CKS Exam Series #8 RBAC
Kubernetes CKS Example Exam Question Series

#####################################
THIS CHALLENGE WON’T BE UPDATED HERE AND MOVED TO:
https://killercoda.com/killer-shell-cks
######################################
Content
- Create Cluster & Security Best Practices
- Pods, Secrets and ServiceAccounts
- Immutable Pods
- Crash that Apiserver & check logs
- ImagePolicyWebhook / AdmissionController
- Users and CertificateSigningRequests
- ServiceAccount Token Mounting
- Role Based Access Control (RBAC)
- Role Based Access Control (RBAC) v2
- Container Hardening
- NetworkPolicies (Default Deny + Allowlist)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
→ Check out the FULL CKS COURSE on Udemy ←
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rules!
- Be fast, avoid creating yaml manually from scratch
- Use only kubernetes.io/docs for help.
- Check our solution after you did yours. You probably have a better one!
Todays Task: RBAC
- Create two Namespaces ns1 and ns2
- Create ServiceAccount (SA) pipeline in both Namespaces
- These SAs should be allowed to view almost everything in the whole cluster. You can use the default ClusterRole view for this
- These SAs should be allowed to create and delete Deployments in Namespaces ns1 and ns2
- Verify everything using kubectl auth can-i
.
.
.
.
Solution
alias k=kubectl
1. Create Namespaces
k create ns ns1
k create ns ns2
2. Create ServiceAccounts
k -n ns1 create sa pipeline
k -n ns2 create sa pipeline
3. View whole cluster
k get clusterrole view # there is a default one
k create clusterrolebinding -h # examples
k create clusterrolebinding pipeline-view --clusterrole view --serviceaccount ns1:pipeline --serviceaccount ns2:pipeline
4. Manage Deployments in certain Namespaces
k create clusterrole -h # examples
k create clusterrole pipeline-deployment-manager --verb create,delete --resource deployments
k create rolebinding -h # examples
k -n ns1 create rolebinding pipeline-deployment-manager --clusterrole pipeline-deployment-manager --serviceaccount ns1:pipeline
k -n ns2 create rolebinding pipeline-deployment-manager --clusterrole pipeline-deployment-manager --serviceaccount ns2:pipeline
Instead of one ClusterRole we could also create the same Role in both Namespaces and bind it there.
5. Verify
ServiceAccounts are referenced as system:serviceaccount:<namespace>:<name> because this is the username the apiserver assigns to requests made with a ServiceAccount token, so --as with that name impersonates the SA.
# namespace ns1 deployment manager
k auth can-i delete deployments --as system:serviceaccount:ns1:pipeline -n ns1 # YES
k auth can-i create deployments --as system:serviceaccount:ns1:pipeline -n ns1 # YES
k auth can-i update deployments --as system:serviceaccount:ns1:pipeline -n ns1 # NO
k auth can-i update deployments --as system:serviceaccount:ns1:pipeline -n default # NO
# namespace ns2 deployment manager
k auth can-i delete deployments --as system:serviceaccount:ns2:pipeline -n ns2 # YES
k auth can-i create deployments --as system:serviceaccount:ns2:pipeline -n ns2 # YES
k auth can-i update deployments --as system:serviceaccount:ns2:pipeline -n ns2 # NO
k auth can-i update deployments --as system:serviceaccount:ns2:pipeline -n default # NO
# cluster wide view role
k auth can-i list deployments --as system:serviceaccount:ns1:pipeline -n ns1 # YES
k auth can-i list deployments --as system:serviceaccount:ns1:pipeline -A # YES
k auth can-i list pods --as system:serviceaccount:ns1:pipeline -A # YES
k auth can-i list pods --as system:serviceaccount:ns2:pipeline -A # YES
k auth can-i list secrets --as system:serviceaccount:ns2:pipeline -A # NO (default view-role doesn't allow)
We see that the default ClusterRole view doesn't allow viewing Secrets, which is a deliberate restriction: read access to Secrets would otherwise hand out every credential in the cluster.
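To make the verification results above reproducible without a cluster, here is an added offline model of how the apiserver evaluates these bindings (example code written for this post, not kubectl output and not the real RBAC authorizer; the "view" rules are a constructed subset of the built-in ClusterRole). It answers the same can-i questions and shows why a RoleBinding to a ClusterRole only grants inside its own namespace while a ClusterRoleBinding grants everywhere.

```python
"""Simplified model of Kubernetes RBAC evaluation for the objects created in
the solution: one ClusterRoleBinding to "view" and two RoleBindings to the
"pipeline-deployment-manager" ClusterRole. Constructed example, not the
apiserver's code; rule sets are a hand-picked subset of the real roles."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Role:                 # Role or ClusterRole: list of (verbs, resources)
    rules: List[Tuple[Set[str], Set[str]]]


@dataclass
class Binding:              # namespace=None models a ClusterRoleBinding
    role: str
    subjects: Set[str]
    namespace: Optional[str] = None


def sa(namespace: str, name: str) -> str:
    """Username the apiserver derives from a ServiceAccount token."""
    return f"system:serviceaccount:{namespace}:{name}"


ROLES = {
    # constructed subset of the built-in "view" role: read-only, no secrets
    "view": Role([({"get", "list", "watch"},
                   {"pods", "deployments", "services", "configmaps"})]),
    "pipeline-deployment-manager": Role([({"create", "delete"}, {"deployments"})]),
}
BINDINGS = [
    Binding("view", {sa("ns1", "pipeline"), sa("ns2", "pipeline")}),        # ClusterRoleBinding
    Binding("pipeline-deployment-manager", {sa("ns1", "pipeline")}, "ns1"),  # RoleBinding in ns1
    Binding("pipeline-deployment-manager", {sa("ns2", "pipeline")}, "ns2"),  # RoleBinding in ns2
]


def can_i(user: str, verb: str, resource: str, namespace: Optional[str] = None) -> bool:
    """namespace=None asks about all namespaces (kubectl's -A), which only a
    ClusterRoleBinding can satisfy. RBAC is allow-only: any matching rule wins."""
    for b in BINDINGS:
        if user not in b.subjects:
            continue
        # A RoleBinding grants only inside its own namespace, even when it
        # references a ClusterRole; a ClusterRoleBinding grants everywhere.
        if b.namespace is not None and b.namespace != namespace:
            continue
        for verbs, resources in ROLES[b.role].rules:
            if verb in verbs and resource in resources:
                return True
    return False
```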
.
.
.
.
.
Least Privilege Principle (PoLP)
Always assign only the least privilege a SA or User actually needs. Be careful with ClusterRoleBindings: they grant access cluster-wide, in all existing and future Namespaces.
Be fast with RBAC questions
Always use the kubectl commands to generate your roles and bindings. Don't copy existing YAML from examples and try to make it work. The help pages show great examples.
You have a different solution?
Let us know by leaving a comment below!
— — — The END — — —
So much for this session. See you at the next one and happy learning!
Ready to join Killer Shell?
FULL CKS COURSE

…or the CKS SIMULATOR
