Create users and define RBAC in Kubernetes

When you run a Kubernetes cluster for your microservice deployments, sooner or later you need to give other people (typically the developers) access to the cluster so they can manage their own services.

A self-hosted cluster (for example one built with kubeadm) comes with an admin kubeconfig that is bound to the cluster-admin ClusterRole. Do not hand those credentials to developers: cluster-admin has full access to every resource in the cluster, so a small mistake, or a compromised laptop, turns into a cluster-wide problem.

The recommended approach is to create a separate identity for each person and bind it to a Role limited to what that person actually needs.

In this tutorial I will show how to create a user and give them access to a single namespace.

My user prabhin belongs to a developer group and needs to manage all the resources under the data-collection namespace.

Let's see how to do that.

Create a new user called prabhin

Kubernetes has no User object: a user exists as soon as the API server can authenticate a credential that names it. With client certificates the API server takes the username from the certificate's CN and the group memberships from its O fields, so creating a user means issuing a certificate signed by the cluster CA.

Generate the private key for prabhin


openssl genrsa -out prabhin.key 2048

Generate the certificate signing request (CSR) for prabhin


openssl req -new -key prabhin.key -out prabhin.csr -subj "/CN=prabhin/O=admin"

CN is the username and O is the group prabhin belongs to; here the group is named admin. The group name is arbitrary and only has to match the subject of the RoleBinding created later, so pick a descriptive one such as developers. Never put a user in system:masters: members of that group are treated as cluster administrators regardless of RBAC, and because Kubernetes does not revoke client certificates, the only way to take that back is to wait for the certificate to expire or to rotate the cluster CA.

Generate the certificate for prabhin, signed by the Kubernetes CA

This step has to run where the CA key is available, which on a kubeadm cluster is a control-plane node. Keep the lifetime short: the API server does not check revocation lists, so a leaked certificate stays valid until it expires, and 500 days is generous for a developer credential. An alternative that avoids touching ca.key at all is the certificates.k8s.io CertificateSigningRequest API: submit the CSR with signerName kubernetes.io/kube-apiserver-client and usage client auth, approve it with kubectl certificate approve, and read the issued certificate from the object's status.


openssl x509 -req -in prabhin.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out prabhin.crt -days 500

Create the .kube/config file for prabhin

The cluster entry carries the base64-encoded CA certificate and the API server address; the context ties the cluster to the user (the key is user, not the username) and sets data-collection as the default namespace so the developer does not need -n on every command; the user entry points at the certificate and key. To hand over a single self-contained file instead of file paths, kubectl config set-credentials with --embed-certs=true stores both as base64 data.


apiVersion: v1
kind: Config
preferences: {}
clusters:
- name: kubernetes
  cluster:
    certificate-authority-data: {base64-encoded contents of /etc/kubernetes/pki/ca.crt}
    server: https://{IP address or DNS name of the API server}:6443
contexts:
- name: prabhin-context
  context:
    cluster: kubernetes
    user: prabhin
    namespace: data-collection
current-context: prabhin-context
users:
- name: prabhin
  user:
    client-certificate: /path/to/cert/prabhin.crt
    client-key: /path/to/key/prabhin.key


Create the role for the data-collection namespace


apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: editor
  namespace: data-collection
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]

Check what this Role grants before handing it out. resources: ["*"] with verbs: ["*"] in the core group covers every namespaced resource in that group, including secrets and serviceaccounts, and the wildcard also matches subresources such as pods/exec and pods/portforward, so the holder can read every Secret in the namespace and exec into any pod. The extensions group is legacy and carries no resources on current clusters (its workload types moved to apps in v1.16 and Ingress to networking.k8s.io in v1.22), while networking.k8s.io itself is not listed, so Ingresses and NetworkPolicies are out of scope. If that is broader than intended, enumerate the resources the developers actually need, or bind the built-in view or edit ClusterRole with a RoleBinding (keep in mind that edit also grants Secret access).


kubectl -n data-collection apply -f role.yaml

Create the RoleBinding in the data-collection namespace


# Assign the role to a group
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: editor-rolebinding
  namespace: data-collection
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: editor
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: {group-name}   # must equal the O= value in the users' certificates (admin in the CSR above)

The binding above is by group: every user whose client certificate carries that group in its O field (admin in the CSR generated earlier) receives the editor role in the data-collection namespace, and the name in the binding must match the certificate exactly.

If you need to bind to an individual user instead, the subject looks like this:

subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: prabhin

Binding to a group scales better: a new developer only needs a certificate that carries the group, and no RoleBinding has to change. The trade-off with certificate authentication is that group membership is baked into the certificate and cannot be revoked, so removing one person from the group means waiting for their certificate to expire (another reason for short lifetimes), whereas a per-user subject can be dropped from the RoleBinding immediately. Whichever you choose, verify the result with kubectl auth can-i from the admin kubeconfig, impersonating the developer with --as=prabhin --as-group=admin -n data-collection, and then once more with the developer's own kubeconfig.

kubectl -n data-collection apply -f rolebinding-apm.yaml
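To see what the editor Role above actually grants before you bind it, here is an added example (written for this edit, not code from the post) that mirrors the RBAC authorizer's matching rules for resource requests: wildcard apiGroups, resources and verbs, plus the */subresource form. It does not model resourceNames, nonResourceURLs or namespaces (the Role is namespaced, so everything it allows is limited to data-collection). The editor rules are transcribed from the YAML above; the tighter developer Role and the list of requests it checks are constructed for illustration and are an assumption about what the developers need.

```python
"""Offline audit of what a Kubernetes Role grants.

Added example for this tutorial, not code from the post. Mirrors the RBAC
authorizer's matching for resource requests (wildcard apiGroups/resources/
verbs and the "*/subresource" form); resourceNames and nonResourceURLs are
not modelled because the Role above does not use them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    api_groups: tuple
    resources: tuple
    verbs: tuple


def _verb_matches(rule: Rule, verb: str) -> bool:
    return "*" in rule.verbs or verb in rule.verbs


def _group_matches(rule: Rule, group: str) -> bool:
    # The core group is the empty string, exactly as in the YAML.
    return "*" in rule.api_groups or group in rule.api_groups


def _resource_matches(rule: Rule, resource: str) -> bool:
    # `resource` is a plain resource ("pods") or a combined one ("pods/exec").
    for r in rule.resources:
        if r == "*" or r == resource:        # "*" also matches subresources
            return True
        if "/" in resource and r == "*/" + resource.split("/", 1)[1]:
            return True
    return False


def allowed(rules, group, resource, verb) -> bool:
    """RBAC is additive: allowed if any rule matches, there is no deny rule."""
    return any(
        _verb_matches(r, verb) and _group_matches(r, group) and _resource_matches(r, resource)
        for r in rules
    )


# The editor Role from the tutorial, transcribed from its YAML.
EDITOR = (
    Rule(("", "extensions", "apps"), ("*",), ("*",)),
    Rule(("batch",), ("jobs", "cronjobs"), ("*",)),
    Rule(("autoscaling",), ("horizontalpodautoscalers",),
         ("create", "delete", "patch", "update", "get", "watch", "list")),
)

# Assumed alternative: enumerate what developers need and leave out secrets,
# serviceaccounts and exec (hypothetical Role, not from the post).
RW = ("get", "list", "watch", "create", "update", "patch", "delete")
RO = ("get", "list", "watch")
DEVELOPER = (
    Rule(("",), ("pods", "services", "configmaps", "persistentvolumeclaims"), RW),
    Rule(("",), ("pods/log", "events"), RO),
    Rule(("apps",), ("deployments", "statefulsets", "daemonsets", "replicasets"), RW),
    Rule(("batch",), ("jobs", "cronjobs"), RW),
    Rule(("autoscaling",), ("horizontalpodautoscalers",), RW),
)

# Constructed requests: everyday developer actions plus the ones a reviewer
# should worry about.
CHECKS = (
    ("", "pods", "create"),
    ("apps", "deployments", "patch"),
    ("batch", "cronjobs", "delete"),
    ("", "pods/log", "get"),
    ("", "secrets", "list"),
    ("", "serviceaccounts", "create"),
    ("", "pods/exec", "create"),
    ("networking.k8s.io", "ingresses", "get"),
    ("rbac.authorization.k8s.io", "rolebindings", "create"),
)

# Requests that a namespace-scoped developer role should normally not allow.
SENSITIVE = (
    ("", "secrets", "get"),
    ("", "secrets", "list"),
    ("", "serviceaccounts", "create"),
    ("", "pods/exec", "create"),
)


def audit(rules, checks=CHECKS):
    """Map 'group/resource verb' -> allowed, for a human-readable report."""
    return {f"{g or 'core'}/{res} {verb}": allowed(rules, g, res, verb)
            for g, res, verb in checks}


def overbroad(rules, sensitive=SENSITIVE):
    """The sensitive requests a role lets through; an empty list means none."""
    return [f"{res} {verb}" for g, res, verb in sensitive if allowed(rules, g, res, verb)]


if __name__ == "__main__":
    for name, rules in (("editor (tutorial)", EDITOR), ("developer (tightened)", DEVELOPER)):
        print(name)
        for request, ok in audit(rules).items():
            print(f"  {'ALLOW' if ok else 'deny '} {request}")
        print("  over-broad:", overbroad(rules) or "none")
```

Running it prints that the tutorial's editor Role allows secrets list, serviceaccounts create and pods/exec create through the core-group wildcard, while the enumerated developer Role allows the everyday workload operations and none of the sensitive ones. The same offline check is a useful pre-commit gate for Role manifests, but it is not a substitute for kubectl auth can-i against the live cluster, which also accounts for ClusterRoleBindings and other bindings the user may already have.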

Prabhin Prabharkaran, DevOps Engineer

He is a technical professional who loves to share tricks and tips on the Internet. He posts what he does!
