RBAC in Kubernetes
RBAC stands for Role Based Access Control
Under core api groups we have all objects: pods, deployments, Services, ReplicaSets, Statefulsets, jobs
Role: A role can be used to grant access to resources in a namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: developer
namespace: dev
rules:
- apiGroups: ["","Extensions", "apps"] # "" indicates the core API group
resources: ["*"]
verbs: ["get", "list", "create", "delete", "watch"]
- apiGroups: ["batch"]
resources:
- job
- cronjobs
verbs: ["*"]
RoleBinding: A RoleBinding binds subjects[users, groups] with the roles.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metedata:
name: dev-user-rolebinding
namespace: dev
subjects:
kind: user
name: dev
apiGroup: rbac.authorization.k8s.io/v1
roleRef:
kind: role
name: developer
apiGroup: rbac.authorization.k8s.io/v1
imperative command to create Roles and RoleBindings
kubectl create role developer --namespace=default --verb=list,create,delete --resource=pods
kubectl create rolebinding dev-user-rolebinding --namespace=default --role=developer --user=dev-user
kubectl auth can-i list nodes --as dev # to check access
clusterrole & clusterrolebinding :
# create cluster role
kubectl create clusterrole abi-clustaer-role \
--namespace=dev --verb=list --resource=persistentvolumes
# create cluster rolebinding with a user
kubectl create rolebinding abi-cluster-rolebinding \
--namespace= dev --clusterrole=abi-cluster-role --user=dev-user
# create cluster rolebinding with a service account
kubectl create rolebinding abi-cluster-rolebinding \
--namespace= dev --clusterrole=abi-cluster-role --serviceaccount-abi-serv-acnt