Role Based Access Control

Step 1:
  • Navigate to RoleBasedAccessControl directory.
cd /root/container_training/Kubernetes/RoleBasedAccessControl
Step 2:
  • Generate an RSA private key for restricteduser
sudo openssl genrsa -out restricteduser.key 4096
Step 3:
  • Generate a certificate signing request (CSR) using the key created in Step 2. The CN becomes the Kubernetes user name and the O becomes a group that user belongs to; both are what the API server authorises against.
sudo openssl req -new -key restricteduser.key -out restricteduser.csr -subj '/CN=restricteduser/O=developer'
Step 4:
  • Sign the CSR with the cluster CA to produce a client certificate the API server will trust (the certificate is CA-signed, not self-signed)
sudo openssl x509 -req -in restricteduser.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out restricteduser.crt -days 365
Step 5:
  • Create a restricted namespace
kubectl create namespace restricted-namespace
Step 6:
  • Set credentials and context for the user restricteduser
kubectl config set-credentials restricteduser --client-certificate=restricteduser.crt  --client-key=restricteduser.key

kubectl config set-context restricteduser-context --cluster=kubernetes --namespace=restricted-namespace --user=restricteduser
Step 7:
  • Try fetching the list of pods with restricteduser-context
kubectl --context=restricteduser-context get pods
  • It will show the following Error: Error from server (Forbidden): pods is forbidden: User "restricteduser" cannot list pods in the namespace "restricted-namespace"
Step 8:
  • Create a Role and RoleBinding in restricted-namespace
kubectl -n restricted-namespace create -f role-deployment-manager.yaml

kubectl -n restricted-namespace create -f rolebinding-deployment-manager.yaml
Step 9:
  • Run a pod using restricteduser-context (with kubectl older than 1.18, run creates a Deployment rather than a bare pod, which is why the pod name in Step 10 carries a generated suffix)
kubectl --context=restricteduser-context run --image nginx:alpine nginx
Step 10:
  • Using the restricteduser-context, try deleting the pod running
kubectl --context=restricteduser-context get pods

kubectl --context=restricteduser-context delete pod <pod_name>
  • It will show the following Error: Error from server (Forbidden): pods "nginx-6fc74ccb78-c5ctm" is forbidden: User "restricteduser" cannot delete pods in the namespace "restricted-namespace"
Step 11:
  • To remove the Role, RoleBinding and the pod, delete restricted-namespace; namespaced objects go with it. Note that this only removes the permissions: the client certificate stays valid until it expires, since the API server does not check revocation lists, and the restricteduser credentials and context remain in your kubeconfig until you remove them.
kubectl delete ns restricted-namespace
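The whole procedure in one script, as an added example that is not part of the original training repository. It repeats the certificate workflow of Steps 2 to 4 against a throwaway CA (an assumption, standing in for /etc/kubernetes/pki/ca.crt and ca.key, which only exist on a control-plane node), shows how the API server will read the CN and O out of the resulting certificate, writes a Role and RoleBinding whose content is my assumption (the page does not show role-deployment-manager.yaml or rolebinding-deployment-manager.yaml; the verb set here is chosen to match what Steps 9 and 10 observe), and, only when RUN_LIVE=1 is set on a machine with cluster-admin access, applies them and asks the API server what restricteduser may do via `kubectl auth can-i --as`.

```shell
#!/usr/bin/env bash
# Added example, not code from the original tutorial. Runs offline with only
# openssl; the live kubectl checks are opt-in (RUN_LIVE=1).
set -euo pipefail

WORK="${WORK:-$(mktemp -d)}"
USER_NAME="restricteduser"
GROUP_NAME="developer"
NS="restricted-namespace"

# Throwaway CA (assumption) standing in for the cluster CA. On a real control
# plane use /etc/kubernetes/pki/ca.crt and ca.key instead.
make_test_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -days 1 \
    -subj "/CN=kubernetes-test-ca" -out "$WORK/ca.crt" 2>/dev/null
}

# Steps 2-4: private key, CSR carrying CN (user) and O (group), CA-signed cert.
make_user_cert() {
  openssl genrsa -out "$WORK/$USER_NAME.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$USER_NAME.key" \
    -subj "/CN=$USER_NAME/O=$GROUP_NAME" -out "$WORK/$USER_NAME.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$USER_NAME.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 1 -out "$WORK/$USER_NAME.crt" 2>/dev/null
}

# Prints "<user> <group>" exactly as the API server derives them: CN and O of
# the client certificate. Fails first if the cert does not chain to the CA,
# because a cert the cluster CA did not sign is rejected before RBAC runs.
# (Word-splitting on commas is fine here; CN and O contain no spaces.)
cert_identity() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$USER_NAME.crt" >/dev/null
  local subj cn="" o="" rdn
  subj=$(openssl x509 -in "$WORK/$USER_NAME.crt" -noout -subject -nameopt RFC2253)
  for rdn in $(printf '%s\n' "${subj#subject=}" | tr ',' ' '); do
    case "$rdn" in
      CN=*) cn="${rdn#CN=}" ;;
      O=*)  o="${rdn#O=}" ;;
    esac
  done
  printf '%s %s\n' "$cn" "$o"
}

# Step 8 manifests (assumed content). Verbs deliberately stop at create:
# Step 9 must succeed, Step 10 must be refused. The apps/deployments rule is
# what older kubectl needs because its `run` created a Deployment.
write_rbac_manifests() {
  cat > "$WORK/role-deployment-manager.yaml" <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployment-manager
  namespace: $NS
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create"]
EOF
  cat > "$WORK/rolebinding-deployment-manager.yaml" <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployment-manager-binding
  namespace: $NS
subjects:
- kind: User
  name: $USER_NAME   # must equal the certificate CN
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Steps 5, 7, 8 and 10 without a second kubeconfig context: apply the
# manifests and ask the API server, impersonating the user. Needs a cluster
# and a caller allowed to impersonate (cluster-admin is).
check_live_permissions() {
  kubectl get namespace "$NS" >/dev/null 2>&1 || kubectl create namespace "$NS"
  kubectl -n "$NS" apply -f "$WORK/role-deployment-manager.yaml" \
    -f "$WORK/rolebinding-deployment-manager.yaml"
  local verb
  for verb in list create delete; do
    printf '%-6s pods: ' "$verb"
    kubectl auth can-i "$verb" pods -n "$NS" \
      --as="$USER_NAME" --as-group="$GROUP_NAME" || true   # "no" exits 1
  done
}

make_test_ca
make_user_cert
cert_identity            # prints: restricteduser developer
write_rbac_manifests
if [ "${RUN_LIVE:-0}" = "1" ]; then check_live_permissions; fi
```

Against a real cluster the last loop should print yes, yes, no, mirroring Steps 7 (after the binding), 9 and 10. The `--as` check is also the quickest way to audit any Role before handing out a certificate, since a certificate cannot be revoked once issued.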