Understanding Roles and RoleBindings in Kubernetes
Roles and RoleBindings are used to grant permissions to users, groups, and service accounts within a specific namespace.
Role:
It defines a set of permissions within a namespace.
RoleBinding:
It binds a role to a user, group or service account.
Steps to create a Role and a RoleBinding for a user.
Prerequisites:
We should have kubectl installed and configured to interact with our Kubernetes cluster.
Step-1(Creating a Namespace):
We first need to create a namespace where we can deploy all Kubernetes manifests (Deployment, ConfigMap, Secret, Service, etc.) related to a particular microservice. A namespace is used to segregate one microservice from the others, and each namespace can have its own resource quotas, network policies and so on. Type the command below to create the dev namespace.
kubectl create namespace dev
Note: We can also use 'ns' for namespace and 'k' as a shell alias for kubectl, as shown below; this command likewise creates the namespace named dev.
k create ns dev
Step-2(Creating a Role):
A Role defines permissions within a namespace. I have defined a role in the file dev-role.yaml that allows getting, listing, creating and deleting pods. This means that any user bound to the role below can list, get, create and delete pods within the dev namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: new-pod
rules:
  # "" is the core API group, which is where pods live
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "create", "delete"]
Step-3:
Now we need to apply this role to the namespace with the command below.
kubectl apply -f dev-role.yaml
Step-4(Creating a RoleBinding):
A RoleBinding grants the permissions defined in a Role to a user within a namespace; in other words, it binds the role to the user specified in the RoleBinding. Below is the manifest (dev-rolebinding.yaml) that creates a RoleBinding for the user ravi, who already has access to the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: new-pod-rolebinding
  namespace: dev
subjects:
  - kind: User
    name: ravi
    apiGroup: rbac.authorization.k8s.io
roleRef:
  # must reference the Role created above, in the same namespace
  kind: Role
  name: new-pod
  apiGroup: rbac.authorization.k8s.io
Note:
Here I am assuming that the user ravi already exists and has kubectl access configured with proper credentials; if not, we need to create and configure the new user by following the Kubernetes documentation.
Step-5:
Now we need to apply this RoleBinding to the namespace with the command below.
kubectl apply -f dev-rolebinding.yaml
Step-6(Testing the configuration):
Here we will verify whether the user ravi is able to get, list, create and delete pods in the dev namespace. To do this we first create a context for the new user, switch to it, and then run commands as that user.
The command below creates a context named ravi-context in the kubeconfig file located at ~/.kube/config.
kubectl config set-context ravi-context --namespace=dev --user=ravi --cluster=<cluster-name>
The command below switches to the newly created context ravi-context; from now on, every command we type runs with the access granted to the user ravi.
kubectl config use-context ravi-context
Now the commands below let us get, create, list and delete pods.
kubectl get pods
kubectl create -f some-podfile.yaml
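To see exactly what the Role above grants, and just as importantly what it does not, here is an added example (not part of the original post) of a small Python evaluator that mirrors the API server's Role/RoleBinding decision. The two manifests are this page's dev-role.yaml and dev-rolebinding.yaml written as the dicts a YAML parser would return; the logic is simplified and covers only namespaced Roles (no ClusterRole, resourceNames or non-resource URLs).

```python
# Added example: offline evaluator for namespaced Kubernetes RBAC, mirroring
# how the API server decides a request against Role/RoleBinding pairs.
# ROLE and ROLEBINDING are this page's dev-role.yaml and dev-rolebinding.yaml
# as the dicts a YAML parser returns. Simplified: no ClusterRole,
# resourceNames or non-resource URL handling.

ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"namespace": "dev", "name": "new-pod"},
    "rules": [{"apiGroups": [""], "resources": ["pods"],
               "verbs": ["get", "list", "create", "delete"]}],
}

ROLEBINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
    "metadata": {"name": "new-pod-rolebinding", "namespace": "dev"},
    "subjects": [{"kind": "User", "name": "ravi",
                  "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "new-pod",
                "apiGroup": "rbac.authorization.k8s.io"},
}

def _matches(wanted, allowed):
    # Rule fields are allow-lists; "*" is a wildcard that matches anything.
    return "*" in allowed or wanted in allowed

def rule_allows(rule, verb, api_group, resource):
    return (_matches(api_group, rule.get("apiGroups", []))
            and _matches(resource, rule.get("resources", []))
            and _matches(verb, rule.get("verbs", [])))

def can_i(user, verb, resource, namespace, roles, bindings, api_group=""):
    """True if a RoleBinding in `namespace` names `user` and references a Role
    in that same namespace with a rule allowing verb/resource. RBAC is
    additive and deny-by-default: one matching rule suffices, none forbids."""
    for rb in bindings:
        if rb["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        if not any(s["kind"] == "User" and s["name"] == user
                   for s in rb["subjects"]):
            continue  # Group/ServiceAccount subjects are matched the same way
        ref = rb["roleRef"]
        for role in roles:
            if (ref["kind"] == "Role" and role["metadata"]["name"] == ref["name"]
                    and role["metadata"]["namespace"] == namespace):
                if any(rule_allows(r, verb, api_group, resource)
                       for r in role["rules"]):
                    return True
    return False
```

On a live cluster the equivalent check is `kubectl auth can-i get pods --as=ravi -n dev`, which asks the API server directly without switching contexts.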
Written by
Gaurav Kumar
I have been working as a full-time DevOps Engineer at Tata Consultancy Services for the past 2.7 years. I have very good experience with the containerization tools Docker, Kubernetes and OpenShift, and good experience using Ansible, Terraform and others.