Open in app

Sign up

Sign in

Write

Sign up

Sign in

ITNEXT

Home

Newsletter

About

Follow publication

ITNEXT

ITNEXT is a platform for IT developers & software engineers to share knowledge, connect…

Follow publication

CKS Exam Series #9 RBAC v2

Kim Wuestkamp
ITNEXT
Published in
4 min readFeb 21, 2021

CKS Exam Series | CKA Exam Series | CKAD Exam Series

#####################################

THIS CHALLENGE WON’T BE UPDATED HERE AND MOVED TO:

https://killercoda.com/killer-shell-cks

######################################

Content

  1. Create Cluster & Security Best Practices
  2. Pods, Secrets and ServiceAccounts
  3. Immutable Pods
  4. Crash that Apiserver & check logs
  5. ImagePolicyWebhook / AdmissionController
  6. Users and CertificateSigningRequests
  7. ServiceAccount Token Mounting
  8. Role Based Access Control (RBAC)
  9. Role Based Access Control (RBAC) v2
  10. Container Hardening
  11. NetworkPolicies (Default Deny + Allowlist)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

→ Check out the FULL CKS COURSE on Udemy ←

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rules!

  1. Be fast, avoid creating yaml manually from scratch
  2. Use only kubernetes.io/docs for help.
  3. Check our solution after you did yours. You probably have a better one!

Todays Task: RBAC

  1. Create Namespace applications
  2. User smoke should be allowed to create and delete Pods, Deployments and StatefulSets in Namespace applications
  3. User smoke should have view permissions (like the permissions of the default ClusterRole named view) in all Namespaces but not in kube-system
  4. User smoke should be allowed to see available Secrets in Namespace applications. Just Secret names, no data.
  5. Verify everything using kubectl auth can-i
  6. Verify everything using an actual user smoke by creating it like done here

.

.

.

.

.

Solution

alias k=kubectl

1. Create Namespace

k create ns applications

2. RBAC applications

k -n applications create role smoke --verb create,delete --resource pods,deployments,stsk -n applications create rolebinding smoke --role smoke --user smoke

3. RBAC view everywhere but not kube-system

As of now it’s not possible to create deny-RBAC in K8s, only allowing things.

k get ns # get all namespacesk -n applications create rolebinding smoke-view --clusterrole view --user smokek -n default create rolebinding smoke-view --clusterrole view --user smokek -n kube-node-lease create rolebinding smoke-view --clusterrole view --user smokek -n kube-public create rolebinding smoke-view --clusterrole view --user smoke

4. RBAC only view Secret names

This is NOT POSSIBLE using plain K8s RBAC. You might think of doing this:

# NOT POSSIBLE like this
k -n applications create role list-secrets --verb list --resource secretsk -n applications create rolebinding...

Having the list verb you can simply run kubectl get secrets -oyaml and see all content. Dangerous misconfiguration!

5. Verify

# applications
k auth can-i create deployments --as smoke -n applications # YESk auth can-i delete deployments --as smoke -n applications # YESk auth can-i delete pods --as smoke -n applications # YESk auth can-i delete sts --as smoke -n applications # YESk auth can-i delete secrets --as smoke -n applications # NOk auth can-i list deployments --as smoke -n applications # YESk auth can-i list secrets --as smoke -n applications # NO# view in all namespaces but not kube-system
k auth can-i list pods --as smoke -n default # YESk auth can-i list pods --as smoke -n applications # YESk auth can-i list pods --as smoke -n kube-public # YESk auth can-i list pods --as smoke -n kube-node-lease # YESk auth can-i list pods --as smoke -n kube-system # NO

6. Verify as real User

Create user like done here.

k config use-context smokek get pods -n kube-system # NOk get pods -n applications # YESetc...

.

.

.

.

.

Least Privilege Principle (PoLP)

Only always assign the least privilege needed to SAs or Users. Be careful with using ClusterRoleBindings because these grant cluster-wide access and to all existing and future Namespaces.

Be fast with RBAC questions

Always use the kubectl commands to generate your roles and bindings. Don’t copy existing YAML from examples and try to make it work. The help pages show great examples.

You have a different solution?

Let us know by leaving a comment below!

— — — The END — — —

So much for this session. See you at the next one and happy learning!

Ready to join Killer Shell?

FULL CKS COURSE

LINK

…or the CKS SIMULATOR

https://killer.sh/cks

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Sign up for free

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Try for $5/month
Security
Kubernetes
DevOps
Training
Certification

ITNEXT
ITNEXT
Follow

Published in ITNEXT

69K Followers
Last published 5 hours ago

ITNEXT is a platform for IT developers & software engineers to share knowledge, connect, collaborate, learn and experience next-gen technologies.

Follow
Kim Wuestkamp
Kim Wuestkamp
Follow

Written by Kim Wuestkamp

4K Followers
96 Following

killercoda.com | killer.sh (CKS CKA CKAD Simulator) | Software Engineer, Infrastructure Architect, Certified Kubernetes

Follow

Responses (3)

Write a response

What are your thoughts?

Darshan K. Doshi

Mar 31, 2023

Indeed an interesting one! What's the solution for #4 task (RBAC only view Secret names) ?

--

Rashmit Rathod

Apr 22, 2021 (edited)

I really liked this challenge with a twisted scenario i.e. allow view in all but not in kube-system. It has a power to shake one's confident if it comes in real exam(which I am sure/hope doesn't come) until they see the solution to realize 'Oww…

--

cks cks

Apr 15, 2021

Hey KIM. Inorder to list just the secret i need to add the below get verb?
- apiGroups:
- ""
resources:
- secrets
verbs:...

--

More from Kim Wuestkamp and ITNEXT

See all from Kim Wuestkamp
See all from ITNEXT

Recommended from Medium

See more recommendations

Teams