Kubernetes RBAC: A Practical Guide

Summary:

Kubernetes RBAC is a powerful feature that allows you to fine-tune access to resources in your cluster. By creating roles and role bindings, you can specify exactly which users and processes have access to which resources and actions. This can help you to secure your cluster and prevent unauthorized access to critical resources.

What Is Kubernetes RBAC?

When an organization starts using Kubernetes, it typically has a small cluster with only a few nodes, managed by a small number of team members. At this scale, it is common to grant cluster admin privileges to everyone on the team to simplify management.

However, as clusters grow, especially as they are used in production, granting administrative access to everyone is not a good idea. Not all users need unlimited rights to create, modify, and delete resources. It is important to limit the resources that team members and applications can access and the actions they can perform.

Kubernetes provides a role-based access control (RBAC) feature that makes this possible. It allows an organization to grant granular access to team members or entire teams by giving them access to certain namespaces, or specific resources within a namespace. Some team members can be given view-only access, while others are allowed to add, modify, or delete resources.

Examples of Kubernetes resources that RBAC can help manage include:

  • Pods: RBAC can restrict access to specific pods or allow users to manage their lifecycle.
  • Deployments: RBAC can grant access to manage deployments, ensuring that only authorized users can make changes.
  • Services: RBAC can control access to services, allowing specific users to create, update, or delete them.

Benefits of RBAC in Kubernetes

RBAC brings several benefits to a Kubernetes project:

  • Integration with enterprise access control solutions, such as single sign-on (SSO)—the RBAC system manages access to resources through a centralized role directory. This makes it possible for users to authenticate themselves and access Kubernetes resources using their existing corporate credentials.
  • Fine-grained access control—RBAC enables strict control over who has access to what in the cluster, and the level of access to different aspects of a project. This ensures teams don’t interfere with each other’s projects or accidentally modify clusters belonging to other projects.
  • Control costs—Kubernetes clusters, especially when deployed in cloud environments, are a major cost center for organizations. It is important to control access to clusters to ensure that only authorized users can take actions that have a cost implication, such as auto-scaling Kubernetes nodes and clusters.
  • Minimize security risks—RBAC improves security by ensuring team members can access only the specific resources they need, in accordance with the least privilege principle. This helps prevent breaches and minimizes security risks.

Common Use Cases for RBAC in Kubernetes

Here are some practical use cases of Kubernetes RBAC, which can help organizations effectively manage access to resources and maintain a secure environment:

  • Granting specific teams access to required resources: In large organizations, different teams may be responsible for various aspects of a project, such as development, testing, and operations. Using Kubernetes RBAC, you can grant each team access to the resources they require to perform their tasks without providing unnecessary privileges.
  • Onboarding and offboarding team members: Kubernetes RBAC makes it easy to manage access control when team members join or leave projects. By defining roles and role bindings, you can quickly grant or revoke access to resources for new or departing team members.
  • Separating responsibilities in multi-tenant environments: In multi-tenant Kubernetes clusters, different teams or clients may share the same infrastructure. RBAC allows you to define separate namespaces for each tenant and grant access to specific resources within those namespaces.
  • Delegating administrative tasks: In some cases, you may want to delegate certain administrative tasks to specific users without giving them full administrative privileges. Kubernetes RBAC allows you to create custom roles with a limited set of permissions, enabling you to delegate specific tasks, such as namespace creation or resource quota management, to trusted team members.

Implementing RBAC In Your Kubernetes Cluster

This tutorial covers how to implement Role-Based Access Control (RBAC) in a Kubernetes cluster. The main steps are:

  1. Enabling RBAC: Activating the RBAC feature in your Kubernetes cluster.
  2. Creating a Test User: Creating a service account called "demo" to assign RBAC roles.
  3. Creating a Role: Defining a role called "Developer" with specific permissions.
  4. Creating a RoleBinding: Binding the "Developer" role to the "demo" service account for access control. This assigns the permissions defined for the Developer role to the specific user account.

Below is how it works in practice:

1. Enable RBAC in Your Cluster

Enable RBAC by including it in the API server's --authorization-mode flag when the API server is started:

sh
kube-apiserver --authorization-mode=RBAC

2. Create a Test User

Create a service account called "demo":

sh
kubectl create serviceaccount demo

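Extract the token and add your user as a new kubectl context:

sh
# Read the token from the service account's auto-created Secret.
# Clusters on v1.24 or later do not create that Secret; there, use:
#   TOKEN=$(kubectl create token demo)
TOKEN=$(kubectl describe secret $(kubectl get secret | grep demo-token | awk '{print $1}') | grep '^token:' | awk '{print $2}')
kubectl config set-credentials demo --token="$TOKEN"
kubectl config set-context demo --cluster=kubernetes --user=demo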

Switch to the new demo context:

sh
kubectl config use-context demo

3. Create a Role

Switch back to your original context:

sh
kubectl config use-context default

Create a role called "Developer" by saving the following YAML as role.yaml and applying it. The "create", "get", and "list" verbs allow this role to create pods, get information about specific pods, and list all pods in the namespace.

yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: Developer
rules:
  - apiGroups: [""]        # "" is the core API group, which contains pods
    resources: ["pods"]
    verbs: ["create", "get", "list"]

sh
kubectl apply -f role.yaml

4. Create a RoleBinding

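Create a RoleBinding by saving the following YAML as role-binding.yaml and applying it:

yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: default
  name: DeveloperRoleBinding
subjects:
  - kind: ServiceAccount
    name: demo
    namespace: default     # namespace of the service account
    apiGroup: ""           # service accounts belong to the core API group
roleRef:
  kind: Role
  name: Developer
  apiGroup: rbac.authorization.k8s.io   # API group of the referenced Role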

sh
kubectl apply -f role-binding.yaml
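
To see what the Role and RoleBinding from steps 3 and 4 actually grant, this added example (not code from the original article or from Kubernetes) models the RBAC decision for namespaced Role and RoleBinding objects in Python. The function names are illustrative, and it assumes no ClusterRoles, group subjects or resourceNames are involved.

```python
# Added example: models the RBAC authorizer's decision for Role/RoleBinding only.
# ROLE and BINDING mirror the rules, subject and role reference from the tutorial.
ROLE = {"metadata": {"namespace": "default", "name": "Developer"},
        "rules": [{"apiGroups": [""], "resources": ["pods"],
                   "verbs": ["create", "get", "list"]}]}
BINDING = {"metadata": {"namespace": "default", "name": "DeveloperRoleBinding"},
           "subjects": [{"kind": "ServiceAccount", "name": "demo"}],
           "roleRef": {"kind": "Role", "name": "Developer"}}

def sa_username(namespace, name):
    """Username the API server assigns to a service account's token."""
    return f"system:serviceaccount:{namespace}:{name}"

def subject_matches(subject, binding_ns, user):
    # A ServiceAccount subject with no namespace resolves to the binding's namespace.
    if subject["kind"] == "ServiceAccount":
        ns = subject.get("namespace") or binding_ns
        return user == sa_username(ns, subject["name"])
    return subject["kind"] == "User" and subject["name"] == user

def rule_allows(rule, api_group, resource, verb):
    def hit(allowed, value):  # "*" is the RBAC wildcard
        return "*" in allowed or value in allowed
    return (hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))

def is_allowed(user, verb, resource, namespace, api_group="",
               roles=(ROLE,), bindings=(BINDING,)):
    """Allow-only evaluation: True if any bound rule matches, otherwise denied."""
    for b in bindings:
        ns = b["metadata"]["namespace"]
        if ns != namespace:
            continue  # a RoleBinding grants nothing outside its own namespace
        if not any(subject_matches(s, ns, user) for s in b["subjects"]):
            continue
        for r in roles:
            same = (r["metadata"]["name"] == b["roleRef"]["name"]
                    and r["metadata"]["namespace"] == ns)
            if same and any(rule_allows(x, api_group, resource, verb)
                            for x in r["rules"]):
                return True
    return False

if __name__ == "__main__":
    demo = sa_username("default", "demo")
    for verb, res, ns in [("list", "pods", "default"), ("delete", "pods", "default"),
                          ("get", "secrets", "default"), ("list", "pods", "kube-system")]:
        print(verb, res, ns, "->", "yes" if is_allowed(demo, verb, res, ns) else "no")
```

On a live cluster, `kubectl auth can-i list pods --as=system:serviceaccount:default:demo -n default` asks the API server the same question.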

Conclusion

In conclusion, Kubernetes RBAC is a powerful feature that allows you to fine-tune access to resources in your cluster. By creating roles and role bindings, you can specify exactly which users and processes have access to which resources and actions. This can help you to secure your cluster and prevent unauthorized access to critical resources.

User Comments

1 comment
Kiri Cowell

Wow, what a wonderful post. This was too much information for me

September 21, 2023 - 11:09pm

About the author

CMCrossroads is a TechWell community.
