DEV Community

Mike Levan
Mike Levan

Posted on

Kubernetes Roles and Users (RBAC For k8s)

As with any type of log-in mechanism, there’s always some kind of user and role. The user could be a standard person or even a service account. A role could be anything from readonly to full administrator.

When it comes to Kubernetes, it’s not any different. Users, roles, and permissions are insanely important when it comes to figuring out who or what service account has access to what resources. It’s the make or break between having the ability to deploy an application and only being able to view the deployed application.

In this blog post, you’ll learn about Kubernetes roles and users. You’ll start with what RBAC is, followed by creating a new user to access Kubernetes resources, and finishing up wish creating a few role-specific Kubernetes specs.

RBAC

When you’re assigning permissions to specific users or service accounts, you’re typically assigning some sort of role. The roles typically look something like:

  • readonly
  • readwrite
  • write
  • admin
  • owner

Of course there are a ton of different roles, but those are the typical. RBAC (Role-Based Access Control) by definition is a way to define access to systems and applications based on roles assigned to users.

With RBAC you can pick and choose who and what resources have authorization to specific resources. Those resources can be anything from a Kubernetes cluster to deploying Kubernetes Deployment specs to a service account having access to specific Kubernetes-deployed applications.

Creating a User for Kubernetes

With a lot of cloud Kubernetes services today, you don’t have to worry too much about creating users for Kubernetes in the standard way (like you’ll see below). For example, if you have an Azure Kubernetes Service (AKS) cluster, the users can be managed via:

  • RBAC from the Azure portal
  • AKS-managed Azure Active Directory (AS)

For standard Kubernetes cluster deployments or even something like Minikube, you would create and manage the users to connect to those clusters.

Let’s learn what that would look like in a Linux environment.

First, create a new user via the terminal. You can call the user minikube

useradd minkube && cd /home/minkube
Enter fullscreen mode Exit fullscreen mode

Next, create a new SSL key for the minikube user.

openssl req -new -key minikube.key \
  -out minikube.csr \
  -subj "/CN=minikube"
Enter fullscreen mode Exit fullscreen mode

Once the SSL key is created, generate some certificates based on x509.

openssl x509 -req -in minikube.csr \
  -CA /etc/kubernetes/pki/ca.crt \
  -CAkey /etc/kubernetes/pki/ca.key \
  -CAcreateserial \
  -out minikube.crt -days 500
Enter fullscreen mode Exit fullscreen mode

After that, create a new hidden directory .certs and move the certs into the hidden directory.

mkdir .certs && mv minikube.crt minikube.key .certs
Enter fullscreen mode Exit fullscreen mode

Once the minikube user and the appropriate certs are created, you can use the kubectl command to set credentials for the minikube user based on the certificates that you generated in the previous steps.

kubectl config set-credentials minikube \
  --client-certificate=/home/minikube/.certs/minikube.crt \
  --client-key=/home/minikube/.certs/minikube.key
Enter fullscreen mode Exit fullscreen mode

You can then use kubectl to set your current Kubernetes context with whatever Kubernetes cluster you’re using.

kubectl config set-context minikube-context \
  --cluster=kubernetes --user=minikube
Enter fullscreen mode Exit fullscreen mode

Setting the context is setting a Kubernetes cluster in your Kubeconfig, which you’ll learn about in the next section. You’ll also learn more about the Kubernetes configuration, typically called kubeconfig.

Kubeconfig (Authentication)

Typically under a users home directory will live a hidden directory called .kube. Within the .kube directory is where you’ll find a file called config. That’s the Kubernetes configuration or Kubeconfig as the cool kids like to call it for short. Your Kubeconfig is how your system tells a Kubernetes cluster Hey! I have access to you and a few of your resources. Let me in!

From the command line, change directories into the .kube configuration.

cd ~/.kube
Enter fullscreen mode Exit fullscreen mode

Next, read the config with the cat command.

cat config
Enter fullscreen mode Exit fullscreen mode

When you look at the Kubeconfig, you’ll see several different pieces. The main four top-level sections are:

  • Clusters
  • Contexts
  • Users
  • Current Context

The clusters section is for defining one or more Kubernetes clusters, which includes the authentication certificate. The contexts section shows which Kubernetes clusters you have access to per your Kubeconfig. The user's section defines what users have access to in the current and existing contexts. The current context defines what Kubernetes cluster you’re currently connected to from an authorization/usability perspective. For example, if you run kubectl get pods from the command line, the return will be the Pods in the Kubernetes cluster that’s set as your current context.

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /Users/michael/.minikube/ca.crt
    extensions:
    - extension:
        last-update: Tue, 12 Apr 2022 15:23:37 EDT
        provider: minikube.sigs.k8s.io
        version: v1.25.1
      name: cluster_info
    server: https://127.0.0.1:57578
  name: minikube
contexts:
- context:
    cluster: minikube
    extensions:
    - extension:
        last-update: Tue, 12 Apr 2022 15:23:37 EDT
        provider: minikube.sigs.k8s.io
        version: v1.25.1
      name: context_info
    namespace: default
    user: minikube
  name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
  user:
    client-certificate: /Users/michael/.minikube/profiles/minikube/client.crt
    client-key: /Users/michael/.minikube/profiles/minikube/client.key
Enter fullscreen mode Exit fullscreen mode

Notice how there’s the minikube user? That user is set and has access to the current cluster, but what roles and permissions does that user actually have? Let’s dive into that in the next section.

user: minikube
Enter fullscreen mode Exit fullscreen mode

Roles (Authorization)

In the previous section, you learned about what a Kubeconfig is, and a Kubeconfig is your authentication method. It’s what allows you to connect to a Kubernetes cluster. In this section, you’ll learn about Roles, which is authorization. Authorization tells Kubernetes Hey, this user is in the cluster. Here’s what they can actually do while in the cluster.

First, let’s define a Role spec. The Role spec creates a new role so any user that’s connecting to the role can access specific resources.

The Role spec below identifies that in the default namespace, called pod-reader, users have access to Pods. It’s essentially a read role because the permissions are get, watch, and list.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
Enter fullscreen mode Exit fullscreen mode

Next, there’s the RoleBinding Spec. This spec tells Kubernetes which Role spec to look for, the user associated with it, and which namespace to associate the RoleBinding with.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: minikube
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
Enter fullscreen mode Exit fullscreen mode

Congrats! Just like that, you have a fully-available RBAC policy for a user that can read Pods.

Wrapping Up

There are a bunch of great safeguards in place out of the box when it comes to Kubernetes user security. In fact, Kubernetes doesn’t even have its own user database, so it essentially allows you to figure out what you want to use. For an on-prem k8s cluster, you might use a scenario as we did in the Creating a User for Kubernetes section. If you’re using a cloud Kubernetes service like Azure Kubernetes Service (AKS), you might utilize something like Azure Active Directory.

In any case, you can control what users have access to what Kubeconfigs and ultimately what those users can do on the Kubernetes cluster with RBAC.

Discussion (0)