
CKS Exam Series #8 RBAC

Kim Wuestkamp, published in ITNEXT
3 min read · Feb 8, 2021


CKS Exam Series | CKA Exam Series | CKAD Exam Series

#####################################

THIS CHALLENGE WON’T BE UPDATED HERE AND MOVED TO:

https://killercoda.com/killer-shell-cks

######################################

Content

  1. Create Cluster & Security Best Practices
  2. Pods, Secrets and ServiceAccounts
  3. Immutable Pods
  4. Crash that Apiserver & check logs
  5. ImagePolicyWebhook / AdmissionController
  6. Users and CertificateSigningRequests
  7. ServiceAccount Token Mounting
  8. Role Based Access Control (RBAC)
  9. Role Based Access Control (RBAC) v2
  10. Container Hardening
  11. NetworkPolicies (Default Deny + Allowlist)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

→ Check out the FULL CKS COURSE on Udemy ←

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rules!

  1. Be fast, avoid creating yaml manually from scratch
  2. Use only kubernetes.io/docs for help.
  3. Check our solution after you did yours. You probably have a better one!

Today's Task: RBAC

  1. Create two Namespaces ns1 and ns2
  2. Create ServiceAccount (SA) pipeline in both Namespaces
  3. These SAs should be allowed to view almost everything in the whole cluster. You can use the default ClusterRole view for this
  4. These SAs should be allowed to create and delete Deployments in Namespaces ns1 and ns2
  5. Verify everything using kubectl auth can-i


Solution

alias k=kubectl

1. Create Namespaces

k create ns ns1
k create ns ns2

2. Create ServiceAccounts

k -n ns1 create sa pipeline
k -n ns2 create sa pipeline

3. View whole cluster

k get clusterrole view # there is a default one
k create clusterrolebinding -h # examples
k create clusterrolebinding pipeline-view --clusterrole view --serviceaccount ns1:pipeline --serviceaccount ns2:pipeline

4. Manage Deployments in certain Namespaces

k create clusterrole -h # examples
k create clusterrole pipeline-deployment-manager --verb create,delete --resource deployments
k create rolebinding -h # examples
k -n ns1 create rolebinding pipeline-deployment-manager --clusterrole pipeline-deployment-manager --serviceaccount ns1:pipeline
k -n ns2 create rolebinding pipeline-deployment-manager --clusterrole pipeline-deployment-manager --serviceaccount ns2:pipeline

Instead we could also create the same Role in both Namespaces.

5. Verify

When impersonating with --as, a ServiceAccount is referenced as system:serviceaccount:<namespace>:<name>; see the Kubernetes docs for the background on this naming.

# namespace ns1 deployment manager
k auth can-i delete deployments --as system:serviceaccount:ns1:pipeline -n ns1 # YES
k auth can-i create deployments --as system:serviceaccount:ns1:pipeline -n ns1 # YES
k auth can-i update deployments --as system:serviceaccount:ns1:pipeline -n ns1 # NO
k auth can-i update deployments --as system:serviceaccount:ns1:pipeline -n default # NO
# namespace ns2 deployment manager
k auth can-i delete deployments --as system:serviceaccount:ns2:pipeline -n ns2 # YES
k auth can-i create deployments --as system:serviceaccount:ns2:pipeline -n ns2 # YES
k auth can-i update deployments --as system:serviceaccount:ns2:pipeline -n ns2 # NO
k auth can-i update deployments --as system:serviceaccount:ns2:pipeline -n default # NO
# cluster wide view role
k auth can-i list deployments --as system:serviceaccount:ns1:pipeline -n ns1 # YES
k auth can-i list deployments --as system:serviceaccount:ns1:pipeline -A # YES
k auth can-i list pods --as system:serviceaccount:ns1:pipeline -A # YES
k auth can-i list pods --as system:serviceaccount:ns2:pipeline -A # YES
k auth can-i list secrets --as system:serviceaccount:ns2:pipeline -A # NO (default view-role doesn't allow)

We see that the default ClusterRole view does not allow viewing Secrets.
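Added example, not from the original post: a small Python model of how the apiserver's RBAC authorizer evaluates exactly the bindings created above, so the kubectl auth can-i matrix can be reproduced without a cluster. The rules of the view ClusterRole are a constructed subset (it grants read verbs on most resources, but deliberately not on secrets), and namespace "*" stands in for the -A flag.

```python
"""Model of the RBAC checks behind `kubectl auth can-i` for the pipeline SAs.

Constructed example: only the roles and bindings from this task are encoded.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    verbs: FrozenSet[str]
    resources: FrozenSet[str]


# ClusterRoles by name. `view` is reduced to the resources the checks use;
# the real one also omits secrets, which is the point verified above.
CLUSTER_ROLES = {
    "view": [Rule(frozenset({"get", "list", "watch"}),
                  frozenset({"pods", "deployments", "services", "configmaps"}))],
    "pipeline-deployment-manager": [Rule(frozenset({"create", "delete"}),
                                         frozenset({"deployments"}))],
}


@dataclass(frozen=True)
class Binding:
    role: str                      # ClusterRole referenced by roleRef
    subjects: FrozenSet[str]       # system:serviceaccount:<ns>:<name>
    namespace: Optional[str] = None  # None = ClusterRoleBinding (cluster-wide)


BINDINGS: List[Binding] = [
    Binding("view", frozenset({"system:serviceaccount:ns1:pipeline",
                               "system:serviceaccount:ns2:pipeline"})),
    Binding("pipeline-deployment-manager",
            frozenset({"system:serviceaccount:ns1:pipeline"}), "ns1"),
    Binding("pipeline-deployment-manager",
            frozenset({"system:serviceaccount:ns2:pipeline"}), "ns2"),
]


def can_i(verb: str, resource: str, subject: str, namespace: str) -> bool:
    """Return True if any binding grants verb on resource; "*" means -A."""
    for b in BINDINGS:
        if subject not in b.subjects:
            continue
        # A RoleBinding scopes even a referenced ClusterRole to its own
        # namespace; a ClusterRoleBinding applies in every namespace.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(verb in r.verbs and resource in r.resources
               for r in CLUSTER_ROLES[b.role]):
            return True
    return False
```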


Least Privilege Principle (PoLP)

Always assign only the least privilege that SAs or Users actually need. Be careful with ClusterRoleBindings, because they grant access cluster-wide, in all existing and future Namespaces.

Be fast with RBAC questions

Always use the kubectl commands to generate your roles and bindings. Don’t copy existing YAML from examples and try to make it work. The help pages show great examples.

You have a different solution?

Let us know by leaving a comment below!

— — — The END — — —

So much for this session. See you at the next one and happy learning!

Ready to join Killer Shell?

FULL CKS COURSE

LINK

…or the CKS SIMULATOR

https://killer.sh/cks


Written by Kim Wuestkamp

killercoda.com | killer.sh (CKS CKA CKAD Simulator) | Software Engineer, Infrastructure Architect, Certified Kubernetes
