What Do You Need to Know About RBAC Authorization in Kubernetes?

tudip-logo

Tudip

24 May 2019

 

RBAC is one of the Authorization Modules in Kubernetes. Role-based access control is a method to provide access to the API resources running on your cluster based on the roles of individual users within an enterprise.

If you want to provide restricted access to a team member to work only in particular namespace in Kubernetes cluster, then we need to create authentication and role-based access control (RBAC) for the user.

For example, if you want an individual user can perform a specific task, such as view, create, or modify a file, RBAC authentication is used.

RBAC permissions can apply to the entire cluster, or to the specific namespaces within the cluster. You can read more about namespaces from here.

 User  Role  Permission

To define the RBAC permissions you need to create an object from the rbac.authorization.k8s.io API group in your cluster.

RBAC is enabled by default if you are running a Kubernetes cluster version 1.6 or later.

The process to create RBAC with GKE cluster

For this, we will use two user accounts as Username 1 and Username 2.

Create namespaces for users to control access to cluster resources:

  • Create a GKE cluster:
    gcloud container clusters create $my_cluster \ --num-nodes 3 --enable-ip-alias --zone $my_zone
  • Create a Namespace:
    Create a manifest file called my-namespace.yaml to create a new namespace called production.

    apiVersion: v1 
    kind: Namespace 
    Metadata: 
             name: production

    You can list the current namespaces in the cluster using the following command:

    kubectl get namespaces

    You can view the details of an existing namespace by executing the following command:

    kubectl describe namespaces production
  • Create a Resource in a Namespace:
    If you do not specify the namespace of a Pod it will use the namespace ‘default’. Create a simple manifest file called my-pod.yaml that creates a Pod that contains an nginx container.

    apiVersion: v1 
    kind: Pod 
    metadata: 
            name: nginx 
    labels: name: nginx
     spec: 
         containers: 
                    name: nginx 
                    image: nginx  
                    ports: - containerPort: 80

    Now, execute the following command to create the resource in the namespace called production

    kubectl apply -f ./my-pod.yaml --namespace=production

    Run the following command to view your Pod

    kubectl get pods --namespace=production

Create roles and RoleBindings to control the access within a namespace

In this task, you will create a sample custom role, and then create a RoleBinding that grants Username 2 the editor role in the production namespace.

We will create a file named pod-reader-role.yaml to define the role. This manifest defines a role called pod-reader that provides create, get, list and watch permission for Pod objects in the production namespace.

kind: Role 
apiVersion: rbac.authorization.k8s.io/v1 
metadata: 
         namespace: production 
         name: pod-reader 
rules: 
     apiGroups: [""] 
     resources: ["pods"] 
     verbs: ["create", "get", "list", "watch"]
  • Create a custom Role
    Before you can create a Role, your account must have the permissions granted in the role being assigned. For cluster administrators, this can be easily accomplished by creating the following RoleBinding to grant your own user account the cluster-admin role. To grant the Username 1 account cluster-admin privileges, run the following command-

    kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user [USERNAME_1_EMAIL]

    Execute the following command to create the role:

    kubectl apply -f pod-reader-role.yaml

    To list the roles to verify it was created, execute the following command:

    kubectl get roles --namespace production
  • Create a RoleBinding
  • The username2-editor-binding.yaml manifest file creates a RoleBinding called username2-editor for the second user to the pod-reader role. That role can create and view Pods but cannot delete them.

    kind: RoleBinding 
    apiVersion: rbac.authorization.k8s.io/v1 
    metadata: 
                   name: username2-editor 
                   namespace: production 
    subjects:
                kind: User 
                name: [USERNAME_2_EMAIL] 
                apiGroup: rbac.authorization.k8s.io 
    roleRef: 
                kind: Role 
                name: pod-reader 
                apiGroup: rbac.authorization.k8s.io

RBAC is an efficient and most popular way to implement authorization in Kubernetes. ABAC (Attribute-based access control), Node Authorization model and the Webhook mode are other methods of authorization in Kubernetes.

Request a quote