What Do You Need to Know About RBAC Authorization in Kubernetes?
RBAC is one of the Authorization Modules in Kubernetes. Role-based access control is a method to provide access to the API resources running on your cluster based on the roles of individual users within an enterprise.
If you want to provide restricted access to a team member to work only in particular namespace in Kubernetes cluster, then we need to create authentication and role-based access control (RBAC) for the user.
For example, if you want an individual user can perform a specific task, such as view, create, or modify a file, RBAC authentication is used.
RBAC permissions can apply to the entire cluster, or to the specific namespaces within the cluster. You can read more about namespaces from here.
User → Role → Permission
To define the RBAC permissions you need to create an object from the rbac.authorization.k8s.io API group in your cluster.
RBAC is enabled by default if you are running a Kubernetes cluster version 1.6 or later.
The process to create RBAC with GKE cluster
For this, we will use two user accounts as Username 1 and Username 2.
Create namespaces for users to control access to cluster resources:
- Create a GKE cluster:
gcloud container clusters create $my_cluster \ --num-nodes 3 --enable-ip-alias --zone $my_zone
- Create a Namespace:
Create a manifest file called my-namespace.yaml to create a new namespace called production.
apiVersion: v1 kind: Namespace Metadata: name: production
You can list the current namespaces in the cluster using the following command:
kubectl get namespaces
You can view the details of an existing namespace by executing the following command:
kubectl describe namespaces production
- Create a Resource in a Namespace:
If you do not specify the namespace of a Pod it will use the namespace ‘default’. Create a simple manifest file called my-pod.yaml that creates a Pod that contains an nginx container.
apiVersion: v1 kind: Pod metadata: name: nginx labels: name: nginx spec: containers: name: nginx image: nginx ports: - containerPort: 80
Now, execute the following command to create the resource in the namespace called production
kubectl apply -f ./my-pod.yaml --namespace=production
Run the following command to view your Pod
kubectl get pods --namespace=production
Create roles and RoleBindings to control the access within a namespace
In this task, you will create a sample custom role, and then create a RoleBinding that grants Username 2 the editor role in the production namespace.
We will create a file named pod-reader-role.yaml to define the role. This manifest defines a role called pod-reader that provides create, get, list and watch permission for Pod objects in the production namespace.
kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: production name: pod-reader rules: apiGroups: [""] resources: ["pods"] verbs: ["create", "get", "list", "watch"]
- Create a custom Role
Before you can create a Role, your account must have the permissions granted in the role being assigned. For cluster administrators, this can be easily accomplished by creating the following RoleBinding to grant your own user account the cluster-admin role. To grant the Username 1 account cluster-admin privileges, run the following command-
kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user [USERNAME_1_EMAIL]
Execute the following command to create the role:
kubectl apply -f pod-reader-role.yaml
To list the roles to verify it was created, execute the following command:
kubectl get roles --namespace production
- Create a RoleBinding
The username2-editor-binding.yaml manifest file creates a RoleBinding called username2-editor for the second user to the pod-reader role. That role can create and view Pods but cannot delete them.
kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: username2-editor namespace: production subjects: kind: User name: [USERNAME_2_EMAIL] apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: pod-reader apiGroup: rbac.authorization.k8s.io
RBAC is an efficient and most popular way to implement authorization in Kubernetes. ABAC (Attribute-based access control), Node Authorization model and the Webhook mode are other methods of authorization in Kubernetes.