Kubernetes workshop: Manage permissions in Kubernetes

Ogenki

Self-hosted LLM stack: a solid foundation for an open-weight platform built to evolve A few months with `Claude Code`: tips and workflows that helped me `Agentic Coding`: concepts and hands-on Platform Engineering use cases `PostgreSQL`: From Metrics to Query Plan Analysis `VictoriaLogs`: What if logs management became simple and performant? `VictoriaMetrics` : Effective alerts, from theory to practice 🛠️ Harness the Power of `VictoriaMetrics` and `Grafana` Operators for Metrics Management `Dagger`: The missing piece of the developer experience? `TLS` with Gateway API: Efficient and Secure Management of Public and Private Certificates Going Further with `Crossplane`: Compositions and Functions Beyond Traditional VPNs: Simplifying Cloud Access with `Tailscale` `Gateway API`: Can I replace my Ingress Controller with `Cilium`? Applying GitOps Principles to Infrastructure: An overview of `tf-controller` `CloudNativePG`: An easy way to run PostgreSQL on Kubernetes 100% `GitOps` using Flux My Kubernetes cluster (GKE) with `Crossplane` Manage tools versions with `asdf` Helm workshop: Templating exercises Helm workshop: Build your first chart Helm workshop: Lifecycle operations Helm workshop: Ecosystem Helm workshop: Third party charts Helm workshop Kubernetes workshop: Troubleshooting Kubernetes workshop: Resources allocation and autoscaling Kubernetes workshop: Complete application stack Kubernetes workshop: Local environment Run an application on Kubernetes Kubernetes workshop

2021-05-08 · via Ogenki

RBAC is the method used by Kubernetes to authorize access to API resources.

ℹ️ When it makes sense you can use the default roles that are available in all Kubernetes installation instead of having to maintain custom ones.

For this lab what we want to achieve is to give permissions the following permissions to an application myapp:

read the configmaps in the namespace foo
List the pods in all the namespaces

It is a good practice to configure your pod to make use of a serviceaccount. A serviceaccount are used to identify applications and give them permissions if necessary.

Create a service account

1kubectl create serviceaccount myapp
2serviceaccount/myapp created

When a service account is created, a token is automatically generated and stored in a secret.

1kubectl describe sa myapp | grep -i token
2Mountable secrets:   myapp-token-bz2zq
3Tokens:              myapp-token-bz2zq
4
5kubectl get secret myapp-token-bz2zq --template={{.data.token}} | base64 -d
6eyJhb...EYxhjI_ckZ74A

Using a tool to decode the JWT token you should see the following content

 1kubectl get secret myapp-token-bz2zq --template={{.data.token}} | base64 -d | jwt decode -
 2
 3Token header
 4------------
 5{
 6  "alg": "RS256",
 7  "kid": "IdsXYO6E93xozgJg-LY2oETTPEHBJjydTU4vF2wy-wg"
 8}
 9
10Token claims
11------------
12{
13  "iss": "kubernetes/serviceaccount",
14  "kubernetes.io/serviceaccount/namespace": "foo",
15  "kubernetes.io/serviceaccount/secret.name": "myapp-token-bz2zq",
16  "kubernetes.io/serviceaccount/service-account.name": "myapp",
17  "kubernetes.io/serviceaccount/service-account.uid": "eb606bdc-b713-4b7c-8da8-c4f71075995e",
18  "sub": "system:serviceaccount:foo:myapp"
19}

We're going to create a deployment that will be configured to used this serviceaccount. In the yaml you'll notice that we defined the serviceAccountName.

