Configure RBAC in Kubernetes Like a Boss

Emre Savcı
Apr 16, 2020 · 4 min read

In this post I will explain how to configure RBAC in kubernetes. We will configure RBAC both with kubectl and yaml definitions.

What is RBAC

In kubernetes there are several authorization mechanism like RBAC, ABAC.

With RBAC we can add constraints to access kubernetes resources. For example we can give permission to listing pods for specific namespace to a ServiceAccount and prevent it to delete any resource. We can do it for a specific namespace or cluster wide as well.

There are 3 important concept in RBAC.

  • Subject : Users, groups or service accounts.
  • Resources : Kubernetes API objects which we will operate on.
  • Verbs : The operations which we want to do with our resources.

Role and ClusterRole contains set of rules to access & modify kubernetes resources. Difference between them is Role works in particular namespace while ClusterRole is cluster wide which is obvious from it’s name.

If you need define permissions inside a namespace use Role, if you need that cluster wide use ClusterRole.

Creating Role via kubectl is simple like I showed you below:

kubectl create role my-custom-role --verb=list --resource=pods --namespace k8boss

We can also specify multiple verbs and resources as well:

kubectl create role my-custom-role --verb=list --verb=get --resource=pods --resource=services --namespace k8boss

If we want to make it via yaml:

kubectl apply -f role.yaml

If we did will not specify namespace in our role.yaml it will considered as default namespace.

ClusterRole is not much differs:

It is almost same with Role definition only without a namespace.

Service accounts are used by processes inside pods to interact with the Kubernetes API. If you write custom application to work with kubernetes you will probably need to create a custom ServiceAccount with some specialized roles assigned to it. For example when you deploy kubernetes dashboard you can give additional roles to kubernetes-dashboard service account or create a custom ServiceAccount with a cluster-admin role bindings.

Creating a ServiceAccount is so simple with kubectl:

kubectl create serviceaccount custom-sa -n k8boss

Or yaml:

After creating ServiceAccount lets show it’s yaml content:

kubectl get sa custom-sa -n k8boss -o yaml :

As you can see there is an additional field “secrets” which we did not specify while creating ServiceAccount. A secret has been created which related to our ServiceAccount by kubernetes.

Lets take a look our secret:

kubectl get secret custom-sa-token-jcq7h -n k8boss -o yaml :

We can see a token key value here. We can use these secret to access kubernetes-dashboard. But we need to decode it because kubernetes stores secret values in base64 encoded format. Simply we can describe secret and take the token value:

kubectl describe secret custom-sa -n k8boss :

Role bindings as indicates from names makes us bind roles to subjects (user or set of users or service accounts). Again the only difference is in usage, we use RoleBinding to bind Roles while ClusterRoleBinding to bind ClusterRoles. But as an addition we can use RoleBinding to bind a ClusterRole to a Role within a namespace.

Before creating role binding we can ask our service account’s capabilities with:

kubectl auth can-i list pods --as=system:serviceaccount:k8boss:custom-sa -n k8boss

You will see “no” as output of that command.

Lets create a role binding with kubectl:

kubectl create rolebinding my-custom-role-binding --role=my-custom-role --serviceaccount=k8boss:custom-sa --namespace k8boss

Equivalent yaml file:

ClusterRoleBinding is not much differs:

kubectl create clusterrolebinding my-custom-clusterrole-binding --clusterrole=my-custom-cluster-role --serviceaccount=k8boss:custom-sa

Now again lets ask our capabilities:

kubectl auth can-i list pods --as=system:serviceaccount:k8boss:custom-sa -n k8boss

Now you can see “yes” as an answer.

Last thing we will mention is Aggregated ClusterRoles. Sometimes we might want to combine several cluster role into one.

To do this we can use aggregationRule field of ClusterRole. We can select roles using label selectors. For example lets assume we have two ClusterRole one for listing pods one for listing services. So we need another ClusterRole to list pods and services. We can now use aggregationRule to combine our two ClusterRoles.

Trendyol Tech

Trendyol Tech Team