# RESTRICT A LINUX USER TO SPECIFIC KUBERNETES NAMESPACE

BEST PRACTICES AND GUIDELINE

## INTRODUCTION

This document explains how to restrict a Linux user to a specific **Kubernetes** namespace with Role-based access control (RBAC). Kubernetes RBAC uses the Role and RoleBinding resources to limit a user or a group to a specific namespace.

A Role always sets permissions within a particular namespace; when creating a Role, you have to specify the namespace it belongs in.

A RoleBinding binds users to a Role, thereby granting the permissions defined in the Role to a user or set of users. It holds a list of subjects (users, groups or service accounts) and a reference to the Role being granted. A RoleBinding grants permissions within a specific namespace.

## HOW TO SET UP

Below are the steps to implement RBAC policies in a cluster so that an authenticated user can access only a specific namespace.

### USER LOGIN

  • **Logging into the server**

SSH into your server as the root user:

```shell
$ ssh root@72.68.50.141
```

  • **User creation**

Use the useradd command to add a new user to your system:

```shell
# -m creates the home directory, -s sets the login shell
$ useradd -s /bin/bash -m john
```

### NAMESPACE CREATION

  • Create the namespace (if you haven't done so already):

```shell
# Namespace names must be valid DNS labels (lowercase letters, digits and "-").
# The original "test_namespace" is rejected by the API server because of the
# underscore, so a hyphenated name is used here and in the manifests below.
$ kubectl create namespace test-namespace
```

### CERTIFICATE MANAGEMENT

  • Create TLS certificates for the user

The following commands create a private key and a CSR. It is very important to set the CN attribute of the CSR: with X.509 client certificates the API server takes the username from the certificate's CN (and group memberships from its O fields), so the CN must match the user named in the RoleBinding later on.

```shell
$ openssl genrsa -out john.key 2048
$ openssl req -new -key john.key -out john.csr -subj "/CN=john"
```

Note: if openssl fails with `Can't load ./.rnd into RNG 10504:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto\rand\randfile.c:98:Filename=./.rnd`, try removing or commenting out the `RANDFILE = $ENV::HOME/.rnd` line in /etc/ssl/openssl.cnf.

  • Create a CertificateSigningRequest object for the user. The `request` field must hold the base64-encoded CSR on a single line, so the manifest is written with a heredoc that fills it in from john.csr:

```shell
$ cat <<EOF > john-csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: john-csr
spec:
  groups:
  - system:authenticated
  request: $(cat john.csr | base64 | tr -d "\n")
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
$ kubectl apply -f john-csr.yaml
```

Note: if you prefer to write the file with `vi john-csr.yaml`, paste the output of `cat john.csr | base64 | tr -d "\n"` into the `request` field by hand.

  • **Approve the certificate signing request**

Approval requires admin rights on the cluster (root's kubeconfig here); the API server then issues the certificate and stores it in the CSR object's status:

```shell
$ kubectl certificate approve john-csr
```

  • Create a Kubernetes configuration file for the new user. The heredoc below fills in the cluster CA, the server URL, the signed certificate and the private key from the admin kubeconfig and the files created above (`jq` must be installed):

```shell
$ cat <<EOF > john.conf
apiVersion: v1
kind: Config
clusters:
- name: test_cluster
  cluster:
    certificate-authority-data: $(kubectl config view --raw --flatten -o json | jq -r '.clusters[0].cluster."certificate-authority-data"')
    server: $(kubectl config view --raw --flatten -o json | jq -r '.clusters[0].cluster.server')
contexts:
- name: john-context
  context:
    cluster: test_cluster
    namespace: test-namespace
    user: john
current-context: john-context
users:
- name: john
  user:
    client-certificate-data: $(kubectl get csr john-csr -o jsonpath='{.status.certificate}')
    client-key-data: $(cat john.key | base64 | tr -d '\n')
EOF
```

Note: if you write the file with `vi john.conf` instead, replace each `$( )` expression with its actual value. The cluster name can be found by running `kubectl config get-contexts`.

  • Create the directory .kube/ in the user's home directory:

```shell
$ su - john
$ mkdir -p ~/.kube
```

  • **Copy the above .conf to .kube/config**

```shell
# Run from the directory where john.conf was written; john must be able to read it.
$ cp -p john.conf ~/.kube/config
```

Note: the directory of the conf file that is created for the

  • Set permissions on the config file so that only john can read the private key it contains:

```shell
$ su - john   # if not already logged in as john
$ chmod 600 ~/.kube/config
```

  • **Create a Role manifest to set permissions for the user**

```shell
$ vi john-role.yaml
```

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-namespace
  name: full-access-role
rules:
# "" is the core API group (pods, services, configmaps, secrets, ...).
# The original manifest had resources: [""], which matches no resource at all
# and therefore grants nothing; "*" matches every resource in the listed groups.
# Add further groups (e.g. "apps", "batch") to cover Deployments and Jobs.
- apiGroups: [""]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

```shell
$ kubectl apply -f john-role.yaml
```

  • **Create a RoleBinding manifest to bind the permissions to the user**

```shell
$ vi john-RoleBinding.yaml
```

```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: full-access-binding
  namespace: test-namespace
subjects:
# The User name must equal the CN of john's client certificate.
- kind: User
  name: john
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: full-access-role
  apiGroup: rbac.authorization.k8s.io
```

```shell
$ kubectl apply -f john-RoleBinding.yaml
```
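As an added example that is not part of the original post, the following Python script models how the API server scopes the Role and RoleBinding created above: it decides whether a user may perform a verb on a resource in a given namespace. `ROLE`, `BINDING` and `can_i` are this example's own constructions (not a Kubernetes library API), and the manifests are embedded as Python dicts so the script runs offline; it shows that john's grant stops at the namespace boundary and that a core-group-only Role does not cover `apps` resources.

```python
# Added example, not code from the original post: a minimal evaluator for the
# namespace-scoped RBAC pattern above. ROLE and BINDING are constructed copies
# of this guide's manifests as Python dicts, so the script runs offline.
from typing import Any, Dict, List

ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "test-namespace", "name": "full-access-role"},
    "rules": [{"apiGroups": [""], "resources": ["*"],
               "verbs": ["get", "list", "watch", "create",
                         "update", "patch", "delete"]}],
}
BINDING = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "test-namespace", "name": "full-access-binding"},
    "subjects": [{"kind": "User", "name": "john",
                  "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "full-access-role",
                "apiGroup": "rbac.authorization.k8s.io"},
}

def _match(allowed: List[str], value: str) -> bool:
    # A rule field matches when it lists the value itself or the "*" wildcard.
    return "*" in allowed or value in allowed

def can_i(user: str, verb: str, resource: str, namespace: str,
          roles: List[Dict[str, Any]], bindings: List[Dict[str, Any]],
          api_group: str = "") -> bool:
    """True if a RoleBinding in `namespace` grants `user` `verb` on `resource`.
    Mirrors the server's scoping: Role and RoleBinding live in one namespace,
    so a grant in test-namespace says nothing about any other namespace."""
    by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r
              for r in roles if r["kind"] == "Role"}
    for b in bindings:
        if b["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding never applies outside its own namespace
        if not any(s["kind"] == "User" and s["name"] == user
                   for s in b["subjects"]):
            continue  # this binding does not name the user as a subject
        role = by_key.get((namespace, b["roleRef"]["name"]))
        if role is None:
            continue  # dangling roleRef (or a ClusterRole, not modelled here)
        for rule in role["rules"]:
            if (_match(rule["apiGroups"], api_group)
                    and _match(rule["resources"], resource)
                    and _match(rule["verbs"], verb)):
                return True
    return False
```

On a live cluster the equivalent check is `kubectl auth can-i list pods --as=john --namespace test-namespace`, run with an admin kubeconfig.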

## CONCLUSION

With Kubernetes RBAC we can restrict a user or a group to a specific namespace with a defined set of permissions in a cluster. This improves the security of the Kubernetes infrastructure.