BEST PRACTICES AND GUIDELINES
INTRODUCTION
This document explains how to restrict a Linux user to a specific Kubernetes namespace with role-based access control (RBAC). Kubernetes RBAC uses the Role and RoleBinding resources to limit a user or a group to a specific namespace.
A Role always sets permissions within a particular namespace; when creating a Role, you must specify the namespace it belongs in.
A RoleBinding binds subjects to a Role, granting the permissions defined in the Role to those subjects. It holds a list of subjects (users, groups or service accounts) and a reference to the Role being granted. A RoleBinding grants permissions only within its own namespace, even if it references a ClusterRole.
HOW TO SET UP?
Below are the steps to implement RBAC policies in a cluster so that an authenticated user can access only a specific namespace.
USER LOGIN
- Logging into the server: SSH into the server as the root user.
- User creation: use the useradd command to add a new user to the system.
NAMESPACE CREATION
- Namespace creation (if you haven't done so already).
CERTIFICATE MANAGEMENT
- Create TLS certificates for the user.
The following commands show how to create a private key and a CSR. It is very important to set the CN attribute of the CSR: the API server takes the username from the certificate's CN and the user's groups from its O (organization) fields.
Note: if openssl fails with "Can't load ./.rnd into RNG 10504:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto\rand\randfile.c:98:Filename=./.rnd", try removing or commenting out the RANDFILE = $ENV::HOME/.rnd line in /etc/ssl/openssl.cnf.
- Create a Kubernetes CertificateSigningRequest object for the user:
$ vi john-csr.yaml
Note: the request field must hold the base64-encoded CSR on a single line; paste the output of
$ cat john.csr | base64 | tr -d "\n"
$ kubectl apply -f john-csr.yaml
- Approve the CSR and save the signed certificate from its status; the kubeconfig created in the next step needs it.
- Create a kubeconfig file for the new user:
$ vi john.conf
Note: replace each "$( )" placeholder with its actual value. The cluster name can be found by running 'kubectl config get-contexts'.
- Create the directory .kube/ in the user's home directory.
- Copy the <user_name>.conf file created above to .kube/config (<DIR> is the directory where the <user_name>.conf file was created).
- Set permissions on the config file so that only the user can read it; the file contains the user's private key.
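The certificate and kubeconfig steps above as one script, added here as an example (these are not the page's own commands). The user name john, group developers, namespace dev and a cluster reachable through the admin's current kubeconfig are assumed placeholders. The render_* functions only print manifests, so they can be inspected before anything is applied to the cluster:

```shell
#!/usr/bin/env bash
# Added example (not the page's own commands): issue a client certificate for a Linux
# user through the Kubernetes CSR API and assemble a kubeconfig scoped to one namespace.
# Assumed placeholders: user "john", group "developers", namespace "dev", and an admin
# kubeconfig whose current context points at the cluster and embeds the CA data.
set -eu

# Render the CertificateSigningRequest manifest. The API server takes the username from
# the CSR's CN and the groups from its O fields, so the subject must be right before
# signing. expirationSeconds (assumed policy: 24h) keeps the credential short-lived.
render_csr_manifest() {
    local name="$1" csr_b64="$2"
    cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${name}
spec:
  request: ${csr_b64}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400
  usages:
  - client auth
EOF
}

# Render a kubeconfig that embeds the CA, signed cert and key as base64 data, so the
# single file is self-contained and its default namespace is the one the user may use.
render_kubeconfig() {
    local user="$1" ns="$2" cluster="$3" server="$4" ca_b64="$5" crt_b64="$6" key_b64="$7"
    cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${cluster}
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
users:
- name: ${user}
  user:
    client-certificate-data: ${crt_b64}
    client-key-data: ${key_b64}
contexts:
- name: ${user}@${cluster}
  context:
    cluster: ${cluster}
    user: ${user}
    namespace: ${ns}
current-context: ${user}@${cluster}
EOF
}

# Single-line base64 of a file (the page's tr -d trick; avoids the GNU-only -w0 flag).
b64() { base64 < "$1" | tr -d '\n'; }

# End-to-end issuance. Needs openssl, kubectl with rights to approve CSRs, and a Linux
# account named after the user already created with useradd.
issue_user_cert() {
    local user="$1" group="$2" ns="$3"
    local workdir cluster server ca_b64
    workdir="$(mktemp -d)"
    cd "$workdir"
    openssl genrsa -out "${user}.key" 2048
    openssl req -new -key "${user}.key" -out "${user}.csr" -subj "/CN=${user}/O=${group}"
    render_csr_manifest "$user" "$(b64 "${user}.csr")" > "${user}-csr.yaml"
    kubectl apply -f "${user}-csr.yaml"
    kubectl certificate approve "$user"
    # The controller signs shortly after approval; wait until .status.certificate is set.
    until kubectl get csr "$user" -o jsonpath='{.status.certificate}' | grep -q .; do sleep 1; done
    kubectl get csr "$user" -o jsonpath='{.status.certificate}' | base64 -d > "${user}.crt"
    cluster="$(kubectl config view --minify -o jsonpath='{.clusters[0].name}')"
    server="$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')"
    ca_b64="$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')"
    render_kubeconfig "$user" "$ns" "$cluster" "$server" "$ca_b64" \
        "$(b64 "${user}.crt")" "$(b64 "${user}.key")" > "${user}.conf"
    # Install as ~/.kube/config readable only by the user: the file holds a private key.
    install -d -m 700 -o "$user" -g "$user" "/home/${user}/.kube"
    install -m 600 -o "$user" -g "$user" "${user}.conf" "/home/${user}/.kube/config"
    rm -f "${user}.key"    # the only remaining copy is inside the user's kubeconfig
}

# Run the real procedure only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "issue" ]; then
    issue_user_cert "${2:-john}" "${3:-developers}" "${4:-dev}"
fi
```

Run it as root with `./issue-user.sh issue john developers dev`. Embedding the CA, certificate and key as *-data fields rather than file paths means the kubeconfig does not break when copied between directories, and chmod 600 on the copy is what actually keeps the key private; the group (O) in the certificate is what lets a later RoleBinding target a Group subject instead of listing every user.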
- Create a Role manifest defining the permissions granted to the user:
$ vi john-role.yaml
$ kubectl apply -f john-role.yaml
- Create a RoleBinding manifest binding the Role to the user:
$ vi john-RoleBinding.yaml
$ kubectl apply -f john-RoleBinding.yaml
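The Role and RoleBinding steps above, with the checks a practitioner would run afterwards, as an added example (not the page's own manifests). The user john, group developers, namespace dev and a second namespace prod that john must not reach are assumed placeholders; the resource and verb lists are an illustrative least-privilege choice, not something the page prescribes:

```shell
#!/usr/bin/env bash
# Added example (not from the page): render a least-privilege Role and RoleBinding for
# one namespace, lint them for over-broad grants, and verify the binding with
# kubectl auth can-i --as. Assumed placeholders: user "john", group "developers",
# namespace "dev", and a namespace "prod" the user must not be able to reach.
set -eu

# Role: namespaced, with concrete resources and verbs. No "*" and no read on secrets:
# "get secrets" would hand the user every secret value in the namespace.
render_role() {
    local ns="$1" name="$2"
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: ${ns}
  name: ${name}
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log", "services", "configmaps"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
EOF
}

# RoleBinding: subjects are the CN (User) and O (Group) from the client certificate.
# The binding lives in the namespace, so the grant cannot reach other namespaces even
# if roleRef were later pointed at a ClusterRole.
render_rolebinding() {
    local ns="$1" name="$2" role="$3" user="$4" group="$5"
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: ${ns}
  name: ${name}
subjects:
- kind: User
  name: ${user}
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: ${group}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ${role}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Lint (stdin): succeed if a manifest uses a quoted "*" in a flow-style list (the style
# rendered above) or binds to the built-in cluster-admin ClusterRole.
has_overbroad_grant() {
    grep -Eq "[\"']\\*[\"']|name: cluster-admin"
}

# Ask the API server, impersonating the user, and compare with the expected yes/no.
# kubectl auth can-i exits 1 when the answer is "no", hence the || true.
expect_can_i() {
    local want="$1"; shift
    local got
    got="$(kubectl auth can-i "$@" 2>/dev/null || true)"
    if [ "$got" != "$want" ]; then
        echo "FAIL: kubectl auth can-i $* -> '${got}' (want ${want})" >&2
        return 1
    fi
    echo "ok:   kubectl auth can-i $* -> ${got}"
}

apply_and_verify() {
    local ns="$1" user="$2" group="$3" other_ns="$4"
    render_role "$ns" "${user}-role" | has_overbroad_grant && { echo "role too broad" >&2; return 1; }
    render_role "$ns" "${user}-role" | kubectl apply -f -
    render_rolebinding "$ns" "${user}-rolebinding" "${user}-role" "$user" "$group" | kubectl apply -f -
    # Positive checks: what the Role grants inside the namespace.
    expect_can_i yes get pods -n "$ns" --as="$user"
    expect_can_i yes create deployments -n "$ns" --as="$user"
    # Negative checks: nothing outside the namespace, nothing cluster-scoped,
    # no secrets, and no ability to widen its own permissions.
    expect_can_i no get secrets -n "$ns" --as="$user"
    expect_can_i no get pods -n "$other_ns" --as="$user"
    expect_can_i no list nodes --as="$user"
    expect_can_i no create rolebindings -n "$ns" --as="$user"
}

if [ "${1:-}" = "verify" ]; then
    apply_and_verify "${2:-dev}" "${3:-john}" "${4:-developers}" "${5:-prod}"
fi
```

Run it as a cluster admin with `./rbac-verify.sh verify dev john developers prod`. The negative checks matter as much as the positive ones: a Role that reads pods in dev says nothing about what a ClusterRoleBinding elsewhere may grant the same User or Group, and `kubectl auth can-i --as` evaluates the union of all bindings exactly as the API server will.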
CONCLUSION
With Kubernetes RBAC, a user or a group can be restricted to a specific namespace with a defined set of permissions. This improves the security of the Kubernetes infrastructure.