☑️Day 43: Diving Into RBAC, Generating Keys and Certificates in Kubernetes🚀

🔹Table of Contents:

  1. Introduction

  2. Why Use RBAC?

  3. Components of RBAC

    • Role

    • RoleBinding

    • ClusterRole and ClusterRoleBinding

  4. Generating Keys and Certificates

  5. Hands-On Practice with RBAC

    • Task 1: Creating a Role and RoleBinding

    • Task 2: Using ClusterRole and ClusterRoleBinding

  6. Real-Time Scenarios and Examples


1. Introduction

Role-Based Access Control (RBAC) in Kubernetes is the authorization mechanism that decides which actions an identity may perform on which resources. It ensures that only authorized users and service accounts can perform specific actions on resources within the cluster; who the caller is (authentication, for example by client certificate) is established before RBAC is consulted.


2. Why Use RBAC?

  • Security: Helps control who can access and modify resources, ensuring the cluster's integrity.

  • Granular Control: Allows fine-grained access controls, defining permissions for each user or service.

  • Compliance: Helps meet regulatory requirements by restricting access to sensitive resources and making granted permissions explicit and auditable.


3. Components of RBAC

a. Role

  • Defines a set of permissions (verbs) for accessing specific resources (pods, services, etc.) within a namespace.

  • Example: A Role may allow a user to "get" or "list" pods in a namespace.

b. RoleBinding

  • Associates a Role with a user, group, or service account, granting them the permissions specified in the Role.

  • Works within the scope of a single namespace.

c. ClusterRole and ClusterRoleBinding

  • ClusterRole: Similar to a Role but not tied to a namespace; it can grant permissions on resources in every namespace and on cluster-scoped resources such as nodes.

  • ClusterRoleBinding: Associates a ClusterRole with a user, group, or service account at the cluster level.


4. Generating Keys and Certificates

  • Keys and certificates are used for TLS between cluster components and for authenticating clients (users, kubelets) to the API server.

  • Generating a Key:

    • Use OpenSSL or similar tools to generate a private key.

    • Example:

        openssl genpkey -algorithm RSA -out myprivatekey.key
      
  • Creating a Certificate Signing Request (CSR):

    • A CSR is required to generate a certificate signed by a Certificate Authority (CA).

    • Example:

        openssl req -new -key myprivatekey.key -out myrequest.csr
      
  • Generating a Certificate:

    • Have the CA sign the CSR to produce a certificate. Note that the example below instead self-signs the request with its own private key (-signkey), which is sufficient for local testing; a certificate issued by a CA is produced with the CA's certificate and key (-CA and -CAkey) rather than -signkey.

    • Example:

        openssl x509 -req -in myrequest.csr -signkey myprivatekey.key -out mycertificate.crt
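The three openssl steps above produce a certificate on its own; in Kubernetes, a client certificate is what turns the string "john" in the RoleBinding further down into an authenticated user, because the API server takes the username from the certificate's CN and the groups from its O fields. The following is an added shell example, not part of the original post, that builds john's key and CSR non-interactively and wraps the CSR in a Kubernetes CertificateSigningRequest for the built-in kube-apiserver-client signer. It assumes openssl and base64 are installed; the group name "developers" is a constructed value.

```shell
#!/usr/bin/env sh
# Added example: build a Kubernetes client-certificate request for a user.
# Assumes openssl and base64 are available. "developers" is a constructed group.
set -eu

# Generate a private key and a CSR whose subject carries the Kubernetes
# identity: CN becomes the username, O becomes a group name.
make_client_csr() {
    user="$1"; group="$2"; outdir="$3"
    mkdir -p "$outdir"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$outdir/$user.key"
    openssl req -new -key "$outdir/$user.key" \
        -subj "/CN=$user/O=$group" -out "$outdir/$user.csr"
    # The CSR object wants the PEM request base64-encoded on a single line.
    req=$(base64 < "$outdir/$user.csr" | tr -d '\n')
    cat > "$outdir/$user-csr.yaml" <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $user
spec:
  request: $req
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400
  usages:
  - client auth
EOF
    echo "$outdir/$user-csr.yaml"
}

# Print the CSR subject so the identity can be checked before approving it.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

main() {
    dir=$(mktemp -d)
    manifest=$(make_client_csr john developers "$dir")
    csr_subject "$dir/john.csr"
    echo "manifest written: $manifest"
    # Submitting, approving and fetching the signed cert needs a cluster:
    #   kubectl apply -f "$manifest"
    #   kubectl certificate approve john
    #   kubectl get csr john -o jsonpath='{.status.certificate}' | base64 -d > john.crt
}

main
```

Once the certificate is approved and issued on a live cluster, `kubectl auth can-i list pods --as john -n default` confirms that the pod-reader RoleBinding applies to this identity.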
      

5. Hands-On Practice with RBAC

Task 1: Creating a Role and RoleBinding

  1. Step 1: Create a Role named pod-reader to allow "get" and "list" permissions on pods.

     apiVersion: rbac.authorization.k8s.io/v1
     kind: Role
     metadata:
       namespace: default
       name: pod-reader
     rules:
     - apiGroups: [""]
       resources: ["pods"]
       verbs: ["get", "list"]
    
    • Apply the Role using:

        kubectl apply -f pod-reader.yaml
      
  2. Step 2: Create a RoleBinding to assign this Role to a user.

     apiVersion: rbac.authorization.k8s.io/v1
     kind: RoleBinding
     metadata:
       name: read-pods
       namespace: default
     subjects:
     - kind: User
       name: "john"
       apiGroup: rbac.authorization.k8s.io
     roleRef:
       kind: Role
       name: pod-reader
       apiGroup: rbac.authorization.k8s.io
    
    • Apply the RoleBinding using:

        kubectl apply -f read-pods.yaml
      

Task 2: Using ClusterRole and ClusterRoleBinding

  1. Step 1: Create a ClusterRole for accessing all pods across all namespaces.

     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRole
     metadata:
       name: cluster-pod-reader
     rules:
     - apiGroups: [""]
       resources: ["pods"]
       verbs: ["get", "list"]
    
    • Apply the ClusterRole using:

        kubectl apply -f cluster-pod-reader.yaml
      
  2. Step 2: Create a ClusterRoleBinding to assign the ClusterRole to a user.

     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
     metadata:
       name: cluster-read-pods
     subjects:
     - kind: User
       name: "john"
       apiGroup: rbac.authorization.k8s.io
     roleRef:
       kind: ClusterRole
       name: cluster-pod-reader
       apiGroup: rbac.authorization.k8s.io
    
    • Apply the ClusterRoleBinding using:

        kubectl apply -f cluster-read-pods.yaml
      

6. Real-Time Scenarios and Examples

  • Scenario 1: Granting Developers Limited Access: Allow a group of developers to view pods in a development namespace without giving them full administrative privileges.

  • Scenario 2: Securing Sensitive Resources: Use RBAC to ensure that only authorized personnel can access and modify production configurations.

  • Scenario 3: Automated DevOps Pipelines: Create service accounts bound to Roles that grant only the permissions a deployment job needs, so automated scripts run with least privilege.


Commands Recap

  • Create a Role:

      kubectl apply -f <role-file>.yaml
    
  • Create a RoleBinding:

      kubectl apply -f <rolebinding-file>.yaml
    
  • View Roles:

      kubectl get roles -n <namespace>
    
  • View RoleBindings:

      kubectl get rolebindings -n <namespace>
    
  • Generate a Key:

      openssl genpkey -algorithm RSA -out myprivatekey.key
    
  • Create a CSR:

      openssl req -new -key myprivatekey.key -out myrequest.csr
    
  • Generate a Certificate:

      openssl x509 -req -in myrequest.csr -signkey myprivatekey.key -out mycertificate.crt
    

🚀Thanks for joining me on Day 43! Let’s keep learning and growing together!

Happy Learning! 😊

#90DaysOfDevOps

💡
Follow for more updates on LinkedIn, GitHub and Twitter (X)
Written by

Kedar Pattanshetti