Exercise
-
Make sure user thomas can list the Pods cluster wide
-
Make sure user thomas can create a port-forward on all the Pods in the dev Namespace
-
Make sure user thomas can create, list, get, update, delete the Deployments in the dev Namespace
-
Make sure user patrick can manage (all actions) the Deployment named www in the dev Namespace
-
Delete the Role / ClusterRole / RoleBinding / ClusterRoleBinding created as well as the dev Namespace.
Documentation
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
- https://kubernetes.io/docs/reference/kubectl/generated/kubectl_auth/kubectl_auth_can-i/
Solution
- Make sure user thomas can list the Pods cluster wide
Start by creating a ClusterRole allowing to list the Pods in the entire cluster:
k create clusterrole list-pods --verb list --resource pods Associate the ClusterRole to thomas via a ClusterRoleBinding
k create clusterrolebinding thomas-list-pods --clusterrole list-pods --user thomasVerify:
k auth can-i list pods --as thomas
yes- Make sure user thomas can create a port-forward on all the Pods in the dev Namespace
First create the dev namespace
k create ns devCreate the Role:
k create role port-forward --verb create --resource pods/forward --namespace dev Associate the Role to thomas via a RoleBinding
k create rolebinding thomas-port-forward --role port-forward --user thomas --namespace devVerify:
k auth can-i create pods --subresource=forward --as thomas --namespace dev
yes- Make user user thomas can create, list, get, update, delete the Deployments in the dev Namespace
Create the Role:
k create role manage-deployment --verb create,list,get,update,delete --resource deployments.apps --namespace dev Associate the Role to thomas via a RoleBinding
k create rolebinding thomas-manage-deployment --role manage-deployment --user thomas --namespace devVerify:
k auth can-i create deployments.apps --as thomas --namespace dev
yes- Make sure user patrick can manage (all actions) the Deployment named www in the dev Namespace
Create a role that allows to manage the deployment named www:
k create role manage-www-deployment --verb="*" --resource=deployment.apps --resource-name=www -n devAssociate that role to user patrick:
k create rolebinding patrick-manage-www-deployment --user=patrick --role=manage-www-deployment -n devVerify:
k auth can-i "*" deploy/www --as patrick -n dev
yes- Delete the Role / ClusterRole / RoleBinding / ClusterRoleBinding created as well as the dev namespace.
k delete rolebinding patrick-manage-www-deployment thomas-manage-deployment thomas-port-forward
k delete role manage-www-deployment manage-deployment port-forward
k delete clusterrolebinding thomas-list-nodes
k delete clusterrole list-nodes
k delete ns dev