Kubernetes Role Based Access Control Concepts: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
(6 intermediate revisions by the same user not shown) | |||
Line 4: | Line 4: | ||
=Overview= | =Overview= | ||
In Kubernetes, granting a role to an application-specific service account is a best practice to ensure that the application is operated in a specified scope. | In Kubernetes, granting a role to an application-specific [[Kubernetes_Security_Concepts#Service_Accounts_and_Roles|service account]] is a best practice to ensure that the application is operated in a specified security scope. | ||
<font color=darkgray>TODO: | <font color=darkgray>TODO: | ||
* https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/</font> | * https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/</font> | ||
=Roles and Service Accounts= | |||
<font color=darkgray>TODO: | |||
* https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions</font> | |||
=Cluster Role= | =Cluster Role= | ||
Line 41: | Line 46: | ||
- watch | - watch | ||
</syntaxhighlight> | </syntaxhighlight> | ||
==Cluster Administrator== | |||
=Cluster Role Binding= | =Cluster Role Binding= | ||
Line 104: | Line 110: | ||
name: some-role | name: some-role | ||
subjects: | subjects: | ||
- | - kind: ServiceAccount | ||
kind: User | name: blue-sa | ||
namespace: blue | |||
- kind: User | |||
name: some-user | name: some-user | ||
</syntaxhighlight> | </syntaxhighlight> | ||
=RBAC Operations= | =RBAC Operations= | ||
* [[Kubernetes_RBAC_Operations#Create_a_Role|Create a role]] | |||
* [[Kubernetes_RBAC_Operations#Assigning_a_Cluster_Role_to_a_Service_Account| | * [[Kubernetes_RBAC_Operations#Create_a_Role_Binding|Create a role binding]] | ||
* [[Kubernetes_RBAC_Operations#Assigning_a_Cluster_Role_to_a_Service_Account|Assign a cluster role to a service account]] |
Latest revision as of 19:59, 23 September 2021
Internal
Overview
In Kubernetes, granting a role to an application-specific service account is a best practice to ensure that the application is operated in a specified security scope.
TODO:
Roles and Service Accounts
TODO:
Cluster Role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: edit
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
rbac.authorization.k8s.io/aggregate-to-admin: "true"
resourceVersion: "316"
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups:
- ""
resources:
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
- secrets
- services/proxy
verbs:
- get
- list
- watch
Cluster Administrator
Cluster Role Binding
A ClusterRoleBinding can be bound to only one role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: cluster-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:masters
Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: some-role
namespace: some-namespace
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- apiGroups:
- ""
resourceNames:
- some-specific-resourcename
resources:
- configmaps
verbs:
- get
- update
- patch
Role Binding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
name: some-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: some-role
subjects:
- kind: ServiceAccount
name: blue-sa
namespace: blue
- kind: User
name: some-user