In the last article, we saw how to create a user and authenticate that user. We also saw a Forbidden error when accessing the pods in a namespace. In this article we will see how to authorize the same demo user.
As already discussed, authorization in Kubernetes is a chain of multiple plugins. A request passes through the plugins until one of them succeeds; if none succeeds, the request is denied. Authorization in Kubernetes is done by one or more of:
ABAC - Attribute Based Access Control
RBAC - Role Based Access Control
Node Authorization
Webhooks
In this article we will see how to configure RBAC so that our demouser can list the pods without the Forbidden error.
RBAC (Role Based Access Control) - In this mode of authorization, we create roles that define the permissions the users associated with those roles have, i.e. what they can access or edit. Once the roles are defined, the admin associates roles with users through a RoleBinding. A Role grants a user access within a namespace, and a ClusterRole grants a user access across the cluster. Similarly, a RoleBinding binds a Role to a user within a namespace, and a ClusterRoleBinding binds a ClusterRole to a user for the whole cluster.
Since we already have the demouser created, let's create a role. The role manifest file contains the namespace as well as the operations that can be performed on the workloads inside that namespace:
[root@ip-172-31-12-239 ~]# cat basic-role.yml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: project1
  name: demouser-role
rules:
# "" is the core API group (pods); deployments and replicasets live in apps/extensions
- apiGroups: ["", "extensions", "apps"]
  resources:
  - "deployments"
  - "replicasets"
  - "pods"
  # "*" grants every verb on these resources
  verbs: ["*"]
In the above manifest file, I have created a role named “demouser-role” which can perform the get, watch, list, create, update, delete and patch operations (verbs: ["*"]) on the workloads deployments, replicasets and pods.
Create the role as,
[root@ip-172-31-12-239 ~]# kubectl create -f basic-role.yml
role.rbac.authorization.k8s.io/demouser-role created
In the above manifest file, resources lists the resources or workloads in the namespace, and verbs lists the actions this role can perform on those resources within the namespace defined.
RoleBinding - Once the role is created, let's bind this role to the demouser. Create a role binding manifest file as follows,
[root@ip-172-31-12-239 ~]# cat demouser-role-binding.yml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: demouser-role-binding
  namespace: project1
subjects:
- kind: User
  name: demouser
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: demouser-role
  apiGroup: rbac.authorization.k8s.io
Let's create the role binding using,
[root@ip-172-31-12-239 ~]# kubectl create -f demouser-role-binding.yml
rolebinding.rbac.authorization.k8s.io/demouser-role-binding created
In the above manifest file, I created a role binding “demouser-role-binding” that binds the user demouser (subjects) to demouser-role (roleRef). Once the role and role binding are created, try to list the pods using the command below,
[root@ip-172-31-12-239 ~]# kubectl --context=project1 get pods
No resources found.
In this case we did not see any error, which means demouser is successfully authenticated and also authorized. Now let's try to list the namespaces in the same context as below,
[root@ip-172-31-12-239 ~]# kubectl --context=project1 get namespaces
Error from server (Forbidden): namespaces is forbidden: User "demouser" cannot list resource "namespaces" in API group "" at the cluster scope
In this case we see a Forbidden error: we gave demouser full access to pods, deployments and replicasets in the project1 namespace but not to namespaces, which is a cluster-scoped resource, hence the Forbidden error.
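To make the two results above concrete, here is an added Python model of the RBAC decision (not the article's code and not the Kubernetes authorizer itself) that replays the article's Role and RoleBinding against the two requests. It assumes a simplified evaluator: only Roles and RoleBindings with User subjects, a constructed set of cluster-scoped resources, and no ClusterRoleBindings, resourceNames or subresources.

```python
# Constructed transcription of the article's two manifests as Python dicts,
# so the example runs without a YAML library.
ROLE = {
    "metadata": {"namespace": "project1", "name": "demouser-role"},
    "rules": [{"apiGroups": ["", "extensions", "apps"],
               "resources": ["deployments", "replicasets", "pods"],
               "verbs": ["*"]}],
}
ROLE_BINDING = {
    "metadata": {"namespace": "project1", "name": "demouser-role-binding"},
    "subjects": [{"kind": "User", "name": "demouser"}],
    "roleRef": {"kind": "Role", "name": "demouser-role"},
}
# Assumed set of cluster-scoped resources for this model; a request for one
# carries no namespace, so a namespaced RoleBinding can never grant it.
CLUSTER_SCOPED = {"namespaces", "nodes"}


def rule_matches(rule, api_group, resource, verb):
    """A rule matches when group, resource and verb are each listed or '*'."""
    return ((api_group in rule["apiGroups"] or "*" in rule["apiGroups"])
            and (resource in rule["resources"] or "*" in rule["resources"])
            and (verb in rule["verbs"] or "*" in rule["verbs"]))


def can_i(user, verb, resource, api_group="", namespace=None,
          roles=(ROLE,), bindings=(ROLE_BINDING,)):
    """True if a RoleBinding in the request's namespace names `user` and
    references a Role with a rule matching group/resource/verb."""
    if resource in CLUSTER_SCOPED:
        namespace = None          # cluster scope: no binding namespace matches
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r
                    for r in roles}
    for b in bindings:
        ns = b["metadata"]["namespace"]
        if ns != namespace:
            continue              # binding only applies inside its namespace
        if not any(s["kind"] == "User" and s["name"] == user
                   for s in b["subjects"]):
            continue              # user is not a subject of this binding
        role = roles_by_key.get((ns, b["roleRef"]["name"]))
        if role and any(rule_matches(r, api_group, resource, verb)
                        for r in role["rules"]):
            return True
    return False                  # nothing granted it: Forbidden


if __name__ == "__main__":
    print(can_i("demouser", "list", "pods", namespace="project1"))  # True
    print(can_i("demouser", "list", "namespaces"))                   # False
```

The same check against a live cluster is `kubectl auth can-i list pods --as=demouser -n project1`, which asks the real authorizer rather than this model.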
This is all about Authorization in Kubernetes.