Intro
Permissions on a cluster are one of the first things you and your team need to sort out before you start deploying applications to it. Role-based access control (RBAC) decides who may do what, so that one user cannot shut down or delete another user's application running on the same cluster (keeping an application from consuming all the memory on the cluster is a separate concern, handled with resource quotas and limits rather than with RBAC). To scope the permissions we are going to create a namespace that holds all the resources associated with a particular application; to do that just run the following command in the terminal:

$ kubectl create namespace [MY_NAMESPACE]
Create ServiceAccount & Role
The ServiceAccount is the Kubernetes object that will be used for authentication (its token identifies the caller), and the Role is what will be used for authorization (what that identity may do inside the namespace). To create them we write two manifest files (YAML files), one for the ServiceAccount and one for the Role.

# File: service_account.yml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: [SERVICE_ACCOUNT_NAME]
  namespace: [MY_NAMESPACE]

Note: Replace [SERVICE_ACCOUNT_NAME] with the name you want to use for the ServiceAccount (for example developer) and [MY_NAMESPACE] with the name of the namespace you chose in the previous step.

Then another manifest file is required for the Role; here is its content:

# File: role.yml
# Use rbac.authorization.k8s.io/v1: the older v1beta1 RBAC API was removed in
# Kubernetes 1.22 and manifests that still use it are rejected.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: [MY_NAMESPACE]
  name: [ROLE_NAME]
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

Again, replace [ROLE_NAME] with the name of the role (for example developers) and [MY_NAMESPACE] with the name of the namespace.
In this case we give the Role full access over everything in the namespace, but you can fully customize which actions the Role may perform and over which resources. The verbs RBAC understands are the API verbs (get, list, watch, create, update, patch, delete, deletecollection), not kubectl subcommands: kubectl describe is get plus list on the object, kubectl logs is get on the pods/log subresource, and kubectl exec is create on the pods/exec subresource. Resources outside the core API group, such as Deployments, must also name their group (apps) in apiGroups. A wildcard Role like the one above lets the holder read every Secret in the namespace and edit the RoleBinding that grants their own access, so narrow it down before handing the token to anyone.
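As an added example (not code from the original post), here is a least-privilege Role rendered from a small shell function, in place of the "*" rules above. The namespace myapp, the role name developers and the ServiceAccount developer used in the usage lines are assumptions for illustration; the function and the check that follows run offline, while the kubectl lines at the bottom need a real cluster.

```sh
#!/bin/sh
# Added example, not from the original post: a least-privilege Role for one
# application namespace, in place of apiGroups/resources/verbs "*".
# The namespace "myapp" and role name "developers" used below are illustrative.

# render_role NAMESPACE ROLE_NAME
# Prints a Role that lets a developer inspect, debug and roll out workloads in
# NAMESPACE. It deliberately grants nothing on Secrets, Roles or RoleBindings,
# so the holder can neither read credentials nor widen their own access.
render_role() {
  ns=$1
  name=$2
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: ${ns}
  name: ${name}
rules:
# kubectl get / describe need get, list and watch on the objects themselves
- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "events"]
  verbs: ["get", "list", "watch"]
# kubectl logs reads the pods/log subresource
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get"]
# kubectl exec and kubectl port-forward open a stream, which RBAC models as create
- apiGroups: [""]
  resources: ["pods/exec", "pods/portforward"]
  verbs: ["create"]
# Deployments live in the apps API group, not in the core ("") group
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "update", "patch"]
EOF
}

# role_grants NAMESPACE ROLE_NAME RESOURCE
# Succeeds when the rendered Role names RESOURCE in one of its rules; a cheap
# offline check that a resource you meant to keep out (e.g. secrets) is absent.
role_grants() {
  render_role "$1" "$2" | grep -q "\"$3\""
}

# Usage (needs a cluster; shown here, not run). Impersonating the ServiceAccount
# with --as confirms what the binding really allows before handing the token out:
#   render_role myapp developers > role.yml && kubectl apply -f role.yml
#   kubectl auth can-i get pods -n myapp --as=system:serviceaccount:myapp:developer     # yes
#   kubectl auth can-i get secrets -n myapp --as=system:serviceaccount:myapp:developer  # no
#   kubectl auth can-i --list -n myapp --as=system:serviceaccount:myapp:developer
```

The kubectl auth can-i lines are the check worth running after the RoleBinding exists: they evaluate the request as the ServiceAccount itself, so they reflect the bindings actually in place rather than what the manifest was meant to say.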
Once you have those files, simply execute the following command (make sure you have the rights to create these objects on the cluster). Each file needs its own -f flag; kubectl apply does not accept extra file names as positional arguments:

$ kubectl apply -f ./service_account.yml -f ./role.yml
Create Associations
After creating the ServiceAccount and Role objects we need to associate them. To do that we create a RoleBinding, which relates the Role to the ServiceAccount:

# File: role_binding.yml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: [ROLE_BINDING_NAME]
  namespace: [MY_NAMESPACE]
roleRef:
  kind: Role
  name: [ROLE_NAME]
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  namespace: [MY_NAMESPACE]
  name: [SERVICE_ACCOUNT_NAME]

This binds the Role to the ServiceAccount and grants it the Role's rights inside the namespace (and nothing outside it). You can bind the same Role to multiple ServiceAccounts if you need to.

$ kubectl apply -f role_binding.yml
Use cluster as new user
Finally we need to configure access to the cluster on the developer's machine. For that we need a token for the ServiceAccount. On clusters before Kubernetes 1.24 a Secret holding a long-lived token is created automatically for every ServiceAccount, and you can read it with the following command:

$ kubectl get secrets -n [MY_NAMESPACE] | grep [SERVICE_ACCOUNT_NAME] | cut -d' ' -f1 | \
    xargs kubectl describe secret -n [MY_NAMESPACE] | grep "token:" | tr -s ' ' | cut -d' ' -f2

Additionally you can pipe the result into pbcopy on macOS (or an equivalent such as xclip on Linux) to copy it to your clipboard; otherwise copy the output of the last command. On Kubernetes 1.24 and later these Secrets are no longer created automatically, so the command above finds nothing; request a short-lived token with the kubectl create token subcommand instead. That is preferable on any version, because the token expires instead of living forever in a Secret that anyone with read access to the namespace can copy.
Then you will need the cluster URL. In the following example I show how to obtain it from an AWS EKS cluster:

$ AWS_PROFILE=[PROFILE_NAME] aws eks describe-cluster --name [CLUSTER_NAME]
Note: AWS_PROFILE is only required if you have more than one profile configured on your machine
From the output you need to copy the cluster endpoint and the cluster's certificate authority (certificateAuthority.data, which is the CA certificate base64-encoded); the CA is what lets the developer's kubectl verify that it is talking to the real API server rather than to something impersonating it.

If you have jq (https://stedolan.github.io/jq/) installed you can simply execute the following command:

$ AWS_PROFILE=[PROFILE_NAME] aws eks describe-cluster --name [CLUSTER_NAME] | \
    jq -r ".cluster.endpoint, .cluster.certificateAuthority.data"

Give the cluster endpoint, the CA (decoded from base64 into a file, [CA_FILE]) and the token obtained above to the developer, and ask them to execute the following commands on their machine:

$ kubectl config set-credentials [CREDENTIAL_NAME] --token=[TOKEN]
# [CA_FILE] holds the cluster CA certificate (certificateAuthority.data from
# aws eks describe-cluster, base64-decoded). Do not use --insecure-skip-tls-verify
# here: it disables server verification, so anyone on the network path could
# impersonate the API server and collect the token.
$ kubectl config set-cluster [CLUSTER_NAME] --server=[CLUSTER_ENDPOINT] \
    --certificate-authority=[CA_FILE] --embed-certs=true
$ kubectl config set-context [CONTEXT_NAME] --cluster=[CLUSTER_NAME] --user=[CREDENTIAL_NAME] \
    --namespace=[MY_NAMESPACE]
$ kubectl config use-context [CONTEXT_NAME]
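As an added example (not code from the original post), the following shell function writes the same kubeconfig in one step from the endpoint, the base64 CA and the token, with the CA pinned rather than TLS verification skipped, plus a check you can run on any kubeconfig before handing it over. The cluster name dev-cluster, the namespace myapp, the ServiceAccount developer and the values in the usage lines are assumptions for illustration; the functions run offline, while the aws and kubectl lines at the bottom need real credentials.

```sh
#!/bin/sh
# Added example, not from the original post: write the developer's kubeconfig
# with the cluster CA pinned instead of --insecure-skip-tls-verify=true, which
# would let anything on the network path impersonate the API server and collect
# the token. Names such as "dev-cluster", "myapp" and "developer" and the values
# in the usage section are illustrative.

# write_kubeconfig FILE CLUSTER_NAME ENDPOINT CA_B64 NAMESPACE TOKEN
# CA_B64 is the base64 CA exactly as EKS returns it in
# .cluster.certificateAuthority.data, so it is pasted in without decoding.
write_kubeconfig() {
  file=$1; cluster=$2; endpoint=$3; ca_b64=$4; ns=$5; token=$6
  # the file carries a bearer token, so create it owner-readable only
  ( umask 077; cat > "$file" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${cluster}
  cluster:
    server: ${endpoint}
    certificate-authority-data: ${ca_b64}
users:
- name: ${cluster}-developer
  user:
    token: ${token}
contexts:
- name: ${cluster}-developer
  context:
    cluster: ${cluster}
    user: ${cluster}-developer
    namespace: ${ns}
current-context: ${cluster}-developer
EOF
  )
  chmod 600 "$file"
}

# kubeconfig_is_safe FILE
# Succeeds only if FILE pins a CA and never disables TLS verification; run it
# on any kubeconfig before handing it to a developer.
kubeconfig_is_safe() {
  grep -q '^ *certificate-authority-data: ' "$1" &&
  ! grep -q 'insecure-skip-tls-verify' "$1"
}

# On the admin's machine (needs aws and kubectl; shown here, not run):
#   ENDPOINT=$(aws eks describe-cluster --name dev-cluster --query cluster.endpoint --output text)
#   CA=$(aws eks describe-cluster --name dev-cluster --query cluster.certificateAuthority.data --output text)
#   TOKEN=$(kubectl create token developer -n myapp --duration=8h)   # Kubernetes 1.24+, expires
#   write_kubeconfig developer.kubeconfig dev-cluster "$ENDPOINT" "$CA" myapp "$TOKEN"
#   kubeconfig_is_safe developer.kubeconfig && echo ok
# The developer then runs:  KUBECONFIG=$PWD/developer.kubeconfig kubectl get pods
```

Because the context carries the namespace, the developer never has to pass -n, and because the token comes from kubectl create token it stops working after the requested duration; re-running the last four lines issues a fresh one without touching the Role or RoleBinding.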
That's it; now the developer can run kubectl against the cluster with the given rights, limited to [MY_NAMESPACE].