yiorgos

8-RBAC

Nov 15th, 2021
  • What is a context? Interview question
  • Pattern: A RoleBinding links a user or service account to a role
  • A RoleBinding grants permissions within a specific namespace whereas a ClusterRoleBinding grants that access cluster-wide.
  • kubectl api-resources
  • kubectl api-versions
  • kubectl create ns development
  • kubectl create ns production
  • openssl genrsa -out DevDan.key 2048
  • openssl req -new -key DevDan.key -out DevDan.csr -subj "/CN=DevDan/O=development"
  • sudo openssl x509 -req -in DevDan.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out DevDan.crt -days 45
  • kubectl config set-credentials DevDan --client-certificate=/home/ubuntu/DevDan.crt --client-key=/home/ubuntu/DevDan.key
  • kubectl config set-context DevDan-context --cluster=kubernetes --namespace=development --user=DevDan
  • less ~/.kube/config
  • kubectl --context=DevDan-context get pods
  • kubectl config get-contexts
  • role-dev.yaml # mind the indentation!
    
    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      namespace: development   # a Role is namespaced: it grants nothing outside this namespace
      name: developer
    rules:
    - apiGroups: ["", "extensions", "apps"]   # "" is the core group (pods); deployments/replicasets live in apps
      resources: ["deployments", "replicasets", "pods"]
      verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]
  • rolebind.yaml
    
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: developer-role-binding
      namespace: development   # the binding is namespaced too, so DevDan gets these rights only in development
    subjects:
    - kind: User
      name: DevDan             # must match the CN of the client certificate
      apiGroup: rbac.authorization.k8s.io   # an empty string is defaulted to this value for User subjects
    roleRef:
      kind: Role
      name: developer
      apiGroup: rbac.authorization.k8s.io   # an empty string is defaulted to this value as well
  • kubectl config use-context DevDan-context
  • kubectl get pod
  • create and delete a pod

Exercise

  • Make a new context such that Dan can view pods in production but not create them
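Added example, not part of these notes: a small Python model of how the API server answers `kubectl auth can-i` for the Role and RoleBinding above, with a hypothetical read-only `pod-viewer` role in production (the shape the exercise asks for). It assumes a deliberately simplified RBAC: Roles and RoleBindings with User subjects only, no ClusterRoles, Groups, resourceNames or nonResourceURLs.

```python
"""Toy model of how the API server evaluates the Role/RoleBinding above (added example).

Simplified on purpose: Roles and RoleBindings with User subjects only (no ClusterRoles,
Groups, resourceNames or nonResourceURLs); "*" is honoured as a wildcard.
"""

# Constructed to mirror role-dev.yaml / rolebind.yaml, plus a hypothetical read-only
# "pod-viewer" role in production (the shape the exercise asks for).
ROLES = {  # (namespace, role name) -> PolicyRules
    ("development", "developer"): [
        {"apiGroups": ["", "extensions", "apps"],
         "resources": ["deployments", "replicasets", "pods"],
         "verbs": ["list", "get", "watch", "create", "update", "patch", "delete"]},
    ],
    ("production", "pod-viewer"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    ],
}

ROLE_BINDINGS = [
    {"namespace": "development", "roleRef": "developer",
     "subjects": [{"kind": "User", "name": "DevDan"}]},
    {"namespace": "production", "roleRef": "pod-viewer",
     "subjects": [{"kind": "User", "name": "DevDan"}]},
]

def _matches(allowed, value):
    return "*" in allowed or value in allowed

def rule_allows(rule, api_group, resource, verb):
    """A PolicyRule matches only if apiGroup, resource AND verb all match."""
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))

def can_i(user, verb, resource, namespace, api_group=""):
    """Like `kubectl auth can-i`: a RoleBinding only grants inside its own namespace."""
    for binding in ROLE_BINDINGS:
        if binding["namespace"] != namespace:
            continue  # bindings in other namespaces never apply
        if not any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"]):
            continue
        rules = ROLES.get((namespace, binding["roleRef"]), [])
        if any(rule_allows(r, api_group, resource, verb) for r in rules):
            return True
    return False  # deny by default: no matching rule means forbidden

if __name__ == "__main__":
    for ns, verb in [("development", "create"), ("production", "list"), ("production", "create")]:
        print(f"DevDan {verb} pods in {ns}: {'yes' if can_i('DevDan', verb, 'pods', ns) else 'no'}")
```

On a real cluster the same checks are `kubectl auth can-i create pods --namespace production --as DevDan` and friends, which is the quickest way to verify the exercise before switching contexts.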