Difference between revisions of "Kubernetes RBAC Example"
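--- a/Kubernetes RBAC Example
+++ b/Kubernetes RBAC Example
@@ -1,6 +1,143 @@
+# RBAC Pod Runner via ServiceAccount
+- https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengaddingserviceaccttoken.htm
+
+Why use service account vs user? https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
+
+Simple create and delete of namespace and test service account pod that could be used as a runner
+
+## wrapper tool
+https://gist.github.com/innovia/fbba8259042f71db98ea8d4ad19bd708
+
+This example is based off of
+
+- https://medium.com/@rschoening/read-only-access-to-kubernetes-cluster-fcf84670b698
 - https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html
-
+# Use Service Account for Namespaced Admin Runner
+
+This will create and destroy namespace test
+
+create.sh
+```
+#!/usr/bin/env bash
+set -e
+# namespace=test
+
+kubectl create namespace test
+kubectl config set-context --current --namespace=test
+kubectl create sa test-sa
+
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: Pod
+metadata:
+name: test
+namespace: test
+spec:
+serviceAccountName: test-sa
+containers:
+- name: test
+image: alpine
+args:
+- sleep
+- "1000000"
+EOF
+
+sleep 5
+
+
+cat <<EOF | kubectl apply -f -
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+annotations:
+rbac.authorization.kubernetes.io/autoupdate: "true"
+labels:
+name: test-read-only
+# namespace: test this is only in service account
+rules:
+- apiGroups:
+- ""
+resources: ["*"]
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- extensions
+resources: ["*"]
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- apps
+resources: ["*"]
+verbs:
+- get
+- list
+- watch
+EOF
+
+cat <<EOF | kubectl apply -f -
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: test-binding
+subjects:
+- kind: ServiceAccount
+name: test-sa
+namespace: test
+roleRef:
+kind: ClusterRole
+name: test-read-only
+apiGroup: rbac.authorization.k8s.io
+EOF
+
+
+kubectl get pod test -o yaml | grep serviceAccount
+
+kubectl exec test -- apk add curl
+kubectl exec test -- curl -L "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" -o /bin/kubectl
+kubectl exec test -- chmod +x /bin/kubectl
+kubectl exec test -- kubectl get pods
+kubectl exec test -- mount | grep secrets
+kubectl exec test -- ls /run/secrets/kubernetes.io/serviceaccount/
+kubectl exec test -- cat /run/secrets/kubernetes.io/serviceaccount/namespace
+kubectl exec test -- cat /run/secrets/kubernetes.io/serviceaccount/token
+kubectl exec test -- cat /run/secrets/kubernetes.io/serviceaccount/ca.crt
+```
+
+delete.sh
+```
+#!/usr/bin/env bash
+set -e
+# namespace=test
+
+# kubectl create namespace test
+kubectl config set-context --current --namespace=test
+kubectl exec test -- kubectl get pods
+kubectl delete ClusterRoleBinding test-binding
+sleep 15
+kubectl get pods --field-selector=status.phase=Running
+kubectl exec test -- kubectl get pods || true
+kubectl exec test -- mount | grep secrets
+kubectl exec test -- ls /run/secrets/kubernetes.io/serviceaccount/
+kubectl delete clusterrole test-read-only
+kubectl delete sa test-sa
+kubectl delete pod test
+kubectl delete namespace test
+```
+
+
+# Extract creds via command if wanted
 ```
 s=$(kubectl describe sa test-sa | grep Tokens | awk '{print $2}'); kubectl get secret $s -o "jsonpath={.data['ca\.crt']}"
 s=$(kubectl describe sa test-sa | grep Tokens | awk '{print $2}'); kubectl get secret $s -o "jsonpath={.data['ca\.crt']}"
+
+kubectl exec test -- ls /run/secrets/kubernetes.io/serviceaccount/
+kubectl exec test -- cat /run/secrets/kubernetes.io/serviceaccount/namespace
+kubectl exec test -- cat /run/secrets/kubernetes.io/serviceaccount/token
+kubectl exec test -- cat /run/secrets/kubernetes.io/serviceaccount/ca.crt
 ```
+
+https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/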
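Review bot: The ClusterRole rules in the added create.sh grant get/list/watch on `resources: ["*"]` in the core ("") API group, which includes secrets and serviceaccounts, and the ClusterRoleBinding that follows applies it to every namespace, so the "read-only" test-sa can read all Secrets in the cluster despite the "Namespaced Admin Runner" heading. Listing the resources explicitly (pods, services, configmaps, …) and binding with `kind: RoleBinding` carrying `namespace: test` in its metadata would match the stated intent. Separately, both create.sh and the final snippet `cat` the projected token to stdout, which leaves a live bearer credential in terminal scrollback or CI logs; printing `wc -c` of the file demonstrates the mount without exposing it. The fixed `sleep 5` before the first `kubectl exec` is racy on slow image pulls, and `kubectl wait --for=condition=Ready pod/test --timeout=120s` is the deterministic check.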
Latest revision as of 21:03, 5 August 2021
RBAC Pod Runner via ServiceAccount
Why use service account vs user? https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
Simple creation and deletion of a namespace and a test service-account pod that could be used as a runner
wrapper tool
https://gist.github.com/innovia/fbba8259042f71db98ea8d4ad19bd708
This example is based on
- https://medium.com/@rschoening/read-only-access-to-kubernetes-cluster-fcf84670b698
- https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html
Use Service Account for Namespaced Admin Runner
This will create and destroy the namespace test
create.sh
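#!/usr/bin/env bash
# create.sh - stand up a throwaway namespace, a ServiceAccount, a pod running
# under that account, and a read-only ClusterRole/ClusterRoleBinding, then
# verify from inside the pod that the projected credentials work.
#
# Requires: kubectl pointed at a cluster where you may create namespaces and
# cluster-scoped RBAC objects; curl on the host (to resolve the kubectl
# release version).
# Side effect: switches the current kubeconfig context to namespace "test".
set -euo pipefail

readonly ns=test
readonly sa=test-sa
readonly pod=test

kubectl create namespace "$ns"
# NOTE: this rewrites the caller's kubeconfig. It is kept (rather than using
# per-command -n flags) because delete.sh relies on the same context.
kubectl config set-context --current --namespace="$ns"
kubectl create sa "$sa"

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: $pod
  namespace: $ns
spec:
  serviceAccountName: $sa
  containers:
  - name: test
    image: alpine   # TODO: pin to a specific tag or digest for reproducibility
    args:
    - sleep
    - "1000000"
EOF

# Wait until the container is actually running instead of a fixed sleep:
# kubectl exec below fails against a pod that is still pulling its image.
kubectl wait --for=condition=Ready "pod/$pod" --timeout=120s

cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-read-only
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  # No namespace here: a ClusterRole is cluster-scoped. Only the
  # ServiceAccount subject in the binding below is namespaced.
# CAUTION: "*" in the core ("") API group includes secrets and
# serviceaccounts, and the ClusterRoleBinding below applies this
# cluster-wide, so this "read-only" account can read every Secret in the
# cluster. For a namespaced runner, list the resources explicitly
# (pods, services, configmaps, ...) and/or bind with a RoleBinding inside
# the test namespace instead.
rules:
- apiGroups:
  - ""
  resources: ["*"]
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources: ["*"]
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources: ["*"]
  verbs:
  - get
  - list
  - watch
EOF

cat <<EOF | kubectl apply -f -
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-binding
subjects:
- kind: ServiceAccount
  name: $sa
  namespace: $ns
roleRef:
  kind: ClusterRole
  name: test-read-only
  apiGroup: rbac.authorization.k8s.io
EOF

kubectl get pod "$pod" -o yaml | grep serviceAccount

# Install kubectl inside the pod. The release version is resolved on the
# host; the binary's published SHA-256 is verified in the pod before the
# file is moved into PATH, so a tampered or truncated download is rejected.
ver=$(curl -L -s https://dl.k8s.io/release/stable.txt)
[[ "$ver" == v* ]] || {
  printf 'could not resolve kubectl release version: %q\n' "$ver" >&2
  exit 1
}

kubectl exec "$pod" -- apk add --no-cache curl
kubectl exec "$pod" -- sh -ec '
  base="https://dl.k8s.io/release/$1/bin/linux/amd64"
  cd /tmp
  curl -fsSL -o kubectl "$base/kubectl"
  curl -fsSL -o kubectl.sha256 "$base/kubectl.sha256"
  echo "$(cat kubectl.sha256)  kubectl" > kubectl.sum
  sha256sum -c kubectl.sum
  chmod +x kubectl
  mv kubectl /bin/kubectl
' sh "$ver"

# Exercise the projected credentials. kubectl inside the pod has no
# kubeconfig; it is expected to use the mounted serviceaccount token/CA.
kubectl exec "$pod" -- kubectl get pods
kubectl exec "$pod" -- mount | grep secrets
kubectl exec "$pod" -- ls /run/secrets/kubernetes.io/serviceaccount/
kubectl exec "$pod" -- cat /run/secrets/kubernetes.io/serviceaccount/namespace
# Show that the token is present without writing the bearer credential into
# terminal scrollback or CI logs (the original printed it with cat).
kubectl exec "$pod" -- sh -c 'wc -c < /run/secrets/kubernetes.io/serviceaccount/token'
kubectl exec "$pod" -- cat /run/secrets/kubernetes.io/serviceaccount/ca.crt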
delete.sh
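#!/usr/bin/env bash
# delete.sh - tear down everything create.sh made, first showing that the
# pod loses API access once its ClusterRoleBinding is removed.
#
# Idempotent: every delete ignores already-missing objects, so a partial
# earlier run can be cleaned up by re-running this script.
# Side effect: switches the current kubeconfig context to namespace "test".
set -euo pipefail

readonly ns=test
readonly sa=test-sa
readonly pod=test

kubectl config set-context --current --namespace="$ns"

# Pre-revocation check: should succeed while the binding exists. Not fatal,
# so cleanup still proceeds if the pod is already gone.
kubectl exec "$pod" -- kubectl get pods \
  || printf 'warning: pre-revoke access check failed (pod already gone?)\n' >&2

kubectl delete clusterrolebinding test-binding --ignore-not-found

# The 15s pause is kept from the original; RBAC revocation is normally
# effective immediately, this just separates the before/after output.
sleep 15
kubectl get pods --field-selector=status.phase=Running
# Expected to be forbidden now, hence || true.
kubectl exec "$pod" -- kubectl get pods || true
# The projected token stays mounted after the binding is removed; only the
# authorization behind it is gone. Diagnostics must not abort the cleanup.
kubectl exec "$pod" -- mount | grep secrets || true
kubectl exec "$pod" -- ls /run/secrets/kubernetes.io/serviceaccount/ || true

kubectl delete clusterrole test-read-only --ignore-not-found
kubectl delete sa "$sa" --ignore-not-found
kubectl delete pod "$pod" --ignore-not-found
kubectl delete namespace "$ns" --ignore-not-found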
Extract credentials from the command line, if wanted
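# Locate the ServiceAccount's token Secret (if one exists) and print the CA
# bundle it carries, base64-encoded exactly as stored. "kubectl describe sa"
# prints "Tokens: <secret-name>", or "<none>" on clusters that no longer
# auto-create token Secrets (the default since Kubernetes 1.24); there, use
# "kubectl create token test-sa" or the token projected into the pod below.
# The original ran this line twice; once is enough.
s=$(kubectl describe sa test-sa | awk '/^Tokens:/ {print $2}')
if [[ -n "$s" && "$s" != "<none>" ]]; then
  kubectl get secret "$s" -o "jsonpath={.data['ca\.crt']}"
else
  printf 'no token Secret listed for test-sa\n' >&2
fi

# The same credentials as projected into the running pod. The token line
# prints a live bearer credential; if you need it, redirect it to a file
# with restricted permissions rather than leaving it in shell history or logs.
kubectl exec test -- ls /run/secrets/kubernetes.io/serviceaccount/
kubectl exec test -- cat /run/secrets/kubernetes.io/serviceaccount/namespace
kubectl exec test -- cat /run/secrets/kubernetes.io/serviceaccount/token
kubectl exec test -- cat /run/secrets/kubernetes.io/serviceaccount/ca.crt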
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/