Kubernetes RBAC
https://releasehub.com/blog/how-to-create-and-configure-your-kubernetes-service-account

# Assigning namespace permissions to the default service account in namespace test

Create the namespace:
```
kubectl create namespace test
```

## Look at info
- We will be using the cluster-admin ClusterRole for our binding.
- Notice the difference: `admin` enumerates the namespaced resources it allows, whereas `cluster-admin` uses wildcards. Bound through a RoleBinding, cluster-admin gives full access to everything in that one namespace.
- https://stackoverflow.com/questions/60287556/difference-between-cluster-admin-and-admin-kubernetes-clusterroles
```
# ClusterRoles are cluster-scoped, so no namespace flag is needed
kubectl get clusterrole cluster-admin -o yaml
kubectl get clusterrole admin -o yaml
```

## View the service account and get its token secret
```
kubectl -n test get sa
kubectl -n test get secret
# The secret lives in namespace test; paste the decoded token into the user entry in .kube/config
kubectl -n test get secret default-token-9v6lb -o jsonpath='{.data.token}' | base64 --decode
# Since Kubernetes 1.24 service accounts no longer get a token secret automatically;
# there, request a short-lived token instead: kubectl -n test create token default
```

## Create a RoleBinding using the ClusterRole cluster-admin
```
# The binding must live in namespace test; without -n it lands in the current namespace
kubectl -n test create rolebinding test-sa-default --clusterrole=cluster-admin --serviceaccount=test:default
```

## On the service account's shell, update .kube/config with kubectl

~/.kube/config
```
...

users:
- name: admin
  user:
    token: <token we got from test:default service account above>
```

## Test access from the remote service account shell
```
kubectl get pods -n test
kubectl get pods -n default
kubectl get sa -n test
kubectl auth can-i get pods
kubectl auth can-i delete deployments
```

## Delete the RoleBinding and see that you lose access
```
# The binding was created as a RoleBinding in namespace test, so delete it there
kubectl -n test delete rolebinding test-sa-default
kubectl get pods -n test
```
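To make the Role-versus-ClusterRole point above concrete, here is an added toy model of the decision `kubectl auth can-i` makes. It is not code from this page, from kubectl or from Kubernetes; the `admin` and `cluster-admin` rule sets, `CLUSTER_SCOPED`, `Rbac` and `walkthrough` are constructed stand-ins that replay the bind, probe and delete sequence of this section and also show what a ClusterRoleBinding changes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

SA = "system:serviceaccount:test:default"  # the subject bound on this page

@dataclass(frozen=True)
class Rule:
    api_groups: frozenset
    resources: frozenset
    verbs: frozenset

    def allows(self, group: str, resource: str, verb: str) -> bool:
        match = lambda allowed, want: "*" in allowed or want in allowed
        return match(self.api_groups, group) and match(self.resources, resource) and match(self.verbs, verb)

def rule(g, r, v) -> Rule: return Rule(frozenset(g), frozenset(r), frozenset(v))

# Constructed stand-ins for the two built-in ClusterRoles compared on the page:
# cluster-admin is pure wildcard, admin enumerates namespaced resources only.
CLUSTER_ROLES: Dict[str, List[Rule]] = {
    "cluster-admin": [rule(["*"], ["*"], ["*"])],
    "admin": [rule(["", "apps"], ["pods", "deployments", "secrets", "serviceaccounts"],
                   ["get", "list", "watch", "create", "update", "patch", "delete"])],
}
CLUSTER_SCOPED = {"nodes", "namespaces", "persistentvolumes"}  # exist outside any namespace

@dataclass
class Binding:
    subject: str
    cluster_role: str
    namespace: Optional[str]  # None = ClusterRoleBinding; a name = RoleBinding in that namespace

class Rbac:
    def __init__(self) -> None:
        self.bindings: Dict[str, Binding] = {}

    def bind(self, name: str, subject: str, cluster_role: str, namespace: Optional[str] = None) -> None:
        self.bindings[name] = Binding(subject, cluster_role, namespace)

    def can_i(self, subject: str, verb: str, resource: str, namespace: Optional[str] = None, group: str = "") -> bool:
        """Same question as `kubectl auth can-i <verb> <resource> -n <namespace>`."""
        if resource in CLUSTER_SCOPED:
            namespace = None  # a cluster-scoped request carries no namespace
        for b in self.bindings.values():
            if b.subject != subject:
                continue
            if b.namespace is not None and b.namespace != namespace:
                continue  # a RoleBinding only applies inside its own namespace
            if any(r.allows(group, resource, verb) for r in CLUSTER_ROLES[b.cluster_role]):
                return True
        return False

def walkthrough():
    """Replays the page: RoleBinding to cluster-admin in test, probe, delete it, probe again."""
    rbac = Rbac()
    rbac.bind("test-sa-default", SA, "cluster-admin", namespace="test")
    before = {
        "get pods -n test": rbac.can_i(SA, "get", "pods", "test"),
        "get pods -n default": rbac.can_i(SA, "get", "pods", "default"),
        "delete deployments -n test": rbac.can_i(SA, "delete", "deployments", "test", "apps"),
        "get nodes": rbac.can_i(SA, "get", "nodes"),
    }
    del rbac.bindings["test-sa-default"]  # kubectl -n test delete rolebinding test-sa-default
    return before, rbac.can_i(SA, "get", "pods", "test")
```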
# NOTES

https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html

# One way

https://devopscube.com/kubernetes-api-access-service-account/

```
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: api-service-account
  namespace: devops-tools
EOF

# A ClusterRole is cluster-scoped, so metadata.namespace is omitted
cat <<EOF | kubectl apply -f -
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: api-cluster-role
rules:
  - apiGroups:
        - ""
        - apps
        - autoscaling
        - batch
        - extensions
        - policy
        - rbac.authorization.k8s.io
    resources:
      - pods
      - componentstatuses
      - configmaps
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingresses   # RBAC uses the plural resource name; "ingress" matches nothing
      - jobs
      - limitranges
      - namespaces
      - nodes
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
EOF

# Lists the resource names and API groups to check the rules above against
kubectl api-resources

cat <<EOF | kubectl apply -f -
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: api-cluster-role-binding
subjects:
- namespace: devops-tools
  kind: ServiceAccount
  name: api-service-account
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: api-cluster-role
EOF

kubectl auth can-i get pods --as=system:serviceaccount:devops-tools:api-service-account

kubectl auth can-i delete deployments --as=system:serviceaccount:devops-tools:api-service-account

kubectl get serviceaccount api-service-account -o=jsonpath='{.secrets[0].name}' -n devops-tools

kubectl get secrets <service-account-token-name> -o=jsonpath='{.data.token}' -n devops-tools | base64 -D

# Shows the API server address used in the curl below
kubectl get endpoints | grep kubernetes

curl -k https://35.226.193.217/api/v1/namespaces -H "Authorization: Bearer <token>"
```

# Way Number 1

## 1️⃣ Create Namespace
```
kubectl create namespace mynamespace
```

## 2️⃣ Create Service Account with permissions
Open a new file. Let’s call it access.yaml. We’re going to create the user (service account), a role, and attach that role to that user.

```
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mynamespace-user
  namespace: mynamespace

---
kind: Role
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 has the same fields
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mynamespace-user-full-access
  namespace: mynamespace
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mynamespace-user-view
  namespace: mynamespace
subjects:
- kind: ServiceAccount
  name: mynamespace-user
  namespace: mynamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: mynamespace-user-full-access
```

As you can see, in the Role definition, we add full access to everything in that namespace, including batch types like jobs or cronjobs. As it is a Role, and not a ClusterRole, it is going to be applied to a single namespace: mynamespace. For more details about roles in Kubernetes, check out the official documentation.

Now, let’s create all of this:
```
kubectl create -f access.yaml
```
You should see the three components being created.

## 3️⃣ Get Secrets
The first thing we need to do now is to get the name of the service account’s secret. Run the following command and copy the name of the secret.
```
kubectl describe sa mynamespace-user -n mynamespace
```
For this tutorial, let’s say that the secret is named mynamespace-user-token-xxxxx.

We now need to get the service account’s Token and the Certificate Authority. For this, we are going to read them using kubectl. Now, as Kubernetes secrets are base64 encoded, we’ll also need to decode them.

Here’s how you get the User Token:
```
kubectl get secret mynamespace-user-token-xxxxx -n mynamespace -o "jsonpath={.data.token}" | base64 -D
```
And here’s how you get the Certificate:
```
# Left base64-encoded on purpose: certificate-authority-data in the kubeconfig expects base64
kubectl get secret mynamespace-user-token-xxxxx -n mynamespace -o "jsonpath={.data['ca\.crt']}"
```

## 4️⃣ Create Kube config
We now have everything we need. The only thing remaining is creating the Kube config file, with the data we previously gathered:

```
apiVersion: v1
kind: Config
preferences: {}

# Define the cluster
clusters:
- cluster:
    certificate-authority-data: PLACE CERTIFICATE HERE
    # You'll need the API endpoint of your Cluster here:
    server: https://YOUR_KUBERNETES_API_ENDPOINT
  name: my-cluster

# Define the user
users:
- name: mynamespace-user
  user:
    as-user-extra: {}
    # Authentication is by bearer token only; a client-key-data placeholder here would make kubectl fail to load the file
    token: PLACE USER TOKEN HERE

# Define the context: linking a user to a cluster
contexts:
- context:
    cluster: my-cluster
    namespace: mynamespace
    user: mynamespace-user
  name: mynamespace

# Define current context
current-context: mynamespace
```

# Way Number 2
https://stackoverflow.com/questions/66296470/accessing-k8s-cluster-with-service-account-token

Yes, it is possible. For instance, if you log in to the K8S dashboard via token it uses the same way.

Follow these steps:

Create a service account
```
$ kubectl -n <your-namespace-optional> create serviceaccount <service-account-name>
```
A role binding grants the permissions defined in a role to a user or set of users. You can use a predefined role or you can create your own. Check this link for more info: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-example
```
$ kubectl create clusterrolebinding <binding-name> --clusterrole=cluster-admin --serviceaccount=<namespace>:<service-account-name>
```
Get the token name
```
$ TOKENNAME=`kubectl -n <namespace> get serviceaccount/<service-account-name> -o jsonpath='{.secrets[0].name}'`
```
Finally, get the token and set the credentials
```
$ kubectl -n <namespace> get secret $TOKENNAME -o jsonpath='{.data.token}' | base64 --decode
$ kubectl config set-credentials <service-account-name> --token=<output from previous command>
$ kubectl config set-context --current --user=<service-account-name>
```
If you follow these steps carefully your problem will be solved.

https://discuss.kubernetes.io/t/how-to-create-user-in-kubernetes-cluster-and-give-it-access/9101

https://kubernetes.io/docs/reference/access-authn-authz/authentication/

https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#:~:text=Set%20the%20security%20context%20for%20a%20Pod&text=In%20the%20configuration%20file%2C%20the,run%20with%20user%20ID%201000.&text=Any%20files%20created%20will%20also,3000%20when%20runAsGroup%20is%20specified.

After going through all the above mentioned blocks, I found the below solution.

Create user CSR
```
openssl genrsa -out user1.key 2048
# The CN is the username Kubernetes sees, so it must match the RoleBinding subject below
openssl req -new -key user1.key -out user1.csr -subj "/CN=user1"
```

Approve CSR
```
# Signs the CSR with the cluster CA; run where the control-plane PKI is available
openssl x509 -req -in user1.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out user1.crt -days 500
```

Create Role or ClusterRole
```
cat role.yml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-namespace
  name: user1-role
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "pods", "services"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

Create RoleBindings
```
cat binding.yml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: user1-rolebinding
  namespace: test-namespace
subjects:
- kind: User
  name: user1
  apiGroup: rbac.authorization.k8s.io   # User subjects and roleRef use this group, not ""
roleRef:
  kind: Role
  name: user1-role
  apiGroup: rbac.authorization.k8s.io
```

Use it
```
kubectl config set-credentials user1 --client-certificate=/root/user1.crt --client-key=user1.key

kubectl config set-context user1-context --cluster=kubernetes --namespace=test-namespace --user=user1
```
Latest revision as of 06:54, 22 November 2022