CKS Exam Series #9 RBAC v2

Kim Wuestkamp, published in ITNEXT
4 min read, Feb 21, 2021


#####################################

THIS CHALLENGE WON’T BE UPDATED HERE AND MOVED TO:

https://killercoda.com/killer-shell-cks

######################################

Content

  1. Create Cluster & Security Best Practices
  2. Pods, Secrets and ServiceAccounts
  3. Immutable Pods
  4. Crash that Apiserver & check logs
  5. ImagePolicyWebhook / AdmissionController
  6. Users and CertificateSigningRequests
  7. ServiceAccount Token Mounting
  8. Role Based Access Control (RBAC)
  9. Role Based Access Control (RBAC) v2
  10. Container Hardening
  11. NetworkPolicies (Default Deny + Allowlist)


Rules!

  1. Be fast, avoid creating yaml manually from scratch
  2. Use only kubernetes.io/docs for help.
  3. Check our solution after you did yours. You probably have a better one!

Today's Task: RBAC

  1. Create Namespace applications
  2. User smoke should be allowed to create and delete Pods, Deployments and StatefulSets in Namespace applications
  3. User smoke should have view permissions (like the permissions of the default ClusterRole named view) in all Namespaces but not in kube-system
  4. User smoke should be allowed to see available Secrets in Namespace applications. Just Secret names, no data.
  5. Verify everything using kubectl auth can-i
  6. Verify everything using an actual user smoke by creating it like done here


Solution

alias k=kubectl

1. Create Namespace

k create ns applications

2. RBAC applications

k -n applications create role smoke --verb create,delete --resource pods,deployments,sts
k -n applications create rolebinding smoke --role smoke --user smoke

3. RBAC view everywhere but not kube-system

As of now it’s not possible to create deny-RBAC in K8s, only allowing things.

k get ns # get all namespaces
k -n applications create rolebinding smoke-view --clusterrole view --user smoke
k -n default create rolebinding smoke-view --clusterrole view --user smoke
k -n kube-node-lease create rolebinding smoke-view --clusterrole view --user smoke
k -n kube-public create rolebinding smoke-view --clusterrole view --user smoke
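Because RBAC only allows and never denies, "view everywhere except kube-system" means one RoleBinding per wanted namespace. The helper below is an added example (not code from the original post): it reads a namespace list on stdin, skips an exclusion list, and prints the kubectl commands as a dry run; the namespace list is constructed, and the output is meant to be reviewed before being piped to sh.

```shell
#!/bin/sh
# Added example, not from the original post. Emit one "create rolebinding"
# command per namespace, skipping an exclusion list. No ClusterRoleBinding is
# used, so a Namespace created later gets no binding until the script is
# re-run; that is the price of avoiding cluster-wide access.

# Usage: view_bindings_except USER EXCLUDED_NS... < namespace-list
# stdin: one namespace name per line, the format printed by
#   kubectl get ns --no-headers -o custom-columns=:metadata.name
view_bindings_except() {
  user="$1"; shift
  excluded=" $* "            # padded so " ns " matches whole names only
  while IFS= read -r ns; do
    [ -z "$ns" ] && continue
    case "$excluded" in
      *" $ns "*) echo "# skipping $ns (excluded)" ;;
      *) echo "kubectl -n $ns create rolebinding smoke-view --clusterrole view --user $user" ;;
    esac
  done
}

# Constructed sample: namespaces of a fresh cluster plus the one created in
# step 1. Not captured from a real cluster.
SAMPLE_NAMESPACES='applications
default
kube-node-lease
kube-public
kube-system'

# Self-check helper: how many binding commands the sample produces.
count_bindings() {
  printf '%s\n' "$SAMPLE_NAMESPACES" \
    | view_bindings_except smoke kube-system | grep -c '^kubectl'
}

# Dry run. To apply for real, review the output and then pipe it to sh:
#   kubectl get ns --no-headers -o custom-columns=:metadata.name \
#     | view_bindings_except smoke kube-system | sh
printf '%s\n' "$SAMPLE_NAMESPACES" | view_bindings_except smoke kube-system
```

Afterwards `kubectl auth can-i list pods --as smoke -n kube-system` must still answer no, which is the check step 5 performs.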

4. RBAC only view Secret names

This is NOT POSSIBLE using plain K8s RBAC. You might think of doing this:

# NOT POSSIBLE like this
k -n applications create role list-secrets --verb list --resource secrets
k -n applications create rolebinding...

With the list verb a user can simply run kubectl get secrets -oyaml and see all Secret contents, because list returns the full objects, data included. Dangerous misconfiguration!

5. Verify

# applications
k auth can-i create deployments --as smoke -n applications # YES
k auth can-i delete deployments --as smoke -n applications # YES
k auth can-i delete pods --as smoke -n applications # YES
k auth can-i delete sts --as smoke -n applications # YES
k auth can-i delete secrets --as smoke -n applications # NO
k auth can-i list deployments --as smoke -n applications # YES
k auth can-i list secrets --as smoke -n applications # NO

# view in all namespaces but not kube-system
k auth can-i list pods --as smoke -n default # YES
k auth can-i list pods --as smoke -n applications # YES
k auth can-i list pods --as smoke -n kube-public # YES
k auth can-i list pods --as smoke -n kube-node-lease # YES
k auth can-i list pods --as smoke -n kube-system # NO

6. Verify as real User

Create user like done here.

k config use-context smoke
k get pods -n kube-system # NO
k get pods -n applications # YES
etc...


Least Privilege Principle (PoLP)

Always assign only the least privilege needed to ServiceAccounts or Users. Be careful with ClusterRoleBindings: they grant cluster-wide access, covering all existing and future Namespaces.

Be fast with RBAC questions

Always use the kubectl commands to generate your roles and bindings. Don’t copy existing YAML from examples and try to make it work. The help pages show great examples.

You have a different solution?

Let us know by leaving a comment below!

— — — The END — — —

So much for this session. See you at the next one and happy learning!
