Kubernetes RBAC

From UVOO Tech Wiki
Revision as of 21:35, 22 August 2021 by Busk

https://stackoverflow.com/questions/66296470/accessing-k8s-cluster-with-service-account-token


Yes, it is possible. For instance, if you log in to the K8S dashboard via token, it uses the same way.

Follow these steps:

Create a service account

$ kubectl -n <your-namespace-optional> create serviceaccount <service-account-name>

A role binding grants the permissions defined in a role to a user or set of users. You can use a predefined role or you can create your own. Check this link for more info: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-example

$ kubectl create clusterrolebinding <binding-name> --clusterrole=cluster-admin --serviceaccount=<namespace>:<service-account-name>

Get the token name

$ TOKENNAME=`kubectl -n <namespace> get serviceaccount/<service-account-name> -o jsonpath='{.secrets[0].name}'`

Finally, get the token and set the credentials

$ kubectl -n <namespace> get secret $TOKENNAME -o jsonpath='{.data.token}' | base64 --decode
$ kubectl config set-credentials <service-account-name> --token=<output from previous command>
$ kubectl config set-context --current --user=<service-account-name>

If you follow these steps carefully, your problem will be solved.

https://discuss.kubernetes.io/t/how-to-create-user-in-kubernetes-cluster-and-give-it-access/9101

https://kubernetes.io/docs/reference/access-authn-authz/authentication/

https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#:~:text=Set%20the%20security%20context%20for%20a%20Pod&text=In%20the%20configuration%20file%2C%20the,run%20with%20user%20ID%201000.&text=Any%20files%20created%20will%20also,3000%20when%20runAsGroup%20is%20specified.

After going through all the above-mentioned blocks, I found the solution below.

Create user CSR

openssl genrsa -out user1.key 2048
# the certificate CN becomes the Kubernetes username, so it must match the RoleBinding subject below
openssl req -new -key user1.key -out user1.csr -subj "/CN=user1"

Approve CSR

openssl x509 -req -in user1.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out user1.crt -days 500

Create Role or ClusterRole

cat role.yml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22
metadata:
  namespace: test-namespace
  name: user1-role
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "pods", "services"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Create RoleBindings

cat binding.yml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: user1-rolebinding
  namespace: test-namespace
subjects:
- kind: User
  name: user1
  apiGroup: rbac.authorization.k8s.io   # User and Group subjects use the RBAC API group, not ""
roleRef:
  kind: Role
  name: user1-role
  apiGroup: rbac.authorization.k8s.io

Use it

kubectl config set-credentials user1 --client-certificate=/root/user1.crt --client-key=user1.key

kubectl config set-context user1-context --cluster=kubernetes --namespace=test-namespace --user=user1
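The two recipes on this page end up with very different blast radii: the first answer binds the built-in cluster-admin ClusterRole to a service account through a ClusterRoleBinding, which grants every verb on every resource in every namespace, while the post above confines user1 to a handful of resources inside test-namespace through a namespaced Role and RoleBinding. The following model of the RBAC authorization decision, added here as an example (it is not code from the wiki page, from kubectl or from Kubernetes), makes that difference concrete: it loads the Role/RoleBinding from the post above plus the cluster-admin binding from the first answer as plain dicts (what yaml.safe_load() would return), then answers "can this subject do this verb on this resource in this namespace?" the way kube-apiserver's RBAC authorizer does (subject matching, RoleBinding namespace scoping, wildcard and resourceNames handling, deny by default). The service account name ci-bot in namespace ci is a constructed stand-in for the placeholders in the first answer, and nonResourceURLs are not modelled.

```python
"""Toy model of the Kubernetes RBAC authorization decision (added example, not code
from the wiki page, kubectl or Kubernetes). Manifests are plain dicts, i.e. what
yaml.safe_load() would return for the YAML above; the service account "ci-bot" in
namespace "ci" is a constructed stand-in for the <service-account-name> placeholders."""

WILDCARD = "*"

def _listed(values, wanted):
    """True if `wanted` is in the list or the list carries the wildcard."""
    return WILDCARD in values or wanted in values

def rule_allows(rule, verb, api_group, resource, name=""):
    """Does one PolicyRule permit `verb` on `resource` (optionally a named object)?"""
    if not (_listed(rule.get("verbs", []), verb) and _listed(rule.get("apiGroups", []), api_group)
            and _listed(rule.get("resources", []), resource)):
        return False
    names = rule.get("resourceNames", [])
    return not names or name in names  # resourceNames narrows the rule; empty means all

def subject_matches(subject, user, groups, binding_namespace):
    """Match a binding subject against the authenticated username and group set."""
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == user
    if kind == "Group":
        return subject["name"] in groups
    if kind == "ServiceAccount":
        # Service accounts authenticate as system:serviceaccount:<ns>:<name>;
        # the subject namespace defaults to the binding's namespace.
        ns = subject.get("namespace") or binding_namespace
        return user == f"system:serviceaccount:{ns}:{subject['name']}"
    return False

def authorize(manifests, user, groups, verb, resource, namespace="", api_group="", name=""):
    """Allow iff some binding for the subject references a role with a matching rule."""
    roles = {(m["kind"], m["metadata"].get("namespace", ""), m["metadata"]["name"]): m
             for m in manifests if m["kind"] in ("Role", "ClusterRole")}
    for binding in manifests:
        if binding["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        binding_ns = binding["metadata"].get("namespace", "")
        # A RoleBinding grants only inside its own namespace (even when it references a
        # ClusterRole); a ClusterRoleBinding grants in every namespace and at cluster scope.
        if binding["kind"] == "RoleBinding" and binding_ns != namespace:
            continue
        if not any(subject_matches(s, user, groups, binding_ns) for s in binding.get("subjects", [])):
            continue
        ref = binding["roleRef"]
        role = roles.get((ref["kind"], binding_ns if ref["kind"] == "Role" else "", ref["name"]))
        if role is None:
            continue  # dangling roleRef: the binding grants nothing
        if any(rule_allows(r, verb, api_group, resource, name) for r in role.get("rules", [])):
            return True
    return False  # RBAC is deny-by-default: no matching rule means no access

# Constructed manifests: the namespaced Role/RoleBinding for user1 from the post above, and
# the cluster-admin ClusterRoleBinding the first answer creates for a service account (the
# real cluster-admin also grants nonResourceURLs, which this model does not cover).
RBAC = "rbac.authorization.k8s.io"
USER1_ROLE = {
    "kind": "Role", "apiVersion": RBAC + "/v1",
    "metadata": {"namespace": "test-namespace", "name": "user1-role"},
    "rules": [{"apiGroups": ["", "extensions", "apps"],
               "resources": ["deployments", "pods", "services"],
               "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}]}
USER1_BINDING = {
    "kind": "RoleBinding", "apiVersion": RBAC + "/v1",
    "metadata": {"name": "user1-rolebinding", "namespace": "test-namespace"},
    "subjects": [{"kind": "User", "name": "user1", "apiGroup": RBAC}],
    "roleRef": {"kind": "Role", "name": "user1-role", "apiGroup": RBAC}}
CLUSTER_ADMIN = {
    "kind": "ClusterRole", "apiVersion": RBAC + "/v1", "metadata": {"name": "cluster-admin"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
CI_BOT_BINDING = {
    "kind": "ClusterRoleBinding", "apiVersion": RBAC + "/v1", "metadata": {"name": "ci-bot-admin"},
    "subjects": [{"kind": "ServiceAccount", "name": "ci-bot", "namespace": "ci"}],
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": RBAC}}
MANIFESTS = [USER1_ROLE, USER1_BINDING, CLUSTER_ADMIN, CI_BOT_BINDING]
CI_BOT = "system:serviceaccount:ci:ci-bot"

def can(user, verb, resource, namespace="", api_group="", groups=()):
    """Decision over the constructed manifests, e.g. can('user1', 'delete', 'pods', 'test-namespace')."""
    return authorize(MANIFESTS, user, set(groups), verb, resource, namespace, api_group)

if __name__ == "__main__":
    for who, verb, res, ns, grp in [("user1", "delete", "pods", "test-namespace", ""),
                                    ("user1", "delete", "pods", "default", ""),
                                    ("user1", "get", "secrets", "test-namespace", ""),
                                    (CI_BOT, "delete", "secrets", "kube-system", ""),
                                    (CI_BOT, "list", "nodes", "", "")]:
        print(f"{who:34} {verb:7} {res:8} ns={ns or '<cluster>':15} -> {can(who, verb, res, ns, grp)}")
```

Running it shows user1 allowed to delete pods in test-namespace but denied the same verb in default, denied secrets even in its own namespace, and denied anything cluster-scoped such as nodes, whereas the cluster-admin-bound service account is allowed everything everywhere (including reading secrets in kube-system). The same decision can be checked against a real cluster with kubectl auth can-i, which is the quickest way to audit what a binding actually hands out before it is applied.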