Playing around with my MicroK8s, I was thinking about restricting access to the default namespace. Why?
Every command adds something, so your default namespace gets polluted more and more, and cleaning up might be a lot of work.
But:
There is neither a HOWTO nor a quickstart for this. Everything you can find is:
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
After this very detailed article you know a lot of things, but for restricting kubectl you are as smart as before.
One thing I learned from this article:
You do not have to use these YAML files - everything can be done with commands and their options (I do not like YAML, so this was a very important realization for me).
At the end it is very easy:
export K8S_USER="ateamuser"
export NAMESPACE="ateam"
export BINDING="ateambinding"
export ROLE="ateamrole"
kubectl create namespace $NAMESPACE
kubectl label namespaces $NAMESPACE team=a
# the role definition is cluster-wide, but it grants nothing until it is bound
kubectl create clusterrole $ROLE --verb="*" --resource="*.*"
# a RoleBinding scopes the ClusterRole to $NAMESPACE only, for the user $K8S_USER
kubectl create rolebinding $BINDING --clusterrole=$ROLE --user=$K8S_USER -n $NAMESPACE
kubectl create serviceaccount $K8S_USER -n $NAMESPACE
kubectl describe sa $K8S_USER -n $NAMESPACE

and just test it with:

root@zigbee:/home/ubuntu/kubernetes# kubectl get pods -n ateam --as=ateamuser
NAME READY STATUS RESTARTS AGE
web-96d5df5c8-cc9jv 1/1 Running 0 14m
root@zigbee:/home/ubuntu/kubernetes# kubectl get pods -n default --as=ateamuser
Error from server (Forbidden): pods is forbidden: User "ateamuser" cannot list resource "pods" in API group "" in the namespace "default"

So there is not a big script needed - but building these commands was really a hard job...
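To make clear why the first request above succeeds and the second is forbidden, here is a small model of the RBAC decision the API server makes for exactly these objects. This is an added example, not code from the post and not Kubernetes code: it reproduces only RoleBinding namespace scoping, the "*" wildcards and the difference between a User subject and a ServiceAccount subject (group subjects such as system:authenticated are left out). The constants ATEAM_ROLE and ATEAM_BINDING mirror the kubectl commands in the post; the names of all functions and classes are my own. One caveat it demonstrates: the post binds a User (--user) and tests with --as, so the service account it also creates is not a subject of the binding. A remote kubectl that authenticates with that service account's token would show up as system:serviceaccount:ateam:ateamuser and would be denied until the binding gets a --serviceaccount=$NAMESPACE:$K8S_USER subject as well.

```python
"""Simplified model of the RBAC decision the API server makes for the objects
created in the post. Added example, not part of the original post and not
Kubernetes code: it reproduces only the parts of the real authorizer needed to
explain the two kubectl results (RoleBinding namespace scoping, "*" wildcards,
and how a User subject differs from a ServiceAccount subject). Group subjects
such as system:authenticated are left out of this model."""
from dataclasses import dataclass


@dataclass
class PolicyRule:
    verbs: set
    api_groups: set
    resources: set

    def matches(self, verb, api_group, resource):
        def allowed(granted, wanted):
            return "*" in granted or wanted in granted
        return (allowed(self.verbs, verb) and allowed(self.api_groups, api_group)
                and allowed(self.resources, resource))


@dataclass
class ClusterRole:
    name: str
    rules: list


@dataclass
class RoleBinding:
    """Grants the role's rules inside its own namespace only, even when the
    referenced role is a ClusterRole (which is exactly what
    `kubectl create rolebinding --clusterrole=...` produces)."""
    namespace: str
    role: ClusterRole
    subjects: set  # "User:<name>" or "ServiceAccount:<namespace>:<name>"


@dataclass
class Request:
    user: str            # authenticated username as the API server sees it
    verb: str
    resource: str
    namespace: str
    api_group: str = ""  # "" is the core API group, where pods live


def subject_names(user):
    """Binding subjects an authenticated identity can match. A service account
    token authenticates as system:serviceaccount:<ns>:<name>, which matches
    only a ServiceAccount subject, never a User subject."""
    if user.startswith("system:serviceaccount:"):
        _, _, ns, name = user.split(":", 3)
        return {f"ServiceAccount:{ns}:{name}"}
    return {f"User:{user}"}


def authorize(req, role_bindings):
    """RBAC is allow-only: the request succeeds as soon as one binding in the
    request's namespace names the caller and carries a matching rule."""
    subjects = subject_names(req.user)
    for rb in role_bindings:
        if rb.namespace != req.namespace:
            continue  # the binding says nothing about other namespaces
        if not (subjects & rb.subjects):
            continue
        if any(r.matches(req.verb, req.api_group, req.resource) for r in rb.role.rules):
            return True
    return False


def forbidden_message(req):
    """The error text kubectl prints for a denied request (same shape as the
    Forbidden message in the post)."""
    return (f'{req.resource} is forbidden: User "{req.user}" cannot {req.verb} '
            f'resource "{req.resource}" in API group "{req.api_group}" '
            f'in the namespace "{req.namespace}"')


# The objects the post's kubectl commands create: a ClusterRole allowing every
# verb on every resource, bound to the User "ateamuser" inside "ateam" only.
ATEAM_ROLE = ClusterRole("ateamrole", [PolicyRule({"*"}, {"*"}, {"*"})])
ATEAM_BINDING = RoleBinding("ateam", ATEAM_ROLE, {"User:ateamuser"})


def can_list_pods(user, namespace, bindings=(ATEAM_BINDING,)):
    """Decide `kubectl get pods -n <namespace>` for the given identity."""
    return authorize(Request(user, "list", "pods", namespace), bindings)


if __name__ == "__main__":
    for user in ("ateamuser", "system:serviceaccount:ateam:ateamuser"):
        for ns in ("ateam", "default"):
            req = Request(user, "list", "pods", ns)
            verdict = "allowed" if authorize(req, [ATEAM_BINDING]) else forbidden_message(req)
            print(f"{user} in {ns}: {verdict}")
```

Running it prints the same allow/deny split as the two kubectl calls above for the User, and a denial in both namespaces for the service account identity, because no binding names it.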
If you want to know how to restrict kubectl on a remote computer, please write a comment.
One last remark: in MicroK8s you enable RBAC with the command
microk8s.enable rbac
Check this with
microk8s.status
microk8s is running
high-availability: no
datastore master nodes: 192.168.178.57:19001
datastore standby nodes: none
addons:
enabled:
dashboard # The Kubernetes dashboard
dns # CoreDNS
ha-cluster # Configure high availability on the current node
ingress # Ingress controller for external access
metrics-server # K8s Metrics Server for API access to service metrics
rbac # Role-Based Access Control for authorisation
disabled:
helm # Helm 2 - the package manager for Kubernetes
helm3 # Helm 3 - Kubernetes package manager
host-access # Allow Pods connecting to Host services smoothly
linkerd # Linkerd is a service mesh for Kubernetes and other frameworks
metallb # Loadbalancer for your Kubernetes cluster
registry # Private image registry exposed on localhost:32000
storage # Storage class; allocates storage from host directory