CKS Exam Series #9 RBAC v2
Kubernetes CKS Example Exam Question Series

#####################################
THIS CHALLENGE WON’T BE UPDATED HERE AND MOVED TO:
https://killercoda.com/killer-shell-cks
######################################
Content
- Create Cluster & Security Best Practices
- Pods, Secrets and ServiceAccounts
- Immutable Pods
- Crash that Apiserver & check logs
- ImagePolicyWebhook / AdmissionController
- Users and CertificateSigningRequests
- ServiceAccount Token Mounting
- Role Based Access Control (RBAC)
- Role Based Access Control (RBAC) v2
- Container Hardening
- NetworkPolicies (Default Deny + Allowlist)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
→ Check out the FULL CKS COURSE on Udemy ←
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rules!
- Be fast, avoid creating yaml manually from scratch
- Use only kubernetes.io/docs for help.
- Check our solution after you've done yours. You probably have a better one!
Today's Task: RBAC
- Create Namespace applications
- User smoke should be allowed to create and delete Pods, Deployments and StatefulSets in Namespace applications
- User smoke should have view permissions (like the permissions of the default ClusterRole named view) in all Namespaces but not in kube-system
- User smoke should be allowed to see available Secrets in Namespace applications. Just Secret names, no data.
- Verify everything using kubectl auth can-i
- Verify everything using an actual user smoke by creating it like done here
.
.
.
.
Solution
alias k=kubectl
1. Create Namespace
k create ns applications
2. RBAC applications
k -n applications create role smoke --verb create,delete --resource pods,deployments,sts
k -n applications create rolebinding smoke --role smoke --user smoke
3. RBAC view everywhere but not kube-system
As of now it's not possible to create deny rules in K8s RBAC; rules can only allow things. So instead of one cluster-wide binding, bind the view ClusterRole in every Namespace except kube-system:
k get ns # get all namespaces
k -n applications create rolebinding smoke-view --clusterrole view --user smoke
k -n default create rolebinding smoke-view --clusterrole view --user smoke
k -n kube-node-lease create rolebinding smoke-view --clusterrole view --user smoke
k -n kube-public create rolebinding smoke-view --clusterrole view --user smoke
4. RBAC only view Secret names
This is NOT POSSIBLE using plain K8s RBAC. You might think of doing this:
# NOT POSSIBLE like this
k -n applications create role list-secrets --verb list --resource secrets
k -n applications create rolebinding...
Having the list verb you can simply run kubectl get secrets -oyaml and see all content, because a list request returns the full Secret objects including their data. Dangerous misconfiguration!
5. Verify
# applications
k auth can-i create deployments --as smoke -n applications # YES
k auth can-i delete deployments --as smoke -n applications # YES
k auth can-i delete pods --as smoke -n applications # YES
k auth can-i delete sts --as smoke -n applications # YES
k auth can-i delete secrets --as smoke -n applications # NO
k auth can-i list deployments --as smoke -n applications # YES
k auth can-i list secrets --as smoke -n applications # NO
# view in all namespaces but not kube-system
k auth can-i list pods --as smoke -n default # YES
k auth can-i list pods --as smoke -n applications # YES
k auth can-i list pods --as smoke -n kube-public # YES
k auth can-i list pods --as smoke -n kube-node-lease # YES
k auth can-i list pods --as smoke -n kube-system # NO
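The checks in step 5 can be modelled offline to make the allow-only evaluation explicit: a RoleBinding to the view ClusterRole only counts inside its own Namespace, and nothing is ever denied, only not allowed. This is an added example, not code from the original post or the Killer Shell course; `Rule`, `Binding` and `can_i` are hypothetical helpers (not kubectl APIs), and `VIEW_RULES` is a constructed subset of the real `view` ClusterRole.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    verbs: FrozenSet[str]
    resources: FrozenSet[str]


@dataclass(frozen=True)
class Binding:
    user: str
    rules: Tuple[Rule, ...]   # rules of the Role/ClusterRole the binding references
    namespace: Optional[str]  # RoleBinding's namespace; None would be a ClusterRoleBinding


# Constructed subset of the built-in `view` ClusterRole: read-only on common workload
# objects. The real one lists far more resources and, deliberately, no secrets.
VIEW_RULES = (Rule(frozenset({"get", "list", "watch"}),
                   frozenset({"pods", "deployments", "statefulsets", "configmaps"})),)

# Step 2: Role `smoke` in Namespace applications (sts is short for statefulsets).
SMOKE_ROLE = (Rule(frozenset({"create", "delete"}),
                   frozenset({"pods", "deployments", "statefulsets"})),)

NAMESPACES = ("default", "kube-node-lease", "kube-public", "kube-system", "applications")


def build_bindings() -> List[Binding]:
    """Steps 2 and 3. RBAC has no deny rule, so 'view everywhere except
    kube-system' becomes one RoleBinding to ClusterRole view per other Namespace."""
    bindings = [Binding("smoke", SMOKE_ROLE, "applications")]
    for ns in NAMESPACES:
        if ns != "kube-system":
            bindings.append(Binding("smoke", VIEW_RULES, ns))
    return bindings


def can_i(bindings: List[Binding], user: str, verb: str, resource: str, namespace: str) -> bool:
    """Mirror of `kubectl auth can-i VERB RESOURCE --as USER -n NS`: the request is
    allowed if any binding for the user, valid in that Namespace, has a matching rule."""
    for b in bindings:
        if b.user != user:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue  # a RoleBinding only grants inside its own Namespace
        if any(verb in r.verbs and resource in r.resources for r in b.rules):
            return True
    return False  # nothing allowed it; there is no deny rule to consult
```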
6. Verify as real User
Create user like done here.
k config use-context smoke
k get pods -n kube-system # NO
k get pods -n applications # YES
etc...
.
.
.
.
.
Least Privilege Principle (PoLP)
Always assign only the least privilege needed to ServiceAccounts or Users. Be careful with ClusterRoleBindings: they grant access cluster-wide, in all existing and future Namespaces.
Be fast with RBAC questions
Always use the kubectl commands to generate your roles and bindings. Don't copy existing YAML from examples and try to make it work. The help pages show great examples.
You have a different solution?
Let us know by leaving a comment below!
— — — The END — — —
So much for this session. See you at the next one and happy learning!
Ready to join Killer Shell?
FULL CKS COURSE

…or the CKS SIMULATOR
