k8s/StudyNotes/RBAC
Check Access
kubectl auth can-i create deployments --as dev-user
kubectl auth can-i delete nodes --as dev-user --namespace=dev
RBAC is one of the authorizers the kube-apiserver can be configured with (via --authorization-mode); the others are Node, ABAC, Webhook, AlwaysAllow and AlwaysDeny.
e.g. a Role (namespaced; resource names are lowercase plural, so "configmaps" rather than "ConfigMap"):

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
rules:
- apiGroups: [""]          # "" is the core group (v1); other groups are named, e.g. "apps"
  resources: ["pods"]
  verbs: ["list", "get"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "get", "create", "update", "delete"]
  resourceNames: ["bluepod", "orangepod"]   # <- limit this rule to specific pods
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
A RoleBinding binds a subject (User, Group or ServiceAccount) to a Role in the same namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devuser-developer-binding
subjects:
- kind: User
  name: dev-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
View with:

kubectl get roles
kubectl get rolebindings
kubectl describe role developer
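Added example (not from these notes or from Kubernetes itself): a small model of how the RBAC authorizer matches a request against the "developer" Role's rules, mirroring what `kubectl auth can-i` answers. The rules are embedded as Python dicts (copied from the Role above) so it runs offline; the request attributes (verb, group, resource, name) are my assumption of the relevant fields.

```python
# Added example: minimal RBAC rule matching, modelled on the "developer" Role.
# Rules are embedded as dicts instead of YAML so no PyYAML is needed.
DEVELOPER_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "get"]},
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["list", "get", "create", "update", "delete"],
     "resourceNames": ["bluepod", "orangepod"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["create"]},
]


def _matches(allowed, value):
    # "*" in a rule field is a wildcard; otherwise an exact string match.
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, resource, group="", name=""):
    """True if one PolicyRule grants `verb` on group/resource (optionally a named object)."""
    if not _matches(rule["apiGroups"], group):
        return False
    if not _matches(rule["resources"], resource):
        return False
    if not _matches(rule["verbs"], verb):
        return False
    names = rule.get("resourceNames", [])
    # No resourceNames means "any object"; a non-empty list only matches a
    # request that names one of the listed objects. A list request carries
    # no object name, so it can only be granted by the first, unrestricted rule.
    return not names or name in names


def can_i(rules, verb, resource, group="", name=""):
    """Like `kubectl auth can-i`: RBAC is allow-only, so any matching rule grants."""
    return any(rule_allows(r, verb, resource, group, name) for r in rules)


if __name__ == "__main__":
    checks = [("list", "pods", "", ""), ("delete", "pods", "", "bluepod"),
              ("delete", "pods", "", "redpod"), ("create", "configmaps", "", ""),
              ("create", "deployments", "apps", "")]
    for verb, res, grp, name in checks:
        ok = can_i(DEVELOPER_RULES, verb, res, grp, name)
        print(f"{verb} {grp or 'core'}/{res} {name or '-'} -> {'yes' if ok else 'no'}")
```

Note that "create deployments" is denied because the Role only covers the core group (""), not "apps"; a real deny also comes from no rule matching, never from an explicit deny rule.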