BEST PRACTICES AND GUIDELINE

INTRODUCTION

This document explains how to restrict a Linux user to a specific Kubernetes namespace with Role-based access control (RBAC). Kubernetes RBAC relies on resources such as Role and RoleBinding to limit a user or a group to a specific namespace.

A Role always sets permissions within a particular namespace; when creating a Role, we have to specify the namespace it belongs in.

A RoleBinding binds users to a Role, thereby granting the permissions defined in the Role to a user or set of users. It holds a list of subjects (users, groups or service accounts) and a reference to the role being granted. A RoleBinding grants permissions within a specific namespace.

HOW TO SET UP?

Below are the steps to implement RBAC policies in a cluster for an authenticated user to access only a specific namespace.

USER LOGIN

  • Logging Into the Server
    SSH into your server as the root user:
  • User Creation
    Use the useradd command to add a new user to your system:

NAMESPACE CREATION

  • Namespace creation (if you haven’t done so already):


CERTIFICATE MANAGEMENT

  • Create TLS Certificates for the User

    The following commands show how to create a private key and a CSR. It is very important to set the CN attribute of the CSR, because Kubernetes takes the username from the certificate's CN (and group membership from its O attribute).


Note: if OpenSSL fails with the error below, try removing or commenting out the RANDFILE = $ENV::HOME/.rnd line in /etc/ssl/openssl.cnf:

Can't load ./.rnd into RNG 10504:error:2406F079:random number generator:RAND_load_file:Cannotopen file:crypto\rand\randfile.c:98:Filename=./.rnd

  • Create a certificate signing request (CSR) for the user with the below manifest:

    $ vi john-csr.yaml


Note: paste the output of the command below (the base64-encoded CSR on a single line) as the value of the request field in the manifest:

$ cat john.csr | base64 | tr -d "\n"

$ kubectl apply -f john-csr.yaml

  • Create a certificate signing request (CSR) for the user with the below
  • Create a Kubernetes configuration file for the new user:

    $ vi john.conf


Note: replace each $( ... ) expression with its actual value; cluster_name can be found by running the command 'kubectl config get-contexts'.
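The CSR and kubeconfig steps above can be scripted so that the manifests are produced as text and inspected before anything is applied. The following is an added example, not the guide's own code: it assumes a user "john" in the group "developers", a namespace "dev-ns" and the kubeadm default CA path /etc/kubernetes/pki/ca.crt (all constructed values), and it reads the cluster name and API server URL from the admin's current kubeconfig. The approve-and-fetch helper is the step this guide implies between applying the CSR and writing john.conf: a cluster admin approves the CSR and pulls the signed certificate out of its status.

```shell
#!/bin/sh
# Added example, not from the original guide. Renders the CertificateSigningRequest
# object and the per-user kubeconfig as text so they can be reviewed before use.
# Assumed (constructed) names: user john, group developers, namespace dev-ns.

# CN becomes the Kubernetes username and O the group; both are set via -subj.
gen_key_and_csr() {  # usage: gen_key_and_csr <user> <group>
  openssl genrsa -out "$1.key" 2048
  openssl req -new -key "$1.key" -out "$1.csr" -subj "/CN=$1/O=$2"
}

# The request field must be the base64 of the PEM CSR with newlines stripped.
render_csr_manifest() {  # usage: render_csr_manifest <user> <csr_file>
  name=$1
  b64=$(base64 < "$2" | tr -d '\n')
  printf '%s\n' \
    "apiVersion: certificates.k8s.io/v1" \
    "kind: CertificateSigningRequest" \
    "metadata:" \
    "  name: $name" \
    "spec:" \
    "  request: $b64" \
    "  signerName: kubernetes.io/kube-apiserver-client" \
    "  expirationSeconds: 86400  # assumption: one-day certificate lifetime" \
    "  usages:" \
    "  - client auth"
}

# Needs cluster-admin rights: approve the CSR and extract the signed certificate.
approve_and_fetch_cert() {  # usage: approve_and_fetch_cert <user>
  kubectl certificate approve "$1"
  kubectl get csr "$1" -o jsonpath='{.status.certificate}' | base64 -d > "$1.crt"
}

# Kubeconfig with the CA, client cert and key embedded, and the context pinned
# to the user's namespace so plain kubectl commands land there by default.
render_kubeconfig() {  # usage: render_kubeconfig <user> <ns> <cluster> <server> <ca> <crt> <key>
  user=$1 ns=$2 cluster=$3 server=$4
  ca=$(base64 < "$5" | tr -d '\n')
  crt=$(base64 < "$6" | tr -d '\n')
  key=$(base64 < "$7" | tr -d '\n')
  printf '%s\n' \
    "apiVersion: v1" \
    "kind: Config" \
    "clusters:" \
    "- name: $cluster" \
    "  cluster:" \
    "    server: $server" \
    "    certificate-authority-data: $ca" \
    "users:" \
    "- name: $user" \
    "  user:" \
    "    client-certificate-data: $crt" \
    "    client-key-data: $key" \
    "contexts:" \
    "- name: $user@$cluster" \
    "  context:" \
    "    cluster: $cluster" \
    "    user: $user" \
    "    namespace: $ns" \
    "current-context: $user@$cluster"
}

# Only touch a real cluster when explicitly asked to.
if [ "${RUN_AGAINST_CLUSTER:-0}" = 1 ]; then
  gen_key_and_csr john developers
  render_csr_manifest john john.csr | kubectl apply -f -
  approve_and_fetch_cert john
  cluster=$(kubectl config view --minify -o jsonpath='{.clusters[0].name}')
  server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  ca_file=/etc/kubernetes/pki/ca.crt   # assumption: kubeadm default CA location
  render_kubeconfig john dev-ns "$cluster" "$server" "$ca_file" john.crt john.key > john.conf
fi
```

Run with RUN_AGAINST_CLUSTER=1 from an admin session to produce john.conf; without it, the functions can be called individually to preview the YAML. Embedding the certificate data keeps john.conf self-contained, which matters once it is copied into the user's ~/.kube/config and locked down with file permissions as described later in this guide.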

  • Create directory .kube/   in the user directory

  • Copy the above <user_name>.conf to .kube/config

Note: <DIR> is the directory of the .conf file that was created for <user_name>.

  • Set permissions for the config file

  • Create a Role manifest for setting permissions for the user
    $ vi john-role.yaml

$ kubectl apply -f john-role.yaml

  • Create a RoleBinding manifest for binding the permissions to the user
    $ vi john-RoleBinding.yaml

$ kubectl apply -f john-RoleBinding.yaml
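To show what the Role and RoleBinding steps produce, and how to confirm the user really is confined to one namespace, here is an added example that is not the guide's own manifests. The namespace "dev-ns", the role name "developer", the resource list and the verb list are all constructed assumptions; the guide does not state which permissions it grants. The verification helper uses kubectl's impersonation flag (--as) so an admin can test the grant without logging in as the user.

```shell
#!/bin/sh
# Added example, not from the original guide. Renders a namespace-scoped Role and a
# RoleBinding for a single user, and checks the resulting scope with kubectl auth can-i.
# Assumed (constructed) names: namespace dev-ns, role developer, user john.

# "a b c" -> "a", "b", "c"  (YAML flow-sequence items)
to_yaml_list() {
  out=""
  for item in $1; do
    out="${out:+$out, }\"$item\""
  done
  printf '%s' "$out"
}

# A Role is namespaced: metadata.namespace is mandatory and limits every rule to it.
render_role() {  # usage: render_role <namespace> <role_name> "<resources>" "<verbs>"
  ns=$1 role=$2 resources=$3 verbs=$4
  printf '%s\n' \
    "apiVersion: rbac.authorization.k8s.io/v1" \
    "kind: Role" \
    "metadata:" \
    "  namespace: $ns" \
    "  name: $role" \
    "rules:" \
    "- apiGroups: [\"\", \"apps\"]   # core group (pods etc.) and apps (deployments)" \
    "  resources: [$(to_yaml_list "$resources")]" \
    "  verbs: [$(to_yaml_list "$verbs")]"
}

# The RoleBinding lives in the same namespace; subjects.kind User matches the CN
# of the client certificate, so the name must equal the CN exactly.
render_rolebinding() {  # usage: render_rolebinding <namespace> <binding_name> <role_name> <user>
  printf '%s\n' \
    "apiVersion: rbac.authorization.k8s.io/v1" \
    "kind: RoleBinding" \
    "metadata:" \
    "  namespace: $1" \
    "  name: $2" \
    "roleRef:" \
    "  apiGroup: rbac.authorization.k8s.io" \
    "  kind: Role" \
    "  name: $3" \
    "subjects:" \
    "- apiGroup: rbac.authorization.k8s.io" \
    "  kind: User" \
    "  name: $4"
}

# Expected answers for a correctly scoped user: yes, no, no.
verify_scope() {  # usage: verify_scope <user> <namespace>
  kubectl auth can-i get pods --as "$1" -n "$2"
  kubectl auth can-i get pods --as "$1" -n kube-system
  kubectl auth can-i get pods --as "$1" --all-namespaces
}

if [ "${RUN_AGAINST_CLUSTER:-0}" = 1 ]; then
  render_role dev-ns developer "pods deployments" "get list watch" | kubectl apply -f -
  render_rolebinding dev-ns developer-binding developer john | kubectl apply -f -
  verify_scope john dev-ns
fi
```

The three can-i answers are the check worth keeping: if the second or third one prints "yes", a ClusterRoleBinding or a broader group binding is reaching the user, and the namespace restriction this guide sets out to build is not actually in effect.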

CONCLUSION

We can restrict a user or a group to a specific namespace with a set of permissions in a cluster with Kubernetes RBAC. This increases security in Kubernetes infrastructure.