Kubernetes RBAC: A Practical Guide to Roles and RoleBindings

In this blog post, we are going to explore Role and RoleBinding objects in Kubernetes with a hands-on example.

In Kubernetes, there are two kinds of objects: cluster-scoped and namespace-scoped.

As an admin, if I want to give a user access to particular objects in a particular Namespace with certain permissions, I can use a Role and a RoleBinding.

For example, in my cluster I have a Namespace called prometheus-operator.

kubectl get all -n prometheus-operator
(screenshot: list objects of a namespace)

A lot of objects are available in that Namespace, and I can list all of them because I am an admin user.

kubectl auth can-i delete pods -n prometheus-operator

If I run this command, the output is yes: as an admin I can do anything in this Namespace.

Now I am going to create a Service Account, assign it certain permissions, and see how that works.

Step 1: Create a Service Account

Let’s create a Service Account to test Role-Based Access Control (RBAC) on the cluster.

cat << EOF > sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: read-user
  namespace: prometheus-operator
EOF
kubectl apply -f sa.yaml

Step 2: Create a Role Object

Now I am creating a Role with read-only permission in this Namespace.

cat << EOF > role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: prometheus-operator
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
EOF

This Role grants permission only to get and list the Pods of the prometheus-operator Namespace. Any other verb or resource is denied, because RBAC is deny-by-default and has no deny rules: whatever is not explicitly granted is refused.

kubectl apply -f role.yaml

Step 3: Create a Role Binding Object

We have created a Role with the required permissions, so now we have to bind it to the ServiceAccount in this Namespace using a RoleBinding object.

cat << EOF > rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods-role-binding
  namespace: prometheus-operator
subjects:
- kind: ServiceAccount
  name: read-user
  namespace: prometheus-operator
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF

The RoleBinding object connects the Service Account and the Role together.

kubectl apply -f rolebinding.yaml

To get the details of the RoleBinding after the deployment completes:

kubectl describe rolebindings.rbac.authorization.k8s.io -n prometheus-operator read-pods-role-binding
(screenshot: describe role binding on kubernetes)

The setup is complete, so let’s check whether the Pods can be listed by the read-user Service Account. The --as flag impersonates the Service Account; this works here because the admin user holds the impersonate permission.

kubectl get pods -n prometheus-operator --as=system:serviceaccount:prometheus-operator:read-user
(screenshot: list pods)

We know that this Service Account has no permission beyond getting and listing Pods in this particular Namespace.

kubectl get svc -n prometheus-operator --as=system:serviceaccount:prometheus-operator:read-user

I have tried to list the available Service objects, but I am facing an error.

(screenshot: kubernetes rbac error)
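To make the two results above concrete (pods can be listed, services cannot), here is an added example, not code from the original post, that models how the Kubernetes RBAC authorizer evaluates a namespaced request against the pod-reader Role and the read-pods-role-binding RoleBinding defined earlier. The Role and RoleBinding are reproduced as constructed Python values; `can_i` mirrors `kubectl auth can-i <verb> <resource> -n <ns> --as=<user>`. It models only Roles, RoleBindings and ServiceAccount/User subjects; ClusterRoles, ClusterRoleBindings, Group subjects and resourceNames are deliberately left out. Note that `kubectl get svc` is expanded to the plural resource name `services` before authorization, which is why the request below uses that form, and that the empty apiGroup `""` is the core group that holds pods and services.

```python
# Added example (not from the original post): a small model of how the
# Kubernetes RBAC authorizer decides a namespaced request, using the
# pod-reader Role and read-pods-role-binding from the post. Only Roles,
# RoleBindings and ServiceAccount/User subjects are modeled.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Rule:
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]


@dataclass(frozen=True)
class Role:
    namespace: str
    name: str
    rules: Tuple[Rule, ...]


@dataclass(frozen=True)
class RoleBinding:
    namespace: str
    name: str
    subjects: Tuple[Tuple[str, str, str], ...]  # (kind, name, namespace)
    role_ref: str  # name of a Role in the same namespace


@dataclass(frozen=True)
class Request:
    user: str        # e.g. system:serviceaccount:<ns>:<sa>
    verb: str        # get, list, delete, ...
    api_group: str   # "" is the core group (pods, services, ...)
    resource: str    # plural resource name as the API server sees it
    namespace: str


def _matches(allowed: Tuple[str, ...], value: str) -> bool:
    # "*" in a rule matches anything; otherwise only an exact match counts.
    return "*" in allowed or value in allowed


def rule_allows(rule: Rule, req: Request) -> bool:
    return (_matches(rule.api_groups, req.api_group)
            and _matches(rule.resources, req.resource)
            and _matches(rule.verbs, req.verb))


def subject_matches(subject: Tuple[str, str, str], user: str) -> bool:
    kind, name, ns = subject
    if kind == "ServiceAccount":
        # A ServiceAccount authenticates as system:serviceaccount:<ns>:<name>.
        return user == f"system:serviceaccount:{ns}:{name}"
    if kind == "User":
        return user == name
    return False  # Group subjects are not modeled here


def is_allowed(req: Request, roles: Dict[Tuple[str, str], Role],
               bindings: Tuple[RoleBinding, ...]) -> bool:
    """RBAC is purely additive: the request is allowed if some binding in the
    request's namespace names the user and its Role has a matching rule.
    There are no deny rules, so no match means denied."""
    for binding in bindings:
        if binding.namespace != req.namespace:
            continue  # a RoleBinding only grants access inside its namespace
        if not any(subject_matches(s, req.user) for s in binding.subjects):
            continue
        role = roles.get((binding.namespace, binding.role_ref))
        if role is not None and any(rule_allows(r, req) for r in role.rules):
            return True
    return False


# The objects from the post, as constructed Python values.
POD_READER = Role("prometheus-operator", "pod-reader",
                  (Rule(("",), ("pods",), ("get", "list")),))
READ_PODS_BINDING = RoleBinding(
    "prometheus-operator", "read-pods-role-binding",
    (("ServiceAccount", "read-user", "prometheus-operator"),),
    "pod-reader")
ROLES = {(POD_READER.namespace, POD_READER.name): POD_READER}
BINDINGS = (READ_PODS_BINDING,)
READ_USER = "system:serviceaccount:prometheus-operator:read-user"


def can_i(verb: str, resource: str, namespace: str = "prometheus-operator",
          api_group: str = "", user: str = READ_USER) -> bool:
    """Mirrors `kubectl auth can-i <verb> <resource> -n <ns> --as=<user>`."""
    return is_allowed(Request(user, verb, api_group, resource, namespace),
                      ROLES, BINDINGS)


if __name__ == "__main__":
    checks = [("list", "pods", "prometheus-operator"),
              ("get", "pods", "prometheus-operator"),
              ("delete", "pods", "prometheus-operator"),
              ("list", "services", "prometheus-operator"),
              ("list", "pods", "default")]
    for verb, resource, ns in checks:
        answer = "yes" if can_i(verb, resource, ns) else "no"
        print(f"{verb:6} {resource:8} -n {ns:20} -> {answer}")
```

Running the block prints yes for get and list on pods in prometheus-operator and no for everything else: deleting pods, listing services, and listing pods in the default Namespace, which the RoleBinding never covers because a RoleBinding is itself namespace-scoped. On a real cluster the same questions can be asked with `kubectl auth can-i --list -n prometheus-operator --as=system:serviceaccount:prometheus-operator:read-user`, which additionally reflects any ClusterRoleBindings this model ignores.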

Conclusion

RBAC is one of the authorization methods in Kubernetes, so knowing about Role and RoleBinding is important for anyone working with or interested in Kubernetes. If you are preparing for the CKA certification, you may face questions related to RBAC.
