Kubernetes workshop: Manage permissions in Kubernetes
RBAC is the method used by Kubernetes to authorize access to API resources.
ℹ️ When it makes sense you can use the default roles that are available in all Kubernetes installation instead of having to maintain custom ones.
For this lab what we want to achieve is to give permissions the following permissions to an application myapp:
- read the configmaps in the namespace
foo - List the pods in all the namespaces
It is a good practice to configure your pod to make use of a serviceaccount. A serviceaccount are used to identify applications and give them permissions if necessary.
Create a service account
1kubectl create serviceaccount myapp
2serviceaccount/myapp created
When a service account is created, a token is automatically generated and stored in a secret.
1kubectl describe sa myapp | grep -i token
2Mountable secrets: myapp-token-bz2zq
3Tokens: myapp-token-bz2zq
4
5kubectl get secret myapp-token-bz2zq --template={{.data.token}} | base64 -d
6eyJhb...EYxhjI_ckZ74A
Using a tool to decode the JWT token you should see the following content
1kubectl get secret myapp-token-bz2zq --template={{.data.token}} | base64 -d | jwt decode -
2
3Token header
4------------
5{
6 "alg": "RS256",
7 "kid": "IdsXYO6E93xozgJg-LY2oETTPEHBJjydTU4vF2wy-wg"
8}
9
10Token claims
11------------
12{
13 "iss": "kubernetes/serviceaccount",
14 "kubernetes.io/serviceaccount/namespace": "foo",
15 "kubernetes.io/serviceaccount/secret.name": "myapp-token-bz2zq",
16 "kubernetes.io/serviceaccount/service-account.name": "myapp",
17 "kubernetes.io/serviceaccount/service-account.uid": "eb606bdc-b713-4b7c-8da8-c4f71075995e",
18 "sub": "system:serviceaccount:foo:myapp"
19}
We're going to create a deployment that will be configured to used this serviceaccount. In the yaml you'll notice that we defined the serviceAccountName.
1kubectl apply -f content/resources/kubernetes_workshop/rbac/deployment.yaml
2deployment.apps/myapp created
As we didn't assigned any permissions to this serviceaccount, our application won't be able to call any of the API endpoints
1POD_NAME=$(kubectl get po -l app=myapp -o jsonpath='{.items[0].metadata.name}')
2
3kubectl exec ${POD_NAME} -- kubectl auth can-i -n foo --list
4Resources Non-Resource URLs Resource Names Verbs
5selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
6selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
7 [/.well-known/openid-configuration] [] [get]
8 [/api/*] [] [get]
9 [/api] [] [get]
10 [/apis/*] [] [get]
11 [/apis] [] [get]
12 [/healthz] [] [get]
13 [/healthz] [] [get]
14 [/livez] [] [get]
15 [/livez] [] [get]
16 [/openapi/*] [] [get]
17 [/openapi] [] [get]
18 [/openid/v1/jwks] [] [get]
19 [/readyz] [] [get]
20 [/readyz] [] [get]
21 [/version/] [] [get]
22 [/version/] [] [get]
23 [/version] [] [get]
24 [/version] [] [get]
In order to allow it to read configmaps in the namespace foo, we're going to create 2 resources:
- A role which will describe the permissions and which is bounded to a namespace
- A rolebinding to assign this role to our application (serviceaccount)
Create the role
1kubectl apply -f content/resources/kubernetes_workshop/rbac/role.yaml
2role.rbac.authorization.k8s.io/read-configmaps created
And assign it to the serviceaccount we've created previously
1kubectl create rolebinding -n foo myapp-configmap --serviceaccount=foo:myapp --role=read-configmaps
2rolebinding.rbac.authorization.k8s.io/myapp-configmap created
Note that in the above command the serviceaccount must be specified with the namespace as a prefix and separated by a semicolon.
You don't have to restart the pod to get the permissions enabled.
1kubectl exec ${POD_NAME} -- kubectl auth can-i get configmaps -n foo
2yes
3
4kubectl exec ${POD_NAME} -- kubectl get cm
5NAME DATA AGE
6kube-root-ca.crt 1 3d20h
7helloworld 2 2d2h
This is possible thanks to the token mounted within the container
1kubectl exec -ti ${POD_NAME} -- bash -c 'curl -skH "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default/api/v1/namespaces/foo/configmaps'
2{
3 "kind": "ConfigMapList",
4 "apiVersion": "v1",
5 "metadata": {
6 "resourceVersion": "76334"
7 },
8 "items": [
9 {
10 "metadata": {
11 "name": "kube-root-ca.crt",
12 "namespace": "foo",
13 "uid": "c352e4cd-3b88-4400-80a0-cbba318794e4",
14...
Finally we want to list the pods in all the namespaces of our cluster. we need:
- A clusterrole which will describe the permissions that are cluster wide.
- A clusterrolebinding to assign this clusterrole to our application (serviceaccount)
1$ kubectl apply -f content/resources/kubernetes_workshop/rbac/clusterrole.yaml
2clusterrole.rbac.authorization.k8s.io/list-pods created
1kubectl create clusterrolebinding -n foo myapp-pods --serviceaccount=foo:myapp --clusterrole=list-pods
2clusterrolebinding.rbac.authorization.k8s.io/myapp-pods created
Now lets have a look to the permissions our applications has in the namespace foo
1kubectl exec ${POD_NAME} -- kubectl auth can-i -n foo --list
2Resources Non-Resource URLs Resource Names Verbs
3selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
4selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
5pods [] [] [get list]
6configmaps [] [] [get watch list]
7 [/.well-known/openid-configuration] [] [get]
8 [/api/*] [] [get]
9 [/api] [] [get]
10 [/apis/*] [] [get]
11...