
k8s Role Based Access Controls

Role Based Access Controls

RBAC grants access according to the actions a user may perform on the cluster, and those actions are determined by the user's role. A Role is a collection of actions that a user needs to perform on the cluster; it usually corresponds to a job function in the organization. For example, a developer role might need to perform

  • create/delete/update/list/get - pods
  • create/delete/update/list/get - replicasets
  • create/delete/update/list/get - deployments
  • create/delete/update/list/get - configmaps
  • create/delete/update/list/get - secrets

However, a developer role does not need to add, delete or otherwise manage nodes on the Kubernetes cluster; that ability belongs to the cluster administrator. Roles are restricted to a single namespace. If we want a role definition that applies to the entire cluster, we must use a ClusterRole and a ClusterRoleBinding instead.

Role and Role Bindings

A Role is a collection of the actions that can be performed on the cluster, which often maps to a job function in the real world. It can be generated from the command line with the following command.

kubectl create role developer --verb=create,delete,update,get,list,watch --resource=pods --dry-run=client -o yaml > developer-role.yaml

which yields the following output

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete

A RoleBinding is the glue that binds a user or a group to this role. In the following command we bind the role developer to the user roshankhatri. A RoleBinding can also be generated from the command line:

kubectl create rolebinding developer-role-binding --role developer --user=roshankhatri --dry-run=client -o yaml > developer-role-binding.yaml

which produces the corresponding YAML for the RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: developer
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: roshankhatri

Similarly, to bind a group to the role we can use the following command.

kubectl create rolebinding developer-role-binding --role developer --group dev-users --dry-run=client -o yaml > developer-role-binding.yaml

which produces the corresponding YAML for the RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: developer
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: dev-users

Testing Role Bindings

To test whether the current user is allowed an action, we can use

kubectl auth can-i create pods

To check a permission as another user or group, impersonate that subject (the caller needs permission to impersonate):

kubectl auth can-i create pods --as roshankhatri

To test the same permission in another namespace, the following command can be used

kubectl auth can-i create pods --as roshankhatri --namespace default
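The decision behind `kubectl auth can-i` can be replayed offline. The following is an added example, not code from this page or from kubectl: it models the API server's RBAC authorizer over constructed manifests (Python dicts standing in for the YAML above) so the namespace scoping of a RoleBinding, the union of several bindings and the deny-by-default behaviour can be seen without a cluster. The namespace `dev`, the ClusterRole `node-admin`, the group `cluster-admins` and the users `alice` and `bob` are assumptions made for the example.

```python
"""Offline model of the RBAC decision behind `kubectl auth can-i`.

Added example, not kubectl's or the API server's code. Roles and bindings are
constructed dicts mirroring the page's YAML; the namespace "dev", the
ClusterRole "node-admin" and the group "cluster-admins" are assumptions.
"""

# Constructed manifests. The developer Role gets a namespace because a Role
# lives in exactly one; the node-admin ClusterRole shows cluster-wide scope.
ROLES = [
    {
        "kind": "Role",
        "metadata": {"name": "developer", "namespace": "dev"},
        "rules": [
            {"apiGroups": [""], "resources": ["pods"],
             "verbs": ["get", "list", "watch", "create", "update", "delete"]},
        ],
    },
    {
        "kind": "ClusterRole",
        "metadata": {"name": "node-admin"},
        "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["*"]}],
    },
]

BINDINGS = [
    {
        "kind": "RoleBinding",
        "metadata": {"name": "developer-role-binding", "namespace": "dev"},
        "roleRef": {"kind": "Role", "name": "developer"},
        "subjects": [
            {"kind": "User", "name": "roshankhatri"},
            {"kind": "Group", "name": "dev-users"},
        ],
    },
    {
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "node-admins"},
        "roleRef": {"kind": "ClusterRole", "name": "node-admin"},
        "subjects": [{"kind": "Group", "name": "cluster-admins"}],
    },
]


def _subject_matches(subject, user, groups):
    """A binding applies when a subject names the user or one of their groups."""
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return False  # ServiceAccount subjects are out of scope for this model


def _rule_allows(rule, verb, resource, api_group):
    """Rules are additive only: a rule matches when every field matches,
    with "*" as a wildcard. RBAC has no deny rules."""
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    return (hit(rule["verbs"], verb)
            and hit(rule["resources"], resource)
            and hit(rule["apiGroups"], api_group))


def _resolve_role(binding):
    """Find the role a binding points at. A RoleBinding may reference a
    ClusterRole; its rules then apply only inside the binding's namespace."""
    ref = binding["roleRef"]
    for role in ROLES:
        if role["kind"] != ref["kind"] or role["metadata"]["name"] != ref["name"]:
            continue
        if (role["kind"] == "Role"
                and role["metadata"].get("namespace") != binding["metadata"].get("namespace")):
            continue
        return role
    return None


def grants(user, groups, verb, resource, namespace, api_group=""):
    """Names of the bindings that grant this request.
    Use namespace "" for cluster-scoped resources such as nodes."""
    granting = []
    for binding in BINDINGS:
        if not any(_subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        # A RoleBinding is confined to its own namespace; a ClusterRoleBinding
        # applies in every namespace and to cluster-scoped resources.
        if binding["kind"] == "RoleBinding" and binding["metadata"]["namespace"] != namespace:
            continue
        role = _resolve_role(binding)
        if role and any(_rule_allows(r, verb, resource, api_group) for r in role["rules"]):
            granting.append(binding["metadata"]["name"])
    return granting


def can_i(user, groups, verb, resource, namespace, api_group=""):
    """Deny by default: allowed only if at least one binding grants it."""
    return bool(grants(user, groups, verb, resource, namespace, api_group))


if __name__ == "__main__":
    # Same question as `kubectl auth can-i create pods --as roshankhatri --namespace <ns>`
    for ns in ("dev", "default"):
        print(f"roshankhatri create pods in {ns!r}: {can_i('roshankhatri', [], 'create', 'pods', ns)}")
```

The `grants` function is the part worth keeping around for audits: it returns which binding produced an allow, which is what you want to know when a subject turns out to have more access than intended. Note that `--as` in the real command only answers for the impersonated subject; the model takes the user and group list directly, so there is no impersonation permission to account for.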