Friday, November 16, 2018

Kubernetes - Authorization

In the last article we saw how to create a user and authenticate that user, and we hit a Forbidden error when listing the pods in a namespace. In this article we will see how to authorize the same demo user.

As already discussed, authorization in Kubernetes is a chain of plugins: a request is passed through the configured authorizers until one of them succeeds; if none does, the request is denied. Authorization in Kubernetes is done by one or more of:
ABAC - Attribute Based Access Control
RBAC - Role Based Access Control
Node Authorization
Webhooks

In this article we will configure RBAC so that our demouser can list pods without the Forbidden error.

RBAC (Role Based Access Control) - In this mode of authorization, we create roles that define the permissions (what can be read or edited) granted to the users associated with them. Once the roles are defined, the admin associates roles with users through a RoleBinding. A Role grants a user access within a namespace, and a ClusterRole grants a user access across the cluster.
Similarly, a RoleBinding binds a user to a Role within a namespace, and a ClusterRoleBinding binds a user to a ClusterRole for the whole cluster.

Since the demouser is already created, let's create a role. The role manifest file specifies the namespace as well as the operations that can be performed on the workloads inside that namespace.

[root@ip-172-31-12-239 ~]# cat basic-role.yml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: project1
  name: demouser-role
rules:
- apiGroups: ["", "extensions", "apps"]
  resources:
    - "deployments"
    - "replicasets"
    - "pods"
  verbs: ["*"]

In the above manifest file, I have created a role named "demouser-role" which, through the wildcard verb "*", can perform the get, watch, list, create, update, delete and patch operations on the deployments, replicasets and pods workloads.

Create the role as, 
[root@ip-172-31-12-239 ~]# kubectl create -f basic-role.yml 
role.rbac.authorization.k8s.io/demouser-role created 

In the manifest, resources names the resources (workloads) in the namespace, and verbs is an array of the actions this role may perform on those resources within the namespace named under metadata.

RoleBinding - Once the role is created, let's bind it to the demouser. Create a role binding manifest file as follows,

[root@ip-172-31-12-239 ~]# cat demouser-role-binding.yml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: demouser-role-binding
  namespace: project1
subjects:
- kind: User
  name: demouser
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: demouser-role
  apiGroup: rbac.authorization.k8s.io

Let's create the role binding using,
[root@ip-172-31-12-239 ~]# kubectl create -f demouser-role-binding.yml 
rolebinding.rbac.authorization.k8s.io/demouser-role-binding created 

In the above manifest file, I created a role binding "demouser-role-binding" whose subject is the user demouser (kind: User) and whose roleRef is demouser-role (kind: Role). Once the role and role binding are created, try to list the pods using the command below,
[root@ip-172-31-12-239 ~]# kubectl --context=project1 get pods 
No resources found. 

This time there is no error, which means demouser is both authenticated and authorized. Now let's try to list the namespaces in the same context,
[root@ip-172-31-12-239 ~]# kubectl --context=project1 get namespaces 
Error from server (Forbidden): namespaces is forbidden: User "demouser" cannot list resource "namespaces" in API group "" at the cluster scope 

Here we see a Forbidden error: demouser was given full access to pods, deployments and replicasets, but nothing for namespaces. As the error message says, namespaces are also requested at the cluster scope, which a namespaced Role cannot cover.
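To make the two kubectl results above reproducible without a cluster, here is an added example (not code from the original post, and not the Kubernetes authorizer itself) that models how RBAC evaluates a Role and a RoleBinding. The two manifests are the post's basic-role.yml and demouser-role-binding.yml transcribed into Python dicts; the evaluator is a simplification that matches apiGroups, resources and verbs (with the "*" wildcard) and enforces the namespace scoping of Role/RoleBinding. It goes slightly beyond the page by also checking a request in a different namespace and a request from a different user, to show that the binding is scoped to both.

```python
"""Toy model of Kubernetes RBAC evaluation for a Role and a RoleBinding.

Added example, not code from the original post or from Kubernetes itself.
The manifests are transcribed from the post; the evaluator is a
simplification of the real RBAC authorizer that is enough to reproduce
the two kubectl results shown on the page.
"""
from dataclasses import dataclass

# Transcribed from basic-role.yml on the page.
ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "project1", "name": "demouser-role"},
    "rules": [
        {
            "apiGroups": ["", "extensions", "apps"],
            "resources": ["deployments", "replicasets", "pods"],
            "verbs": ["*"],
        }
    ],
}

# Transcribed from demouser-role-binding.yml on the page.
ROLE_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "demouser-role-binding", "namespace": "project1"},
    "subjects": [{"kind": "User", "name": "demouser"}],
    "roleRef": {"kind": "Role", "name": "demouser-role"},
}


@dataclass(frozen=True)
class Request:
    """One authorization question, as the API server would phrase it."""
    user: str
    verb: str             # get, list, watch, create, update, patch, delete ...
    resource: str         # pods, deployments, namespaces ...
    api_group: str = ""   # "" is the core API group
    namespace: str = ""   # "" means the request is cluster-scoped


def _matches(allowed, value):
    """A rule list matches if it contains the value or the "*" wildcard."""
    return "*" in allowed or value in allowed


def rule_allows(rule, req):
    """A single rule must match the API group, the resource and the verb."""
    return (
        _matches(rule["apiGroups"], req.api_group)
        and _matches(rule["resources"], req.resource)
        and _matches(rule["verbs"], req.verb)
    )


def authorize(req, roles, bindings):
    """Return (allowed, reason). RBAC is allow-only: the answer is True as soon
    as any rule of any bound Role matches, otherwise the request is denied."""
    roles_by_key = {
        (r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles
    }
    for binding in bindings:
        ns = binding["metadata"]["namespace"]
        subjects = {(s["kind"], s["name"]) for s in binding["subjects"]}
        if ("User", req.user) not in subjects:
            continue
        # A RoleBinding only covers its own namespace, so a cluster-scoped
        # request (namespace == "") can never be satisfied by one.
        if req.namespace != ns:
            continue
        role = roles_by_key.get((ns, binding["roleRef"]["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        for rule in role["rules"]:
            if rule_allows(rule, req):
                return True, f"allowed by Role {ns}/{role['metadata']['name']}"
    scope = f'in namespace "{req.namespace}"' if req.namespace else "at the cluster scope"
    return False, (
        f'User "{req.user}" cannot {req.verb} resource "{req.resource}" '
        f'in API group "{req.api_group}" {scope}'
    )


if __name__ == "__main__":
    # Constructed requests mirroring the page: kubectl --context=project1
    # targets namespace project1, and "get pods" is a list on the pods resource.
    checks = [
        Request("demouser", "list", "pods", "", "project1"),
        Request("demouser", "create", "deployments", "apps", "project1"),
        Request("demouser", "list", "namespaces", "", ""),
        Request("demouser", "list", "pods", "", "default"),
    ]
    for req in checks:
        allowed, reason = authorize(req, [ROLE], [ROLE_BINDING])
        print(("ALLOW " if allowed else "DENY  ") + reason)
```

On a live cluster the same questions can be asked of the real authorizer with kubectl's built-in check, for example `kubectl auth can-i list pods --namespace project1 --as demouser` and `kubectl auth can-i list namespaces --as demouser`. Note also that the manifests on this page use apiVersion rbac.authorization.k8s.io/v1beta1; on current clusters the same manifests should use rbac.authorization.k8s.io/v1, which has the same schema.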

This is all about authorization in Kubernetes.
