Difference between revisions of "Kubernetes RBAC Example"
Line 1: | Line 1: | ||
# RBAC Pod Runner via ServiceAccount | # RBAC Pod Runner via ServiceAccount | ||
+ | - https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengaddingserviceaccttoken.htm | ||
Why use service account vs user? https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/ | Why use service account vs user? https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/ | ||
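Review bot: the added Oracle link at the top of the page has no description of what it covers, while every other reference on the page is introduced with a sentence ("Why use service account vs user?", "This example is based off of"); give it one too, for example noting that, judging from the URL, it covers adding a service account token, so a reader knows why it is listed first.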
Line 54: | Line 55: | ||
labels: | labels: | ||
name: test-read-only | name: test-read-only | ||
− | namespace: test | + | # namespace: test this is only in service account |
rules: | rules: | ||
- apiGroups: | - apiGroups: |
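Review bot: dropping `namespace: test` from the ClusterRole is the right fix, since a ClusterRole is cluster-scoped and has no namespace, but leaving it as a commented-out line under `labels:` with the note "this is only in service account" is confusing to the next reader; either delete the line outright or reword the comment to say that the namespace is set on the ServiceAccount subject inside the ClusterRoleBinding. While here, confirm that the ClusterRole has a top-level `metadata.name` (the hunk only shows `labels: name: test-read-only`), because `kubectl apply` rejects an object without one.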
Latest revision as of 21:03, 5 August 2021
RBAC Pod Runner via ServiceAccount
Why use service account vs user? https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
A simple create-and-delete cycle for a namespace and a test service-account pod that could serve as a runner wrapper tool.
https://gist.github.com/innovia/fbba8259042f71db98ea8d4ad19bd708
This example is based off of
- https://medium.com/@rschoening/read-only-access-to-kubernetes-cluster-fcf84670b698
- https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html
Use Service Account for Namespaced Admin Runner
This will create and destroy namespace test
create.sh
#!/usr/bin/env bash
set -e
# namespace=test
kubectl create namespace test
kubectl config set-context --current --namespace=test
kubectl create sa test-sa

# Pod that runs as the new service account; its token is auto-mounted
# under /run/secrets/kubernetes.io/serviceaccount/.
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: test
  namespace: test
spec:
  serviceAccountName: test-sa
  containers:
  - name: test
    image: alpine
    args:
    - sleep
    - "1000000"
EOF

# Crude wait for the pod; `kubectl wait --for=condition=Ready pod/test` is more reliable.
sleep 5

# Read-only ClusterRole. A ClusterRole is cluster-scoped, so it has no namespace;
# the namespace is set on the ServiceAccount subject in the binding below.
# metadata.name is required or `kubectl apply` fails with "resource name may not be empty".
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-read-only
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    name: test-read-only
rules:
- apiGroups:
  - ""
  resources: ["*"]
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources: ["*"]
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources: ["*"]
  verbs:
  - get
  - list
  - watch
EOF

# Bind the ClusterRole to the service account in namespace test.
cat <<EOF | kubectl apply -f -
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-binding
subjects:
- kind: ServiceAccount
  name: test-sa
  namespace: test
roleRef:
  kind: ClusterRole
  name: test-read-only
  apiGroup: rbac.authorization.k8s.io
EOF

# Confirm the pod runs as test-sa, then install kubectl inside it.
# The $(curl ... stable.txt) substitution resolves the version on the host, not in the pod.
kubectl get pod test -o yaml | grep serviceAccount
kubectl exec test -- apk add curl
kubectl exec test -- curl -L "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" -o /bin/kubectl
kubectl exec test -- chmod +x /bin/kubectl

# In-pod kubectl uses the mounted service account token; this should succeed.
kubectl exec test -- kubectl get pods
kubectl exec test -- mount | grep secrets
kubectl exec test -- ls /run/secrets/kubernetes.io/serviceaccount/
kubectl exec test -- cat /run/secrets/kubernetes.io/serviceaccount/namespace
kubectl exec test -- cat /run/secrets/kubernetes.io/serviceaccount/token
kubectl exec test -- cat /run/secrets/kubernetes.io/serviceaccount/ca.crt
delete.sh
#!/usr/bin/env bash
set -e
# namespace=test
# kubectl create namespace test
kubectl config set-context --current --namespace=test

# Still bound: the in-pod kubectl works.
kubectl exec test -- kubectl get pods

# Remove the binding first; the pod's token is unchanged but now has no rights.
kubectl delete ClusterRoleBinding test-binding
sleep 15
kubectl get pods --field-selector=status.phase=Running

# Expected to be forbidden now, hence `|| true` so set -e does not abort the script.
kubectl exec test -- kubectl get pods || true
kubectl exec test -- mount | grep secrets
kubectl exec test -- ls /run/secrets/kubernetes.io/serviceaccount/

# Tear down the rest.
kubectl delete clusterrole test-read-only
kubectl delete sa test-sa
kubectl delete pod test
kubectl delete namespace test
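The two scripts above show the grant and its removal only through a live `kubectl get pods`. The following added example (not part of the original page or the linked gist) models the Kubernetes RBAC matching rules offline for exactly the `test-read-only` rules and `test-binding` subject from create.sh, so you can see the full shape of what that "read-only" role grants before applying it: RBAC is purely additive, `"*"` in `resources` is a wildcard, and `""` is the core API group, which means `get`/`list`/`watch` on `resources: ["*"]` in the core group includes Secrets in every namespace. The probe list and the `without_binding` helper are this example's own constructions; on a real cluster the equivalent check is `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:test:test-sa`.

```python
"""Offline model of what the page's test-read-only ClusterRole grants to test-sa.

Implements the RBAC decision used by the kube-apiserver's authorizer in miniature:
a request is allowed if ANY rule in ANY role bound to the subject matches its
(apiGroup, resource, verb); "*" matches everything; "" is the core API group.
"""

# The three PolicyRules from create.sh, transcribed as Python structures.
TEST_READ_ONLY_RULES = [
    {"apiGroups": [""],           "resources": ["*"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"],       "resources": ["*"], "verbs": ["get", "list", "watch"]},
]

ROLES = {"test-read-only": TEST_READ_ONLY_RULES}

# Subject in the form that kubectl's --as flag uses for service accounts.
TEST_SA = "system:serviceaccount:test:test-sa"

# The ClusterRoleBinding from create.sh, modelled as name / subject / roleRef.
BINDINGS = [{"name": "test-binding", "subject": TEST_SA, "roleRef": "test-read-only"}]


def _matches(allowed, value):
    """RBAC list matching: '*' is the wildcard, otherwise exact match."""
    return "*" in allowed or value in allowed


def rule_allows(rule, api_group, resource, verb):
    """True if one PolicyRule covers this (group, resource, verb)."""
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def can_i(subject, verb, resource, api_group="", bindings=BINDINGS, roles=ROLES):
    """Additive decision: allow if any role bound to subject has a matching rule."""
    for binding in bindings:
        if binding["subject"] != subject:
            continue
        for rule in roles.get(binding["roleRef"], []):
            if rule_allows(rule, api_group, resource, verb):
                return True
    return False


def without_binding(name, bindings=BINDINGS):
    """Binding list after `kubectl delete ClusterRoleBinding <name>` (delete.sh step)."""
    return [b for b in bindings if b["name"] != name]


def effective_access(subject, bindings=BINDINGS, roles=ROLES):
    """Summarise the subject's rights for a constructed set of interesting requests."""
    probes = [
        ("get", "pods", ""), ("list", "pods", ""), ("delete", "pods", ""),
        ("get", "secrets", ""), ("create", "secrets", ""),
        ("get", "deployments", "apps"), ("update", "deployments", "apps"),
        ("get", "clusterroles", "rbac.authorization.k8s.io"),
    ]
    return {f"{v} {r}" + (f".{g}" if g else ""): can_i(subject, v, r, g, bindings, roles)
            for v, r, g in probes}


if __name__ == "__main__":
    for request, allowed in effective_access(TEST_SA).items():
        print(f"{request:45s} {'yes' if allowed else 'no'}")
    after = without_binding("test-binding")
    print("after delete.sh removes test-binding, get pods:",
          "yes" if can_i(TEST_SA, "get", "pods", bindings=after) else "no")
```

The `get secrets` row is the one to look at when deciding whether this role is really the least privilege a runner needs; narrowing `resources: ["*"]` to the kinds the runner actually reads (pods, deployments, and so on) removes that exposure without changing anything else on the page.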
Extract creds via command if wanted
# Look up the token Secret named in the service account's "Tokens:" line and pull its CA cert.
# On Kubernetes 1.24 and later, token Secrets are no longer auto-created for service accounts,
# so "Tokens:" shows <none> and $s is empty; the token mounted in the pod still works.
s=$(kubectl describe sa test-sa | grep Tokens | awk '{print $2}'); kubectl get secret $s -o "jsonpath={.data['ca\.crt']}"

# Or read the same material from inside the pod, where it is mounted.
kubectl exec test -- ls /run/secrets/kubernetes.io/serviceaccount/
kubectl exec test -- cat /run/secrets/kubernetes.io/serviceaccount/namespace
kubectl exec test -- cat /run/secrets/kubernetes.io/serviceaccount/token
kubectl exec test -- cat /run/secrets/kubernetes.io/serviceaccount/ca.crt
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/