Kubernetes Roles and Users (RBAC For k8s)

RBAC

When you’re assigning permissions to specific users or service accounts, you’re typically assigning some sort of role. The roles typically look something like:

  • readonly
  • readwrite
  • write
  • admin
  • owner

Creating a User for Kubernetes

With a lot of cloud Kubernetes services today, you don’t have to worry too much about creating users for Kubernetes in the standard way (like you’ll see below). For example, if you have an Azure Kubernetes Service (AKS) cluster, the users can be managed via:

  • RBAC from the Azure portal
  • AKS-managed Azure Active Directory (AAD)

For a cluster you run yourself, the standard way is to give the user a client certificate signed by the cluster's CA and register it with kubectl. Run the following as root on the control plane node (it needs the CA key under /etc/kubernetes/pki):

# Create the Linux user and work inside its home directory
useradd minikube && cd /home/minikube
# Generate the user's private key (the original listing skipped this step, but the CSR below needs it)
openssl genrsa -out minikube.key 2048
# The certificate's CN becomes the Kubernetes username
openssl req -new -key minikube.key \
  -out minikube.csr \
  -subj "/CN=minikube"
# Sign the CSR with the cluster CA
openssl x509 -req -in minikube.csr \
  -CA /etc/kubernetes/pki/ca.crt \
  -CAkey /etc/kubernetes/pki/ca.key \
  -CAcreateserial \
  -out minikube.crt -days 500
mkdir .certs && mv minikube.crt minikube.key .certs
# Register the certificate as a kubectl user and create a context for it
kubectl config set-credentials minikube \
  --client-certificate=/home/minikube/.certs/minikube.crt \
  --client-key=/home/minikube/.certs/minikube.key
kubectl config set-context minikube-context \
  --cluster=kubernetes --user=minikube

Kubeconfig (Authentication)

Typically, under a user's home directory lives a hidden directory called .kube. Inside the .kube directory you'll find a file called config. That's the Kubernetes configuration, or Kubeconfig as the cool kids like to call it for short. Your Kubeconfig is how your system tells a Kubernetes cluster: "Hey! I have access to you and a few of your resources. Let me in!"

cd ~/.kube
cat config

A Kubeconfig has four top-level sections:

  • Clusters
  • Contexts
  • Users
  • Current Context

For example, here is the Kubeconfig that minikube generates:

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /Users/michael/.minikube/ca.crt
    extensions:
    - extension:
        last-update: Tue, 12 Apr 2022 15:23:37 EDT
        provider: minikube.sigs.k8s.io
        version: v1.25.1
      name: cluster_info
    server: https://127.0.0.1:57578
  name: minikube
contexts:
- context:
    cluster: minikube
    extensions:
    - extension:
        last-update: Tue, 12 Apr 2022 15:23:37 EDT
        provider: minikube.sigs.k8s.io
        version: v1.25.1
      name: context_info
    namespace: default
    user: minikube
  name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
  user:
    client-certificate: /Users/michael/.minikube/profiles/minikube/client.crt
    client-key: /Users/michael/.minikube/profiles/minikube/client.key

Roles (Authorization)

In the previous section, you learned what a Kubeconfig is: it is your authentication method, the thing that allows you to connect to a Kubernetes cluster. In this section, you'll learn about Roles, which handle authorization. Authorization tells Kubernetes: "Hey, this user is in the cluster. Here's what they can actually do while in the cluster." The Role below grants read access to Pods in the default namespace, and the RoleBinding attaches that Role to the minikube user created earlier:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: minikube
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
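To see how the API server evaluates these two objects, here is a small Python model of the RBAC check, added for this article and not Kubernetes' own code. The Role and RoleBinding above are transcribed as dicts, and `can_i` (a name chosen here) answers the same questions `kubectl auth can-i` would, including the fact that a Role only grants access inside its own namespace.

```python
# Minimal model of the Kubernetes RBAC check for the Role/RoleBinding above,
# with both manifests transcribed as dicts. Added illustration for this
# article, not the API server's own code.
ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "default", "name": "pod-reader"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}],
}
ROLE_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "read-pods", "namespace": "default"},
    "subjects": [{"kind": "User", "name": "minikube", "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"},
}


def _rule_matches(rule, api_group, resource, verb):
    """A rule matches when API group, resource and verb each match (or are "*")."""
    return (
        (api_group in rule["apiGroups"] or "*" in rule["apiGroups"])
        and (resource in rule["resources"] or "*" in rule["resources"])
        and (verb in rule["verbs"] or "*" in rule["verbs"])
    )


def can_i(user, verb, resource, namespace, api_group="", roles=(ROLE,), bindings=(ROLE_BINDING,)):
    """True if a RoleBinding in `namespace` names `user` and its Role (same namespace)
    has a rule allowing `verb` on `resource`. RBAC is allow-only: no rule, no access."""
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only grants access inside its own namespace
        if not any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"]):
            continue  # this binding is not for our user
        ref = binding["roleRef"]
        for role in roles:
            same_role = (role["kind"] == ref["kind"] and role["metadata"]["name"] == ref["name"]
                         and role["metadata"]["namespace"] == namespace)
            if same_role and any(_rule_matches(r, api_group, resource, verb) for r in role["rules"]):
                return True
    return False


if __name__ == "__main__":
    # Same questions `kubectl auth can-i` would answer for the minikube user.
    for args in [("minikube", "get", "pods", "default"),
                 ("minikube", "delete", "pods", "default"),
                 ("minikube", "list", "pods", "kube-system")]:
        print(args, "->", "yes" if can_i(*args) else "no")
```

Only the first question is answered "yes": delete is not in the verb list, and the binding does not reach into kube-system.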

Wrapping Up

There are a bunch of great safeguards in place out of the box when it comes to Kubernetes user security. In fact, Kubernetes doesn't even have its own user database, so it essentially lets you decide what you want to use. For an on-prem k8s cluster, you might use an approach like the one in the Creating a User for Kubernetes section. If you're using a cloud Kubernetes service like Azure Kubernetes Service (AKS), you might utilize something like Azure Active Directory.

Michael Levan

Leader in Kubernetes consulting, research, and content creation ┇AWS Community Builder (Dev Tools Category)┇ HashiCorp Ambassador