# Lab: Kubernetes RBAC
Implement Role-Based Access Control for cluster security.
## 🎯 Objectives
- Create Roles and ClusterRoles
- Bind roles to users and service accounts
- Test access permissions
## Prerequisites
- Kubernetes cluster
- kubectl configured
## ⏱️ Duration: 30 minutes
## Task 1: Understand RBAC Components (5 min)
```text
RBAC Components:
├── Role (namespace-scoped permissions)
├── ClusterRole (cluster-wide permissions)
├── RoleBinding (binds a Role to subjects)
└── ClusterRoleBinding (binds a ClusterRole to subjects)

Subjects:
├── User
├── Group
└── ServiceAccount
```
## Task 2: Create Namespace and Service Account (5 min)
bash
# Namespace that scopes the whole lab. Roles and RoleBindings are
# namespaced objects, so they live and die with this namespace.
kubectl create ns dev

# Identity we will grant permissions to. A fresh ServiceAccount has no
# permissions at all until a RoleBinding references it.
kubectl -n dev create sa developer

# Verify the account exists
kubectl get serviceaccounts -n dev

## Task 3: Create Role (10 min)
bash
# Role: read-only view of pods (including their logs) and services in "dev".
# "pods/log" is a subresource; granting it exposes whatever applications
# write to stdout/stderr, so keep it out of roles that do not need it.
kubectl apply -f - <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: dev
rules:
  # The core API group ("") holds pods and services.
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list"]
EOF

# Role: full lifecycle control of deployments plus read access to the pods
# they create. Note that create/update on deployments lets the holder run
# any image under any ServiceAccount in "dev", so this role is effectively
# as powerful as every ServiceAccount in the namespace; grant it deliberately.
kubectl apply -f - <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployment-manager
  namespace: dev
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
EOF

# View created roles
kubectl get roles -n dev

## Task 4: Create RoleBinding (5 min)
bash
# Grant the pod-reader Role to the developer ServiceAccount. A RoleBinding is
# namespaced, so this confers nothing outside "dev". roleRef is immutable:
# to point the binding at a different Role, delete and recreate it.
kubectl apply -f - <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: dev
subjects:
  - kind: ServiceAccount
    name: developer
    namespace: dev   # ServiceAccount subjects must carry their namespace
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF

# Verify binding
kubectl -n dev get rolebindings
kubectl describe rolebinding read-pods -n dev

## Task 5: Test Permissions (5 min)
bash
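# Create a pod so that "get"/"list" have something to return
kubectl run test-pod --image=nginx -n dev

# Identity under test. --as impersonation only works when YOUR kubectl
# identity holds the "impersonate" verb on serviceaccounts (true for
# cluster-admin, the usual lab setup).
SA='system:serviceaccount:dev:developer'

#######################################
# Check one permission and compare the answer with what the lab expects,
# so a deviation is reported instead of silently scrolling past as yes/no.
# Globals:   SA (read)
# Arguments: $1 - expected answer ("yes" or "no")
#            $2 - verb, $3 - resource, $4 - namespace
# Outputs:   PASS line to stdout, FAIL line to stderr
# Returns:   0 when the answer matches, 1 otherwise
#######################################
expect_access() {
  local expected=$1 verb=$2 resource=$3 ns=$4
  local answer
  # can-i exits non-zero on "no", so read its text instead of its status
  answer=$(kubectl auth can-i "$verb" "$resource" -n "$ns" --as="$SA") || true
  if [[ "$answer" == "$expected" ]]; then
    printf 'PASS: %s %s in %s -> %s\n' "$verb" "$resource" "$ns" "$answer"
  else
    printf 'FAIL: %s %s in %s -> %s (expected %s)\n' \
      "$verb" "$resource" "$ns" "$answer" "$expected" >&2
    return 1
  fi
}

# Everything the account may do in dev; should be only the pod-reader rules
kubectl auth can-i --list -n dev --as="$SA"

# Test as service account - should work
expect_access yes get pods dev
expect_access yes list pods dev

# These should fail (not permitted)
expect_access no create pods dev
expect_access no delete pods dev

# Cannot access other namespaces (the RoleBinding is scoped to dev)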
kubectl auth can-i get pods -n default --as=system:serviceaccount:dev:developer

## Success Criteria
- Role created with read permissions
- RoleBinding attached to service account
- `can-i` shows correct permissions
- Denied actions properly blocked
## 🧹 Cleanup
bash
# Deleting the namespace also removes the ServiceAccount, Roles,
# RoleBindings and the test pod created inside it
kubectl delete ns dev