1kubectl apply -f content/resources/kubernetes_workshop/rbac/deployment.yaml
2deployment.apps/myapp created

As we didn't assigned any permissions to this serviceaccount, our application won't be able to call any of the API endpoints

 1POD_NAME=$(kubectl get po -l app=myapp -o jsonpath='{.items[0].metadata.name}')
 2
 3kubectl exec ${POD_NAME} -- kubectl auth can-i -n foo --list
 4Resources                                       Non-Resource URLs                     Resource Names   Verbs
 5selfsubjectaccessreviews.authorization.k8s.io   []                                    []               [create]
 6selfsubjectrulesreviews.authorization.k8s.io    []                                    []               [create]
 7                                                [/.well-known/openid-configuration]   []               [get]
 8                                                [/api/*]                              []               [get]
 9                                                [/api]                                []               [get]
10                                                [/apis/*]                             []               [get]
11                                                [/apis]                               []               [get]
12                                                [/healthz]                            []               [get]
13                                                [/healthz]                            []               [get]
14                                                [/livez]                              []               [get]
15                                                [/livez]                              []               [get]
16                                                [/openapi/*]                          []               [get]
17                                                [/openapi]                            []               [get]
18                                                [/openid/v1/jwks]                     []               [get]
19                                                [/readyz]                             []               [get]
20                                                [/readyz]                             []               [get]
21                                                [/version/]                           []               [get]
22                                                [/version/]                           []               [get]
23                                                [/version]                            []               [get]
24                                                [/version]                            []               [get]

In order to allow it to read configmaps in the namespace foo, we're going to create 2 resources:

A role which will describe the permissions and which is bounded to a namespace
A rolebinding to assign this role to our application (serviceaccount)

Create the role

1kubectl apply -f content/resources/kubernetes_workshop/rbac/role.yaml
2role.rbac.authorization.k8s.io/read-configmaps created

And assign it to the serviceaccount we've created previously

1kubectl create rolebinding -n foo myapp-configmap --serviceaccount=foo:myapp --role=read-configmaps
2rolebinding.rbac.authorization.k8s.io/myapp-configmap created

Note that in the above command the serviceaccount must be specified with the namespace as a prefix and separated by a semicolon.

You don't have to restart the pod to get the permissions enabled.

1kubectl exec ${POD_NAME} -- kubectl auth can-i get configmaps -n foo
2yes
3
4kubectl exec ${POD_NAME} -- kubectl get cm
5NAME               DATA   AGE
6kube-root-ca.crt   1      3d20h
7helloworld         2      2d2h

This is possible thanks to the token mounted within the container

 1kubectl exec -ti ${POD_NAME} -- bash -c 'curl -skH "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default/api/v1/namespaces/foo/configmaps'
 2{
 3  "kind": "ConfigMapList",
 4  "apiVersion": "v1",
 5  "metadata": {
 6    "resourceVersion": "76334"
 7  },
 8  "items": [
 9    {
10      "metadata": {
11        "name": "kube-root-ca.crt",
12        "namespace": "foo",
13        "uid": "c352e4cd-3b88-4400-80a0-cbba318794e4",
14...

Finally we want to list the pods in all the namespaces of our cluster. we need:

A clusterrole which will describe the permissions that are cluster wide.
A clusterrolebinding to assign this clusterrole to our application (serviceaccount)

1$ kubectl apply -f content/resources/kubernetes_workshop/rbac/clusterrole.yaml
2clusterrole.rbac.authorization.k8s.io/list-pods created

1kubectl create clusterrolebinding -n foo myapp-pods --serviceaccount=foo:myapp --clusterrole=list-pods
2clusterrolebinding.rbac.authorization.k8s.io/myapp-pods created

Now lets have a look to the permissions our applications has in the namespace foo

 1kubectl exec ${POD_NAME} -- kubectl auth can-i -n foo --list
 2Resources                                       Non-Resource URLs                     Resource Names   Verbs
 3selfsubjectaccessreviews.authorization.k8s.io   []                                    []               [create]
 4selfsubjectrulesreviews.authorization.k8s.io    []                                    []               [create]
 5pods                                            []                                    []               [get list]
 6configmaps                                      []                                    []               [get watch list]
 7                                                [/.well-known/openid-configuration]   []               [get]
 8                                                [/api/*]                              []               [get]
 9                                                [/api]                                []               [get]
10                                                [/apis/*]                             []               [get]
11...

此内容由惯性聚合(RSS阅读器)自动聚合整理，仅供阅读参考。原文来自 — 版权归原作者所有。

推荐订阅源

Ogenki