Difference between revisions of "Kubernetes RBAC"

From UVOO Tech Wiki
Revision as of 23:31, 22 August 2021

Assigning namespace-scoped permissions to the default service account in namespace test.

Create namespace

kubectl create namespace test

Look at info

kubectl get clusterrole cluster-admin -o yaml   # ClusterRoles are cluster-scoped, so -n is meaningless here
kubectl get clusterrole admin -o yaml

View the service account and its token secret, then decode the token

kubectl -n test get sa
kubectl -n test get secret
kubectl -n test get secret default-token-9v6lb -o jsonpath='{.data.token}' | base64 --decode  # Paste into the token field of .kube/config

Caveat: from Kubernetes 1.24 the default-token-xxxxx Secret is no longer created automatically for a service account; mint a short-lived token with kubectl create token instead of reading a Secret.

Create a RoleBinding in namespace test that references the cluster-admin ClusterRole. Because the binding is a RoleBinding (not a ClusterRoleBinding), the service account gets full rights inside test only. The -n test matters: without it the binding lands in whatever namespace the current context points at.

kubectl -n test create rolebinding test-sa-default --clusterrole=cluster-admin --serviceaccount=test:default

On the shell that will act as the service account, put the token into ~/.kube/config (the user entry must be referenced by a context for kubectl to use it)

~/.kube/config

...

users:
- name: admin
  user:
    token: <token we got from test:default service account above>

Test access on the remote service account shell

kubectl get pods -n test        # allowed: the RoleBinding lives in test
kubectl get pods -n default     # forbidden: cluster-admin was bound only inside test
kubectl get sa -n test
kubectl auth can-i get pods -n test
kubectl auth can-i delete deployments -n test

Delete the RoleBinding (what was created above is a RoleBinding in test, not a ClusterRoleBinding) and see that you lose access

kubectl -n test delete rolebinding test-sa-default
kubectl get pods -n test        # now forbidden

NOTES

https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html

One way

https://devopscube.com/kubernetes-api-access-service-account/

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: api-service-account
  namespace: devops-tools
EOF


A ClusterRole is cluster-scoped, so it takes no metadata.namespace (the original set one; the API server drops it silently). A rule is a cross product: every listed resource is granted in every listed apiGroup, so keep the lists honest.

cat <<EOF | kubectl apply -f -
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: api-cluster-role
rules:
  - apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - networking.k8s.io   # Ingress lives here; extensions/v1beta1 Ingress was removed in 1.22
      - policy
      - rbac.authorization.k8s.io
    resources:
      - pods
      - componentstatuses
      - configmaps
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingresses             # resource names are plural; "ingress" matches nothing
      - jobs
      - limitranges
      - namespaces
      - nodes
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
EOF

kubectl api-resources

Bind it cluster-wide. Treat this grant as close to cluster-admin: with create on pods and serviceaccounts in every namespace the account can launch a pod under any other service account (including ones bound to cluster-admin) and read the token mounted into it.

cat <<EOF | kubectl apply -f -
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: api-cluster-role-binding
subjects:
- namespace: devops-tools
  kind: ServiceAccount
  name: api-service-account
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: api-cluster-role
EOF

kubectl auth can-i get pods --as=system:serviceaccount:devops-tools:api-service-account

kubectl auth can-i delete deployments --as=system:serviceaccount:devops-tools:api-service-account

kubectl -n devops-tools get serviceaccount api-service-account -o jsonpath='{.secrets[0].name}'   # empty on 1.24+, where no token Secret is created; use kubectl create token there

kubectl -n devops-tools get secret <service-account-token-name> -o jsonpath='{.data.token}' | base64 --decode   # -D on older macOS

kubectl get endpoints | grep kubernetes   # API server address for the curl below

curl -k https://35.226.193.217/api/v1/namespaces -H "Authorization: Bearer <token>"
# -k disables TLS verification, which hands the bearer token to anyone who can intercept the connection.
# Outside a throwaway test use --cacert with the cluster CA (ca.crt sits in the same token Secret).
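To see what a role like api-cluster-role really grants before binding it cluster-wide, here is an added example written for this page (not code from the devopscube tutorial, the blog post below, or Kubernetes itself). It re-implements the matching the RBAC authorizer applies to a PolicyRule (cross product of verbs, apiGroups and resources, with "*" and the pods/* style subresource wildcards) and then checks a rule set for the escalation paths a pentester looks for first. The two rule sets are transcribed from api-cluster-role above and from the mynamespace-user-full-access Role under Way Number 1 further down; the function names and the escalation list are the example's own, and resourceNames and nonResourceURLs are not modeled.

```python
"""Evaluate Kubernetes RBAC PolicyRules offline and flag escalation-prone grants.

Added example for this wiki page; not part of the tutorials it quotes.
"""

CORE = ""   # the core API group ("" in manifests): pods, secrets, serviceaccounts, ...
RBAC = "rbac.authorization.k8s.io"

# Transcribed from the api-cluster-role ClusterRole on this page.
API_CLUSTER_ROLE_RULES = [{
    "apiGroups": [CORE, "apps", "autoscaling", "batch", "extensions",
                  "networking.k8s.io", "policy", RBAC],
    "resources": ["pods", "componentstatuses", "configmaps", "daemonsets", "deployments",
                  "events", "endpoints", "horizontalpodautoscalers", "ingresses", "jobs",
                  "limitranges", "namespaces", "nodes", "persistentvolumes",
                  "persistentvolumeclaims", "resourcequotas", "replicasets",
                  "replicationcontrollers", "serviceaccounts", "services"],
    "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"],
}]

# Transcribed from the mynamespace-user-full-access Role further down the page.
MYNAMESPACE_FULL_ACCESS_RULES = [
    {"apiGroups": [CORE, "extensions", "apps"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": ["*"]},
]


def _resource_matches(allowed, resource):
    """Mirror RBAC resource matching: exact name, "*", or the pods/* and */status wildcards.
    A plain "pods" entry does NOT cover the pods/exec subresource."""
    if "*" in allowed or resource in allowed:
        return True
    if "/" in resource:
        base, sub = resource.split("/", 1)
        return f"{base}/*" in allowed or f"*/{sub}" in allowed
    return False


def rule_allows(rule, verb, group, resource):
    """One PolicyRule allows a request when verb, apiGroup and resource all match."""
    verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
    group_ok = "*" in rule["apiGroups"] or group in rule["apiGroups"]
    return verb_ok and group_ok and _resource_matches(rule["resources"], resource)


def can_i(rules, verb, group, resource):
    """Offline equivalent of `kubectl auth can-i VERB RESOURCE` for a single role's rules."""
    return any(rule_allows(r, verb, group, resource) for r in rules)


# (description, requirements): every requirement must hold, and a requirement is met by
# any one of its listed verbs. These are the standard RBAC escalation primitives.
ESCALATION_PATHS = [
    ("create pods: run a pod under any service account in scope and read its mounted token",
     [(("create",), CORE, "pods")]),
    ("read secrets: get/list/watch all return Secret contents, including legacy SA tokens",
     [(("get", "list", "watch"), CORE, "secrets")]),
    ("pods/exec: take over a running pod and the token mounted in it",
     [(("create",), CORE, "pods/exec")]),
    ("serviceaccounts/token: mint a token for any service account in scope",
     [(("create",), CORE, "serviceaccounts/token")]),
    ("bind: write rolebindings to roles you do not hold yourself",
     [(("create", "update", "patch"), RBAC, "rolebindings"), (("bind",), RBAC, "roles")]),
    ("escalate: edit roles to add permissions you do not hold yourself",
     [(("update", "patch"), RBAC, "roles"), (("escalate",), RBAC, "roles")]),
]


def escalation_findings(rules):
    """Return the description of every escalation path the rules enable."""
    return [
        description
        for description, requirements in ESCALATION_PATHS
        if all(any(can_i(rules, v, g, r) for v in verbs) for verbs, g, r in requirements)
    ]


if __name__ == "__main__":
    for name, rules in [("api-cluster-role", API_CLUSTER_ROLE_RULES),
                        ("mynamespace-user-full-access", MYNAMESPACE_FULL_ACCESS_RULES)]:
        print(name)
        print("  can get secrets:", can_i(rules, "get", CORE, "secrets"))
        for finding in escalation_findings(rules):
            print("  !", finding)
```

Running it shows the asymmetry worth knowing: api-cluster-role never lists secrets, yet it still enables the pod-creation path, while the namespaced resources: ["*"] role quietly covers secrets, pods/exec and serviceaccounts/token because "*" matches subresources too. Neither grants bind or escalate, since neither lists roles or rolebindings.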

Way Number 1

1️⃣ Create Namespace
kubectl create namespace mynamespace
2️⃣ Create Service Account with permissions
Open a new file. Let’s call it access.yaml. We’re going to create the user (service account), a role, and attach that role to that user.

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mynamespace-user
  namespace: mynamespace

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22
metadata:
  name: mynamespace-user-full-access
  namespace: mynamespace
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]    # "*" also covers secrets and subresources such as pods/exec
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mynamespace-user-view   # name kept from the original; it grants full access, not view
  namespace: mynamespace
subjects:
- kind: ServiceAccount
  name: mynamespace-user
  namespace: mynamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: mynamespace-user-full-access
As you can see, in the Role definition, we add full access to everything in that namespace, including batch types like jobs or cronjobs. As it is a Role, and not a ClusterRole, it is going to be applied to a single namespace: mynamespace. For more details about roles in Kubernetes, check out the official documentation.

Now, let’s create all of this:

kubectl create -f access.yaml
You should see the three components being created.

3️⃣ Get Secrets
The first thing we need to do now is to get the name of the service account’s secret. Run the following command and copy the name of the secret.

kubectl describe sa mynamespace-user -n mynamespace
For this tutorial, let’s say that the secret is named mynamespace-user-token-xxxxx.

We now need the service account's token and the cluster's Certificate Authority. Both live in that secret. Secret data is base64 encoded, so the token must be decoded before it goes into the kubeconfig; the CA is deliberately left encoded, because the certificate-authority-data field expects the base64 form.

Here's how you get the user token (use base64 -D on older macOS):

kubectl get secret mynamespace-user-token-xxxxx -n mynamespace -o "jsonpath={.data.token}" | base64 --decode
And here's how you get the certificate (keep it base64 encoded):

kubectl get secret mynamespace-user-token-xxxxx -n mynamespace -o "jsonpath={.data['ca\.crt']}"
4️⃣ Create Kube config
We now have everything we need. The only thing remaining is creating the Kube config file, with the data we previously gathered:

apiVersion: v1
kind: Config
preferences: {}

# Define the cluster
clusters:
- cluster:
    # the base64 ca.crt value exactly as printed above
    certificate-authority-data: PLACE CERTIFICATE HERE
    # You'll need the API endpoint of your Cluster here:
    server: https://YOUR_KUBERNETES_API_ENDPOINT
  name: my-cluster

# Define the user. A service account authenticates with its bearer token only; the original
# also put the CA certificate into client-key-data, which is wrong (that field holds a client
# private key for certificate authentication) and has been dropped.
users:
- name: mynamespace-user
  user:
    token: PLACE USER TOKEN HERE

# Define the context: linking a user to a cluster
contexts:
- context:
    cluster: my-cluster
    namespace: mynamespace
    user: mynamespace-user
  name: mynamespace

# Define current context
current-context: mynamespace
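Both the first procedure on this page and Way Number 1 end by pasting a service-account token into a kubeconfig by hand. The following is an added example (not from the page, the blog post it quotes, or kubectl) that does the same job but looks inside the token first. A service-account token is a JWT whose sub claim is system:serviceaccount:<namespace>:<name>, so a script can confirm the token belongs to the account you think it does, tell a never-expiring legacy Secret token from a short-lived bound token (exp claim present), and only then emit the kubeconfig. It writes JSON, which kubectl accepts because JSON is valid YAML. The sample tokens are constructed here with a junk signature; the server URL and CA value are placeholders.

```python
"""Inspect a service-account token and build a kubeconfig for it.

Added example for this wiki page, not code from the page or from kubectl. The signature is
NOT verified (only kube-apiserver holds the key to do that); the point is to read the claims
so the wrong account's token, or an expired one, never lands in .kube/config.
"""
import base64
import json
import time

SA_PREFIX = "system:serviceaccount:"


def _b64url(obj):
    # JWT segments are base64url JSON without '=' padding.
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token):
    """Return the JWT payload (header.payload.signature) as a dict."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def service_account_of(token):
    """(namespace, name) from sub, which kube-apiserver sets to system:serviceaccount:NS:NAME."""
    sub = token_claims(token).get("sub", "")
    if not sub.startswith(SA_PREFIX):
        raise ValueError(f"not a service-account token: sub={sub!r}")
    namespace, name = sub[len(SA_PREFIX):].split(":", 1)
    return namespace, name


def is_legacy_secret_token(token):
    """Tokens read out of a default-token-xxxxx Secret carry no exp claim and stay valid until
    the Secret is deleted; bound tokens from `kubectl create token` / TokenRequest expire."""
    return "exp" not in token_claims(token)


def kubeconfig_for(server, ca_b64, token, expect_namespace, expect_name, cluster="my-cluster"):
    """Build a kubeconfig dict after checking the token is for expect_namespace:expect_name
    and has not expired. ca_b64 is the base64 ca.crt exactly as read from the Secret."""
    namespace, name = service_account_of(token)
    if (namespace, name) != (expect_namespace, expect_name):
        raise ValueError(f"token is for {namespace}:{name}, expected {expect_namespace}:{expect_name}")
    exp = token_claims(token).get("exp")
    if exp is not None and exp < time.time():
        raise ValueError("token has already expired; request a new one")
    user = f"{namespace}-{name}"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster,
                      "cluster": {"server": server, "certificate-authority-data": ca_b64}}],
        "users": [{"name": user, "user": {"token": token}}],  # token only; no client cert for an SA
        "contexts": [{"name": user,
                      "context": {"cluster": cluster, "user": user, "namespace": namespace}}],
        "current-context": user,
    }


def _demo_jwt(claims):
    """Constructed, unsigned sample token for the demo (the signature segment is junk)."""
    return ".".join([_b64url({"alg": "RS256", "kid": "demo"}), _b64url(claims), "c2lnbmF0dXJl"])


# Claim layouts as issued by kube-apiserver for the two token kinds; the values are constructed.
LEGACY_TOKEN = _demo_jwt({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "test",
    "kubernetes.io/serviceaccount/secret.name": "default-token-9v6lb",
    "kubernetes.io/serviceaccount/service-account.name": "default",
    "sub": "system:serviceaccount:test:default",
})
BOUND_TOKEN = _demo_jwt({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "iat": int(time.time()),
    "exp": int(time.time()) + 3600,
    "kubernetes.io": {"namespace": "test", "serviceaccount": {"name": "default"}},
    "sub": "system:serviceaccount:test:default",
})

if __name__ == "__main__":
    for label, tok in (("legacy", LEGACY_TOKEN), ("bound", BOUND_TOKEN)):
        print(label, service_account_of(tok),
              "never expires" if is_legacy_secret_token(tok) else "expires")
    cfg = kubeconfig_for("https://YOUR_KUBERNETES_API_ENDPOINT", "PLACE CERTIFICATE HERE",
                         LEGACY_TOKEN, "test", "default")
    print(json.dumps(cfg, indent=2))   # save as a kubeconfig file and pass it with --kubeconfig
```

The legacy token prints "never expires": that is the practical reason to prefer kubectl create token (bound, short-lived, audience-restricted) over copying a Secret, and to delete the token Secret when a hand-built kubeconfig is retired.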

Way Number 2

https://stackoverflow.com/questions/66296470/accessing-k8s-cluster-with-service-account-token


Yes, it is possible. For instance, if you login K8S dashboard via token it does use the same way.

Follow these steps;

Create a service account

$ kubectl -n <your-namespace-optional> create serviceaccount <service-account-name>
A role binding grants the permissions defined in a role to a user or set of users. You can use a predefined role or you can create your own. Check this link for more info. https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-example

$ kubectl create clusterrolebinding <binding-name> --clusterrole=cluster-admin --serviceaccount=<namespace>:<service-account-name>
Get the token name

$ TOKENNAME=`kubectl -n <namespace> get serviceaccount/<service-account-name> -o jsonpath='{.secrets[0].name}'`
Finally, get the token and set the credentials

$ kubectl -n <namespace> get secret $TOKENNAME -o jsonpath='{.data.token}'| base64 --decode
$ kubectl config set-credentials <service-account-name> --token=<output from previous command>
$ kubectl config set-context --current --user=<service-account-name>
If you follow these steps carefully your problem will be solved.

https://discuss.kubernetes.io/t/how-to-create-user-in-kubernetes-cluster-and-give-it-access/9101

https://kubernetes.io/docs/reference/access-authn-authz/authentication/

https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html


https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#:~:text=Set%20the%20security%20context%20for%20a%20Pod&text=In%20the%20configuration%20file%2C%20the,run%20with%20user%20ID%201000.&text=Any%20files%20created%20will%20also,3000%20when%20runAsGroup%20is%20specified.

After going through all the blocks mentioned above, I found the solution below

Create user CSR
openssl genrsa -out user1.key 2048
# -subj sets the CN, which is the username RBAC will see (O= entries become groups)
openssl req -new -key user1.key -out user1.csr -subj "/CN=user1"

Approve CSR
# signs directly with the cluster CA key, bypassing the Kubernetes CertificateSigningRequest API;
# Kubernetes cannot revoke client certificates, so keep -days as short as you can live with
openssl x509 -req -in user1.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out user1.crt -days 500

Create Role or ClusterRole
cat role.yml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-namespace
  name: user1-role
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "pods", "services"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Create RoleBindings
cat binding.yml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: user1-rolebinding
  namespace: test-namespace
subjects:
- kind: User
  name: user1                            # must equal the certificate CN
  apiGroup: rbac.authorization.k8s.io    # "" is only valid for ServiceAccount subjects
roleRef:
  kind: Role
  name: user1-role
  apiGroup: rbac.authorization.k8s.io    # roleRef always uses this group, never ""
Use it
kubectl config set-credentials user1 --client-certificate=user1.crt --client-key=user1.key

kubectl config set-context user1-context --cluster=kubernetes --namespace=test-namespace --user=user1