBAC?
RBAC stands for Role-based access control.

RBAC is a method of regulating access to computer or network resources based on the roles of individual users within your organization.

The RBAC API declares 4 kinds of Kubernetes object:

1. Role
2. RoleBinding
3. ClusterRole
4. ClusterRoleBinding
02 NOW WE WILL TALK ABOUT

Why we use RBAC?

(Diagram on the slide: a cluster of Master, Worker1 and Worker2; the Development Team gets "Read & Write" access to its space, the Operation Team gets "Read & Write" for some members and "Read Only" for others.)

Development Team
• They would like to maintain a space in the cluster.
• In this space, they want full access for all their team members.

Operation Team
• They would also like to maintain a space in the cluster.
• In this space, some people need full access, and some engineers need only read access.
Setting up the kubeconfig used by kubectl:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

(Diagram on the slide: a request such as `kubectl get pods` passes through the Kubernetes control plane in three steps before reaching ETCD.)

kubectl get pods  ->  Step 1: Authentication  ->  Step 2: Authorization  ->  Step 3: Admission Control  ->  ETCD

RBAC is the Authorization step: it decides whether the already-authenticated caller is allowed to perform the requested verb on the requested resource.


03 NOW WE WILL TALK ABOUT

Types of RBAC.
Role
• A Role sets permissions within a particular namespace.
• When you create a Role, you must specify the namespace it belongs in.
• A Role is a namespaced object.

ClusterRole
• A ClusterRole also sets permissions on resources, but at the cluster (global) level.
• It is not a namespaced object.
• It can define permissions for namespaced resources that apply across all namespaces, and for cluster-scoped resources (such as nodes) that a Role cannot cover.
04 NOW WE WILL TALK ABOUT

How to create Role and ClusterRole?

RBAC authorization uses the rbac.authorization.k8s.io API group to drive authorization decisions, allowing you to dynamically configure policies through the Kubernetes API.

Role developement-role-1: read-only access to pods, pod logs and deployments in the core namespace. Note that deployments belong to the "apps" API group, so they need their own rule; listing "deployment" under the core group "" would not grant anything.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: core
  name: developement-role-1
rules:
- apiGroups: [""]            # core API group: pods and the pods/log subresource
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]        # deployments live in the apps API group
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]

Role developement-role-2: read-only access to every resource in the core API group, in the core namespace (same rules written in YAML list form).

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developement-role-2
  namespace: core
rules:
- apiGroups:
  - ""
  resources: ["*"]
  verbs:
  - get
  - list
  - watch

ClusterRole admin-cr: all listed verbs on every resource in the core API group, cluster-wide.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: admin-cr
rules:
- apiGroups:
  - ""
  resources: ["*"]
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
05 NOW WE WILL TALK ABOUT

RoleBinding & ClusterRoleBinding.

RoleBinding developement-cluster-1: binds user raja to the Role developement-role-1 (defined above) inside the core namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developement-cluster-1
  namespace: core
subjects:
- kind: User
  name: raja
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developement-role-1
  apiGroup: rbac.authorization.k8s.io

ClusterRoleBinding read-secrets-global-crb1: binds user raja to the ClusterRole admin-cr (defined above) across the whole cluster.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global-crb1
roleRef:
  kind: ClusterRole
  name: admin-cr
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  name: raja
  apiGroup: rbac.authorization.k8s.io
06 NOW WE WILL TALK ABOUT

How to create Role & ClusterRole from the command line?

kubectl create -n core role developement11 --verb=get --verb=list --verb=watch --resource=pods

kubectl create -n core role developement12 --verb=get,list,watch --resource=pods

kubectl create -n core role developement13 --verb=get,list,watch,create --resource=Deployment,StatefulSet

kubectl create -n core role developement13 --verb=get,list,watch,create --resource=Deployment,StatefulSet --resource-name=test-pod2

kubectl create -n core rolebinding dev-rb-1 --role=developement11 --user=raja

Checking the result with `kubectl auth can-i` (impersonating the user with --as):

[root@master1 rbac]# kubectl auth can-i list pods --namespace core --as raja
yes
[root@master1 rbac]# kubectl auth can-i create pods --namespace core --as raja
no
[root@master1 rbac]# kubectl auth can-i list secrets --namespace core --as raja
no

kubectl create clusterrole deploy-secret-cr2 --verb=get,list,watch --resource=pods

kubectl create clusterrole deploy-secret-cr3 --verb=get --resource=pods --resource-name=test-pod1,test-pod2

kubectl create clusterrole deploy-secret-cr4 --verb=get,list,watch --resource=replicasets.apps,deployment

kubectl create clusterrole deploy-admin-cr5 --verb=* --resource=*

kubectl create rolebinding myapp-view-binding1 --clusterrole=deploy-secret-cr2 --user=raja -n=core

kubectl create clusterrolebinding root-cluster-admin-binding --clusterrole=deploy-secret-cr2 --user=admin

kubectl create clusterrolebinding myapp-crb1 --clusterrole=deploy-secret-cr2 --serviceaccount=core:myapp


07 NOW WE WILL TALK ABOUT

How to create user, group & serviceaccount in a Kubernetes cluster?
Normal User
• Step 1. Generate the Key
• Step 2. Create a Certificate Signing Request (CSR)
• Step 3. Download the Certificate (CRT) from the CA (via the API). Tools that can be used for the CA / certificates:
  1. openssl
  2. easyrsa
  3. cfssl
• Step 4. Use CRT + Key

• URL: https://kubernetes.io/docs/tasks/administer-cluster/certificates/
ServiceAccount
• What are Kubernetes Service Accounts?
• Why we use Service Accounts in Kubernetes?
• Default ServiceAccount.
[root@master1 ~]# kubectl create deployment nginx --image=nginx
deployment.apps/nginx created
[root@master1 ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
nginx-76d6c9b8c-k2z67 1/1 Running 0 46s

[root@master1 ~]# kubectl get pods nginx-76d6c9b8c-k2z67 -o yaml


apiVersion: v1
kind: Pod
metadata:
annotations:
labels:
app: nginx
pod-template-hash: 76d6c9b8c
name: nginx-76d6c9b8c-k2z67
namespace: default
.
.
.
serviceAccount: default
serviceAccountName: default
root@nginx-76d6c9b8c-k2z67:/# cat /var/run/secrets/kubernetes.io/serviceaccount/token
ServiceAccount (continued)
• How to create a Service Account?

kubectl create namespace app-team1
namespace/app-team1 created

kubectl create clusterrole deployment-clusterrole --verb=create --resource=Deployment,StatefulSet,DaemonSet
clusterrole.rbac.authorization.k8s.io/deployment-clusterrole created

kubectl create serviceaccount cicd-token -n app-team1
serviceaccount/cicd-token created

kubectl create clusterrolebinding deploy-b --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token
clusterrolebinding.rbac.authorization.k8s.io/deploy-b created

kubectl auth can-i create Deployment --as system:serviceaccount:app-team1:cicd-token --namespace=app-team1
08 NOW WE WILL TALK ABOUT

LAB + EXAM

Summary (table on the slide):
• Role / ClusterRole: define the Rules (which verbs are allowed on which resources).
• RoleBinding / ClusterRoleBinding: define where the rule is applied and to whom (User, Group, ServiceAccount).
• Role + RoleBinding: apply on 1 namespace only.
• ClusterRole + ClusterRoleBinding: apply on the whole cluster.
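The binding semantics from the RoleBinding & ClusterRoleBinding section and the summary above, as an added example that is not from the slides: a small Python model of how the API server answers `kubectl auth can-i`. The namespaces (dev, ops), role names and group names are assumptions, chosen to mirror the Development Team / Operation Team scenario.

```python
# Constructed example: a minimal model of how the API server answers
# "kubectl auth can-i" from Role/ClusterRole rules and their bindings.
# Namespaces, role names and subjects below are assumptions, not from the slides.

ROLES = {  # (kind, namespace, name) -> rules; a ClusterRole has namespace None
    ("Role", "dev", "dev-full"): [
        {"apiGroups": ["", "apps"], "resources": ["*"], "verbs": ["*"]}],
    ("ClusterRole", None, "read-only"): [
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "watch"]},
        # deployments live in the "apps" API group, so they need their own rule
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch"]}],
    ("ClusterRole", None, "admin-cr"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

BINDINGS = [  # namespace is None for a ClusterRoleBinding
    {"kind": "RoleBinding", "namespace": "dev", "roleRef": ("Role", "dev-full"),
     "subjects": [("Group", "dev-team")]},
    # A ClusterRole bound through a RoleBinding only takes effect in that namespace.
    {"kind": "RoleBinding", "namespace": "ops", "roleRef": ("ClusterRole", "read-only"),
     "subjects": [("Group", "ops-readers")]},
    {"kind": "ClusterRoleBinding", "namespace": None, "roleRef": ("ClusterRole", "admin-cr"),
     "subjects": [("User", "raja")]},
]

def rule_allows(rule, verb, api_group, resource):
    """A rule matches when the verb, API group and resource each match or are '*'."""
    return (any(g in (api_group, "*") for g in rule["apiGroups"])
            and any(r in (resource, "*") for r in rule["resources"])
            and any(v in (verb, "*") for v in rule["verbs"]))

def can_i(subjects, verb, resource, namespace, api_group=""):
    """subjects: (kind, name) pairs for the caller (the user plus its groups)."""
    for b in BINDINGS:
        if not any(s in b["subjects"] for s in subjects):
            continue
        # A RoleBinding scopes whatever it references to its own namespace.
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        ref_kind, ref_name = b["roleRef"]
        ref_ns = b["namespace"] if ref_kind == "Role" else None
        if any(rule_allows(r, verb, api_group, resource)
               for r in ROLES.get((ref_kind, ref_ns, ref_name), [])):
            return True
    return False  # RBAC is deny by default: no matching rule means "no"
```

Run `can_i([("Group", "ops-readers")], "list", "pods", "dev")` to see that a ClusterRole bound by a RoleBinding does not leak into other namespaces, and compare `api_group=""` with `api_group="apps"` for deployments to see why the API group in a rule matters.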
