Accounts, Roles and Role-Bindings
Accounts
There are mainly two types of accounts in Kubernetes:
- User Accounts: managed by administrators
- Service Accounts: managed by Kubernetes
The scope of this post is limited to User Accounts.
An account provides the possibility to talk to the control-plane nodes, but a user account on its own is not allowed to interact with any resources in the cluster.
The possibility to interact with cluster resources is managed by Roles, ClusterRoles and RoleBindings.
This concept of role management is called RBAC - Role Based Access Control.
To create a user account:
# generate a private key
> openssl genrsa \
    -out janedoe.key 3072
# generate a CSR for organisation "Dev" (Kubernetes takes the user name from CN and the group from O)
> openssl req -new \
    -key janedoe.key \
    -out janedoe.csr \
    -subj "/CN=janedoe/O=Dev"
# create the certificate and sign it with the Kubernetes CA
> openssl x509 -req \
    -in janedoe.csr \
    -CA /path/to/ca.crt \
    -CAkey /path/to/ca.key \
    -CAcreateserial \
    -out janedoe.crt \
    -days 700
# read the certificate back to verify the issuer
> openssl x509 -text -noout -in janedoe.crt | head -20

# create a basic kubeconfig file
> kubectl config --kubeconfig=janedoe-config \
    --embed-certs=true \
    set-cluster local-talos-cluster \
    --server=https://10.10.10.10:6443 \
    --certificate-authority=/path/to/ca.crt
# define the cluster credentials
> kubectl config --kubeconfig=janedoe-config \
    --embed-certs=true \
    set-credentials janedoe \
    --client-certificate=janedoe.crt \
    --client-key=janedoe.key
# define the target cluster with default namespace "development"
> kubectl config --kubeconfig=janedoe-config \
    set-context standard \
    --cluster=local-talos-cluster \
    --namespace=development \
    --user=janedoe
# set the default context
> kubectl config --kubeconfig=janedoe-config \
    use-context standard

Try to connect to the cluster and list some resources you are not allowed to read:
# test the connection (fails because no RBAC permissions exist yet)
> kubectl --kubeconfig janedoe-config get ns
...
Error from server (Forbidden): namespaces is forbidden: User "janedoe" cannot list resource "namespaces" in API group "" at the cluster scope

Roles and Role Bindings (RBAC)
An RBAC Role or ClusterRole contains rules that represent a set of permissions.
Permissions are purely additive (there are no "deny" rules).
The main differences between Roles and ClusterRoles are:
- Roles: namespaced rules which apply only within the given namespace
- ClusterRoles: rules for non-namespaced, cluster-wide resources
Creating a Role using a Kubernetes manifest of kind Role:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: roleForJaneDoe
  namespace: development
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - configmaps
    verbs:
      - '*'

Creating a RoleBinding using a Kubernetes manifest of kind RoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: roleBindingForJaneDoe
  namespace: development
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: roleForJaneDoe
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: janedoe
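To make the additive, namespace-scoped semantics concrete, here is a small Python model of how the authorizer evaluates the Role and RoleBinding above for janedoe. It is an added example, not Kubernetes code: it deliberately ignores ClusterRoles, groups and resourceNames, and adds a constructed copy of the Role created in a misspelled namespace to show that a binding whose roleRef does not resolve grants nothing.

```python
import copy

# Constructed copies of the page's manifests as Python dicts (no YAML parser needed).
ROLE = {
    "kind": "Role",
    "metadata": {"name": "roleForJaneDoe", "namespace": "development"},
    "rules": [{"apiGroups": [""], "resources": ["pods", "configmaps"], "verbs": ["*"]}],
}
ROLE_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "roleBindingForJaneDoe", "namespace": "development"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "roleForJaneDoe"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "janedoe"}],
}
# Constructed failure case: the same Role, but created in a misspelled namespace.
MISSPELLED_ROLE = copy.deepcopy(ROLE)
MISSPELLED_ROLE["metadata"]["namespace"] = "developement"

def rule_matches(rule, api_group, resource, verb):
    """One rule grants a request only if group, resource and verb all match ('*' is a wildcard)."""
    def hit(allowed, wanted):
        return "*" in allowed or wanted in allowed
    return hit(rule["apiGroups"], api_group) and hit(rule["resources"], resource) and hit(rule["verbs"], verb)

def can_i(user, verb, resource, namespace, roles, bindings, api_group=""):
    """True if a RoleBinding in `namespace` names `user` and points at a Role in the same namespace
    with a rule allowing the request. Grants are purely additive: one matching rule is enough and
    nothing can take access away. Use namespace="" for cluster-scoped resources such as namespaces."""
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # Roles and RoleBindings only apply inside their own namespace
        if not any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"]):
            continue
        if binding["roleRef"]["kind"] != "Role":
            continue  # ClusterRole references are not modelled here
        role = next((r for r in roles if r["metadata"]["name"] == binding["roleRef"]["name"]
                     and r["metadata"]["namespace"] == namespace), None)
        if role is None:
            continue  # roleRef does not resolve, so the binding grants nothing
        if any(rule_matches(rule, api_group, resource, verb) for rule in role["rules"]):
            return True
    return False

if __name__ == "__main__":
    for verb, res, ns in [("get", "pods", "development"), ("list", "namespaces", ""), ("get", "pods", "production")]:
        print(f"janedoe {verb} {res} ns={ns or '<cluster>'}:", can_i("janedoe", verb, res, ns, [ROLE], [ROLE_BINDING]))
```

Running it shows the wildcard verb also allows `delete configmaps` in the development namespace, which is worth remembering when deciding whether `'*'` is really the permission set you want.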