Kubernetes Role Based Access Control Concepts
Jump to navigation
Jump to search
Internal
Overview
In Kubernetes, granting a role to an application-specific service account is a best practice to ensure that the application is operated in a specified security scope.
TODO:
Roles and Service Accounts
TODO:
Cluster Role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: edit
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
rbac.authorization.k8s.io/aggregate-to-admin: "true"
resourceVersion: "316"
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups:
- ""
resources:
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
- secrets
- services/proxy
verbs:
- get
- list
- watch
Cluster Administrator
Cluster Role Binding
A ClusterRoleBinding can be bound to only one role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: cluster-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:masters
Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: some-role
namespace: some-namespace
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- apiGroups:
- ""
resourceNames:
- some-specific-resourcename
resources:
- configmaps
verbs:
- get
- update
- patch
Role Binding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
name: some-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: some-role
subjects:
- kind: ServiceAccount
name: blue-sa
namespace: blue
- kind: User
name: some-user