Kubernetes Role Based Access Control Concepts

From NovaOrdis Knowledge Base
Latest revision as of 19:59, 23 September 2021

Internal

Overview

In Kubernetes, granting a role to an application-specific service account is a best practice: it ensures the application operates only within an explicitly specified security scope.

TODO: https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/

Roles and Service Accounts

TODO: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions

Cluster Role

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: edit
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
  resourceVersion: "316"
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
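The aggregationRule on the edit ClusterRole above means its rules are not authored directly: the RBAC aggregation controller replaces them with the union of the rules of every ClusterRole whose labels match one of the clusterRoleSelectors. Because edit is itself labelled rbac.authorization.k8s.io/aggregate-to-admin, whatever is aggregated into edit flows on into the built-in admin role. The following is an added example, not content from this page or from Kubernetes itself; it re-implements that aggregation in miniature to show why the labels deserve auditing. The system:aggregate-to-edit role carries the rule excerpt shown above, the admin role's selector is reconstructed from the built-in definition, and team-x-extra is a constructed third-party role. Only matchLabels selectors are modelled.

```python
"""ClusterRole aggregation, worked through in miniature (added example)."""

# The rules displayed on "edit" are controller-managed output: they come from
# ClusterRoles labelled rbac.authorization.k8s.io/aggregate-to-edit, such as the
# built-in system:aggregate-to-edit. Its rule here is the excerpt from the page.
AGGREGATE_TO_EDIT = {
    "metadata": {"name": "system:aggregate-to-edit",
                 "labels": {"rbac.authorization.k8s.io/aggregate-to-edit": "true"}},
    "rules": [{"apiGroups": [""],
               "resources": ["pods/attach", "pods/exec", "pods/portforward",
                             "pods/proxy", "secrets", "services/proxy"],
               "verbs": ["get", "list", "watch"]}],
}
# "edit" as on the page: selects aggregate-to-edit and is itself labelled
# aggregate-to-admin, so its resolved rules flow on into "admin".
EDIT = {
    "metadata": {"name": "edit",
                 "labels": {"rbac.authorization.k8s.io/aggregate-to-admin": "true"}},
    "aggregationRule": {"clusterRoleSelectors": [
        {"matchLabels": {"rbac.authorization.k8s.io/aggregate-to-edit": "true"}}]},
    "rules": [],
}
# Built-in "admin" (reconstructed, not on the page): aggregates aggregate-to-admin.
ADMIN = {
    "metadata": {"name": "admin"},
    "aggregationRule": {"clusterRoleSelectors": [
        {"matchLabels": {"rbac.authorization.k8s.io/aggregate-to-admin": "true"}}]},
    "rules": [],
}
# Constructed third-party role: the label alone makes it part of edit and admin.
TEAM_X_EXTRA = {
    "metadata": {"name": "team-x-extra",
                 "labels": {"rbac.authorization.k8s.io/aggregate-to-edit": "true"}},
    "rules": [{"apiGroups": [""], "resources": ["namespaces"], "verbs": ["delete"]}],
}
CLUSTER_ROLES = [ADMIN, EDIT, AGGREGATE_TO_EDIT, TEAM_X_EXTRA]


def _selector_matches(selector, labels):
    """matchLabels semantics: every key/value pair must be present in labels."""
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())


def aggregate(cluster_roles):
    """Return ({name: resolved role}, {name: [contributing role names]}).

    Like the controller, repeat until no aggregated role's rules change, so a
    role that feeds another aggregated role (edit -> admin) resolves correctly
    regardless of the order the roles are listed in.
    """
    roles = {r["metadata"]["name"]: dict(r) for r in cluster_roles}
    sources = {}
    changed = True
    while changed:
        changed = False
        for name, role in roles.items():
            selectors = role.get("aggregationRule", {}).get("clusterRoleSelectors", [])
            if not selectors:
                continue
            merged, contributors = [], []
            for other_name, other in roles.items():
                labels = other["metadata"].get("labels", {})
                if other_name != name and any(_selector_matches(s, labels) for s in selectors):
                    contributors.append(other_name)
                    for rule in other["rules"]:
                        if rule not in merged:
                            merged.append(rule)
            sources[name] = contributors
            if merged != role["rules"]:
                role["rules"] = merged
                changed = True
    return roles, sources


def grants(role, verb, resource):
    """True if any rule of the (resolved) role allows verb on a core-group resource."""
    return any(verb in r["verbs"] and resource in r["resources"] for r in role["rules"])


def audit(cluster_roles,
          watch=(("secrets", "list"), ("pods/exec", "get"), ("namespaces", "delete"))):
    """List (aggregated role, permission, contributing role) for watched permissions."""
    roles, sources = aggregate(cluster_roles)
    return [(name, f"{verb} {resource}", src)
            for name, contributors in sources.items()
            for resource, verb in watch
            for src in contributors if grants(roles[src], verb, resource)]


if __name__ == "__main__":
    for role_name, permission, via in audit(CLUSTER_ROLES):
        print(f"{role_name:6} gets '{permission}' via {via}")
```

Running it shows the constructed team-x-extra role handing "delete namespaces" to every subject bound to edit or admin purely through its label. The defensive check this suggests is to list ClusterRoles carrying rbac.authorization.k8s.io/aggregate-to-* labels and confirm each is intended.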

Cluster Administrator

Cluster Role Binding

A ClusterRoleBinding binds exactly one role (its roleRef) to one or more subjects.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters

Role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: some-role
  namespace: some-namespace
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resourceNames:
  - some-specific-resourcename
  resources:
  - configmaps
  verbs:
  - get
  - update
  - patch

Role Binding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: some-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: some-role
subjects:
- kind: ServiceAccount
  name: blue-sa
  namespace: blue
- kind: User
  name: some-user
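The four manifests above only become an access decision when the authorizer combines them: a binding names the subjects, its roleRef names a single role, and the role's rules are an allow-list evaluated for the request's verb, API group, resource, optional resource name and namespace. The following is an added example, not code from this page or from Kubernetes: a toy authorizer that transcribes the page's Role, RoleBinding and ClusterRoleBinding into Python dicts and answers "can this subject do that?" for a few requests. It also goes beyond the page in one respect, modelling a RoleBinding that references a ClusterRole, which is the way to grant a ClusterRole's rules inside a single namespace. Assumptions: the RoleBinding above is taken to live in some-namespace (a RoleBinding to a Role must be in that Role's namespace), the cluster-admin ClusterRole's wildcard rule is reconstructed from the built-in definition, the edit-in-blue binding and the user identities are constructed, and nonResourceURLs and aggregation are not modelled.

```python
"""Toy RBAC authorizer combining Role, ClusterRole, RoleBinding and
ClusterRoleBinding (added example, not from the wiki page)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset = frozenset()
    service_account: Optional[tuple] = None  # (namespace, name) when a pod is asking


def service_account(namespace, name):
    """The identity a pod running as this service account authenticates with."""
    return Principal(
        user=f"system:serviceaccount:{namespace}:{name}",
        groups=frozenset({"system:serviceaccounts",
                          f"system:serviceaccounts:{namespace}", "system:authenticated"}),
        service_account=(namespace, name))


# Role "some-role" in "some-namespace" (from the page).
SOME_ROLE = {"rules": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "update", "patch"],
     "resourceNames": ["some-specific-resourcename"]}]}
# ClusterRole "edit": the rule excerpt shown on the page.
EDIT = {"rules": [{"apiGroups": [""], "verbs": ["get", "list", "watch"],
                   "resources": ["pods/attach", "pods/exec", "pods/portforward",
                                 "pods/proxy", "secrets", "services/proxy"]}]}
# Built-in cluster-admin: every verb on every resource (reconstructed, not on the page).
CLUSTER_ADMIN = {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}

ROLES = {("some-namespace", "some-role"): SOME_ROLE}
CLUSTER_ROLES = {"edit": EDIT, "cluster-admin": CLUSTER_ADMIN}
BINDINGS = [
    # ClusterRoleBinding "cluster-admin" from the page: group system:masters, all namespaces.
    {"kind": "ClusterRoleBinding", "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    # RoleBinding "some-role-binding" from the page; namespace assumed to be some-namespace.
    {"kind": "RoleBinding", "namespace": "some-namespace",
     "roleRef": {"kind": "Role", "name": "some-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "blue-sa", "namespace": "blue"},
                  {"kind": "User", "name": "some-user"}]},
    # Constructed: a RoleBinding in "blue" referencing the ClusterRole "edit".
    # The ClusterRole's rules then apply inside "blue" only, not cluster-wide.
    {"kind": "RoleBinding", "namespace": "blue",
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "blue-sa", "namespace": "blue"}]},
]


def rule_allows(rule, verb, api_group, resource, name):
    """A PolicyRule is an allow-list: '*' matches anything, and resourceNames,
    when present, narrows the rule to those named objects."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    if not (hit(rule["verbs"], verb) and hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource)):
        return False
    names = rule.get("resourceNames")
    return not names or (name is not None and name in names)


def subject_matches(subject, who):
    """User and Group subjects match the authenticated identity; ServiceAccount
    subjects match the (namespace, name) pair the pod runs as."""
    if subject["kind"] == "User":
        return subject["name"] == who.user
    if subject["kind"] == "Group":
        return subject["name"] in who.groups
    if subject["kind"] == "ServiceAccount":
        return who.service_account == (subject["namespace"], subject["name"])
    return False


def can_i(who, verb, resource, namespace, api_group="", name=None):
    """RBAC is deny-by-default: True only if a binding naming `who` refers to a
    role with a rule allowing the request. ClusterRoleBindings apply in every
    namespace; RoleBindings apply only in their own, even when binding a ClusterRole."""
    for binding in BINDINGS:
        if not any(subject_matches(s, who) for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        if binding["kind"] == "ClusterRoleBinding":
            role = CLUSTER_ROLES.get(ref["name"])
        elif binding["namespace"] != namespace:
            continue
        elif ref["kind"] == "ClusterRole":
            role = CLUSTER_ROLES.get(ref["name"])
        else:
            role = ROLES.get((namespace, ref["name"]))
        if role and any(rule_allows(r, verb, api_group, resource, name) for r in role["rules"]):
            return True
    return False


BLUE_SA = service_account("blue", "blue-sa")
SOME_USER = Principal(user="some-user", groups=frozenset({"system:authenticated"}))
CLUSTER_ADMIN_USER = Principal(user="kubernetes-admin",
                               groups=frozenset({"system:masters", "system:authenticated"}))

if __name__ == "__main__":
    for who, verb, resource, ns, name in [
            (BLUE_SA, "get", "pods", "some-namespace", None),
            (BLUE_SA, "get", "pods", "blue", None),
            (BLUE_SA, "get", "secrets", "blue", None),
            (BLUE_SA, "get", "secrets", "some-namespace", None),
            (BLUE_SA, "update", "configmaps", "some-namespace", "some-specific-resourcename"),
            (BLUE_SA, "update", "configmaps", "some-namespace", "other-configmap"),
            (CLUSTER_ADMIN_USER, "delete", "secrets", "kube-system", None)]:
        print(f"{who.user:45} {verb:7}{resource:11}in {ns:15}{name or '':30}"
              f"-> {can_i(who, verb, resource, ns, name=name)}")
```

The run makes the scope rules visible: blue-sa reads pods in some-namespace but not in blue, reads secrets in blue (edit bound by a RoleBinding) but not in some-namespace, and may update only the one named configmap; a member of system:masters is allowed everything everywhere through the single ClusterRoleBinding. On a live cluster the equivalent question is asked with kubectl auth can-i.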

RBAC Operations