Restrict a Linux User to Specific Kubernetes Namespace

eCloudControl Engineering Team, 4 min read

BEST PRACTICES AND GUIDELINES

INTRODUCTION

This document explains how to restrict a Linux user to a specific Kubernetes namespace with Role-based access control (RBAC). Kubernetes RBAC uses the Role and RoleBinding resources to limit a user or a group to a single namespace.

A Role always sets permissions within a particular namespace; when creating a Role you have to specify the namespace it belongs to. (Permissions that span the whole cluster use a ClusterRole instead.)

A RoleBinding binds subjects to a Role, granting the permissions defined in that Role to a user or set of users. It holds a list of subjects (users, groups or service accounts) and a reference to the role being granted. A RoleBinding grants permissions only within its own namespace, even when it references a ClusterRole.

HOW TO SET IT UP

Below are the steps to implement RBAC policies in a cluster so that an authenticated user can access only a specific namespace.

USER LOGIN

  • Logging Into the Server

SSH into your server as the root user:

$ ssh root@72.68.50.141

  • User Creation

Use the useradd command to add a new user to your system:

$ useradd -s /bin/bash -m john

NAMESPACE CREATION

  • Namespace creation (if you haven't done so already):

$ kubectl create namespace test-namespace

Note: namespace names must be valid DNS-1123 labels (lowercase letters, digits and hyphens only, starting and ending with a letter or digit), so a name such as test_namespace is rejected by the API server. The same name is used in the context, Role and RoleBinding below.

CERTIFICATE MANAGEMENT

  • Create TLS Certificates for the User

The following commands create a private key and a certificate signing request (CSR). It is very important to set the CN attribute of the CSR: the Kubernetes API server takes the username from the certificate's Common Name (CN), and any Organization (O) fields become the user's groups. The CN must therefore match the name used in the RoleBinding later.

$ openssl genrsa -out john.key 2048
$ openssl req -new -key john.key -out john.csr -subj "/CN=john"

Note: if openssl fails with "Can't load ./.rnd into RNG 10504:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto\rand\randfile.c:98:Filename=./.rnd", try removing or commenting out the RANDFILE = $ENV::HOME/.rnd line in /etc/ssl/openssl.cnf.

  • Create a Kubernetes CertificateSigningRequest object for the user

$ vi john-csr.yaml

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: john-csr
spec:
  groups:
  - system:authenticated
  request: $(cat john.csr | base64 | tr -d "\n")
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - client auth

Note: the request field must contain the actual single-line base64 string, so replace the $( ... ) placeholder with the output of:

$ cat john.csr | base64 | tr -d "\n"

$ kubectl apply -f john-csr.yaml

Note: Kubernetes has no certificate revocation, so a leaked john.key stays usable until the certificate expires. Consider adding spec.expirationSeconds to the CSR to request a lifetime shorter than the signer's default, and plan to re-issue the certificate when it expires.

  • Approve the CSR so the cluster CA signs the certificate

$ kubectl certificate approve john-csr

  • Create a Kubernetes configuration file for the new user

$ vi john.conf

apiVersion: v1
kind: Config
clusters:
- name: test_cluster
  cluster:
    certificate-authority-data: $(kubectl config view --raw --flatten -o json | jq -r '.clusters[0].cluster."certificate-authority-data"')
    server: $(kubectl config view --raw --flatten -o json | jq -r '.clusters[0].cluster.server')
contexts:
- name: john-context
  context:
    cluster: test_cluster
    namespace: test-namespace
    user: john
current-context: john-context
users:
- name: john
  user:
    client-certificate-data: $(kubectl get csr john-csr -o jsonpath='{.status.certificate}')
    client-key-data: $(cat john.key | base64 | tr -d '\n')

Note: replace each $( ... ) placeholder with the value the command prints on the admin machine (the three certificate values are single-line base64 strings and the server value is a URL; paste them verbatim). The .clusters[0] selectors pick the first cluster in your admin kubeconfig; run 'kubectl config get-contexts' to confirm it is the cluster you intend and adjust the index if not. The names test_cluster and john-context are labels local to this file and do not have to match the admin kubeconfig. Because client-key-data embeds john's private key, treat this file as a secret.

  • Create the directory .kube/ in the user's home directory

$ su - john
$ mkdir ~/.kube/

  • Copy the above .conf to .kube/config

john.conf was written by root, so make sure john can read it (or copy it as root and chown the result to john) before switching user:

$ cp -p john.conf ~/.kube/config

Note:

the directory of conf file that is created for the

  • Set permissions on the config file

The file embeds john's private key, so it must be readable only by john:

$ chmod 600 ~/.kube/config
  • Create a Role manifest to set permissions for the user

$ vi john-role.yaml

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-namespace
  name: full-access-role
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

$ kubectl apply -f john-role.yaml

Note: this Role grants every listed verb on every resource in the namespace, including Secrets. It is still confined to test-namespace, but if the user needs less, narrow apiGroups and resources, or bind one of the built-in ClusterRoles (view, edit, admin) through a RoleBinding instead of writing a wildcard Role. A user who can create Pods can also request hostPath volumes or privileged containers, so pair the Role with an admission policy on the namespace (for example Pod Security Admission).

  • Create a RoleBinding manifest to bind the Role to the user

$ vi john-RoleBinding.yaml

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: full-access-binding
  namespace: test-namespace
subjects:
- kind: User
  name: john
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: full-access-role
  apiGroup: rbac.authorization.k8s.io

$ kubectl apply -f john-RoleBinding.yaml

The subject name must equal the CN of john's certificate. To confirm the binding from the admin side without john's credentials, use impersonation: 'kubectl auth can-i create pods --as=john -n test-namespace' should answer yes, and 'kubectl auth can-i list pods --as=john -n default' should answer no.
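The whole procedure above, as one script. This is an added example and not the article's own code. It assumes a Linux host where kubectl already reaches the cluster as cluster-admin, openssl is installed, and user home directories live under /home; the names john, test-namespace and test-cluster are defaults you can override through environment variables. It departs from the article in two places: it checks the namespace name before using it, and instead of the wildcard Role it binds the built-in "admin" ClusterRole through a RoleBinding, which still grants access only inside the namespace. It also passes expirationSeconds on the CSR (90 days here, an arbitrary choice) and verifies the resulting boundary with kubectl auth can-i --as. Nothing touches the cluster unless the script is run with "run" as its argument, so the manifest-building functions can be sourced and inspected on their own.

```shell
#!/usr/bin/env bash
# Added example (not the article's own code): the procedure above as one script.
# Assumes kubectl already reaches the cluster as cluster-admin, openssl is
# installed, and user homes live under /home. Binds the built-in "admin"
# ClusterRole via a RoleBinding instead of the article's wildcard Role.
# The cluster is only touched when the script is run with "run" as its argument.
set -eu

USER_NAME="${USER_NAME:-john}"
NAMESPACE="${NAMESPACE:-test-namespace}"
CLUSTER_NAME="${CLUSTER_NAME:-test-cluster}"
WORKDIR="${WORKDIR:-/root/k8s-user-${USER_NAME}}"

# Namespace names are DNS-1123 labels (lowercase letters, digits, '-', 1-63 chars,
# alphanumeric at both ends); "test_namespace" is rejected by the API server.
ns_name_valid() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# CSR manifest; the CN inside the CSR becomes the Kubernetes username, and
# expirationSeconds (default 90 days here) is a request the signer may shorten.
csr_manifest() {
  local user="$1" request_b64="$2" expiry="${3:-7776000}"
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${user}-csr
spec:
  request: ${request_b64}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: ${expiry}
  usages: ["digital signature", "key encipherment", "client auth"]
EOF
}

# RoleBinding to the built-in "admin" ClusterRole: full control of namespaced
# resources in this one namespace, nothing cluster-scoped.
rbac_manifest() {
  local user="$1" ns="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${user}-namespace-admin
  namespace: ${ns}
subjects:
- kind: User
  name: ${user}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Impersonation checks the RBAC boundary without the user's key; can-i exits 1 on "no".
verify_access() {
  local user="$1" ns="$2"
  kubectl auth can-i create pods --as="$user" -n "$ns"     # expected: yes
  ! kubectl auth can-i list pods --as="$user" -n default   # expected: no
  ! kubectl auth can-i list namespaces --as="$user"        # expected: no
}

setup_user() {
  ns_name_valid "$NAMESPACE" || { echo "invalid namespace name: $NAMESPACE" >&2; return 1; }
  mkdir -p "$WORKDIR" && cd "$WORKDIR"
  kubectl get namespace "$NAMESPACE" >/dev/null 2>&1 || kubectl create namespace "$NAMESPACE"
  # 1. Private key and CSR; the key never leaves this host.
  openssl genrsa -out "${USER_NAME}.key" 2048
  openssl req -new -key "${USER_NAME}.key" -subj "/CN=${USER_NAME}" -out "${USER_NAME}.csr"
  # 2. Submit and approve the CSR, then wait for the signed certificate.
  csr_manifest "$USER_NAME" "$(base64 < "${USER_NAME}.csr" | tr -d '\n')" | kubectl apply -f -
  kubectl certificate approve "${USER_NAME}-csr"
  for i in 1 2 3 4 5 6 7 8 9 10; do
    cert="$(kubectl get csr "${USER_NAME}-csr" -o jsonpath='{.status.certificate}')"; [ -n "$cert" ] && break; sleep 1
  done
  [ -n "$cert" ] || { echo "certificate was not issued" >&2; return 1; }
  printf '%s' "$cert" | base64 -d > "${USER_NAME}.crt"
  # 3. Build the kubeconfig with kubectl instead of hand-pasting base64 blobs.
  local conf="${USER_NAME}.conf" server
  kubectl config view --minify --raw --flatten -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 -d > ca.crt
  server="$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')"
  KUBECONFIG="$conf" kubectl config set-cluster "$CLUSTER_NAME" --server="$server" --certificate-authority=ca.crt --embed-certs=true
  KUBECONFIG="$conf" kubectl config set-credentials "$USER_NAME" --client-certificate="${USER_NAME}.crt" --client-key="${USER_NAME}.key" --embed-certs=true
  KUBECONFIG="$conf" kubectl config set-context "${USER_NAME}-context" --cluster="$CLUSTER_NAME" --namespace="$NAMESPACE" --user="$USER_NAME"
  KUBECONFIG="$conf" kubectl config use-context "${USER_NAME}-context"
  # 4. Install it for the Linux user, owner-only, then drop root's copies of the key.
  id "$USER_NAME" >/dev/null 2>&1 || useradd -s /bin/bash -m "$USER_NAME"
  install -d -m 700 "/home/${USER_NAME}/.kube"
  install -m 600 "$conf" "/home/${USER_NAME}/.kube/config"
  chown -R "${USER_NAME}:" "/home/${USER_NAME}/.kube"
  rm -f "${USER_NAME}.key" "$conf"
  # 5. Bind the namespace-scoped admin role and check the boundary.
  rbac_manifest "$USER_NAME" "$NAMESPACE" | kubectl apply -f -
  verify_access "$USER_NAME" "$NAMESPACE"
}

if [ "${1:-}" = "run" ]; then setup_user; fi
```

Run it as root with `bash setup-ns-user.sh run` (the filename is arbitrary); the last step prints yes/no/no, and a non-zero exit there means the binding does not do what you expect. Building the kubeconfig with kubectl config set-* avoids the copy-and-paste of base64 values that the manual john.conf requires, and the private key is embedded only in the file that ends up under the user's home with mode 600.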

CONCLUSION

With Kubernetes RBAC we can confine a user or a group to a specific namespace with a defined set of permissions. Combined with a kubeconfig that only that Linux user can read, this limits both the credentials and the blast radius of the account to one namespace. Keep in mind that RBAC only decides which API requests the server accepts; what a Pod created in that namespace may do on the node is governed by admission policies, not by the RoleBinding.