
[cka] Role Based Access Controls

by Geunny 2024. 7. 19.

1. Inspect the environment and identify the authorization modes configured on the cluster. Check the kube-apiserver settings.

 

controlplane ~ ➜  k describe pod -n kube-system kube-apiserver | grep author
      --authorization-mode=Node,RBAC

 

answer : Node,RBAC

 

2. How many roles exist in the default namespace?

controlplane ~ ➜  k get role
No resources found in default namespace.

 

answer : 0

 

3. How many roles exist in all namespaces together?

controlplane ~ ➜  k get role -A --no-headers | wc -l
12

answer : 12

 

4. What are the resources the kube-proxy role in the kube-system namespace is given access to?

controlplane ~ ➜  kubectl describe role kube-proxy -n kube-system
Name:         kube-proxy
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources   Non-Resource URLs  Resource Names  Verbs
  ---------   -----------------  --------------  -----
  configmaps  []                 [kube-proxy]    [get]

 

answer : configmaps

 

5. What actions can the kube-proxy role perform on configmaps?

 

answer : GET

 

6. Which of the following statements are true?

 

answer : kube-proxy role can get details of all configmap objects by the name kube-proxy only

Because the role only grants the get verb, and the rule is restricted by resourceNames to the single configmap named kube-proxy.

 

7. Which account is the kube-proxy role assigned to?

https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding

 


controlplane ~ ✖ kubectl describe rolebinding kube-proxy -n kube-system
Name:         kube-proxy
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  kube-proxy
Subjects:
  Kind   Name                                             Namespace
  ----   ----                                             ---------
  Group  system:bootstrappers:kubeadm:default-node-token

 

answer : Group  system:bootstrappers:kubeadm:default-node-token

 

8. A user dev-user is created. User's details have been added to the kubeconfig file. Inspect the permissions granted to the user. Check if the user can list pods in the default namespace. Use the --as dev-user option with kubectl to run commands as the dev-user.

 

controlplane ~ ➜  kubectl get pods --as dev-user
Error from server (Forbidden): pods is forbidden: User "dev-user" cannot list resource "pods" in API group "" in the namespace "default"

 

answer : dev-user does not have permissions to list pods

 

9. Create the necessary roles and role bindings required for the dev-user to create, list and delete pods in the default namespace. Use the given spec:

Role: developer 
Role Resources: pods 
Role Actions: list 
Role Actions: create 
Role Actions: delete 
RoleBinding: dev-user-binding 
RoleBinding: Bound to dev-user

vi role-and-binding.yaml

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: developer
rules:
- apiGroups: [""]          # core API group (pods live here)
  resources: ["pods"]
  verbs: ["list", "create", "delete"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-binding
  namespace: default       # a RoleBinding is namespaced; keep it with the Role it references
subjects:
- kind: User
  name: dev-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
#####

controlplane ~ ➜  k apply -f role-and-binding.yaml
role.rbac.authorization.k8s.io/developer created
rolebinding.rbac.authorization.k8s.io/dev-user-binding created

 

 

10. A set of new roles and role-bindings are created in the blue namespace for the dev-user. However, the dev-user is unable to get details of the dark-blue-app pod in the blue namespace. Investigate and fix the issue. We have created the required roles and rolebindings, but something seems to be wrong.

 

controlplane ~ ➜  kubectl edit role developer -n blue
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2024-07-19T13:23:32Z"
  name: developer
  namespace: blue
  resourceVersion: "682"
  uid: 1150dbe1-9eaa-429b-aecb-b4430dbce767
rules:
- apiGroups:
  - ""
  resourceNames:
  - blue-app
  - dark-blue-app # added
  resources:
  - pods
  verbs:
  - get
  
  ...
  
controlplane ~ ✖ kubectl edit role developer -n blue
role.rbac.authorization.k8s.io/developer edited

 

11. Add a new rule in the existing role developer to grant the dev-user permissions to create deployments in the blue namespace. Remember to add api group "apps".

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2024-07-19T13:23:32Z"
  name: developer
  namespace: blue
  resourceVersion: "4359"
  uid: 1150dbe1-9eaa-429b-aecb-b4430dbce767
rules:
- apiGroups:
  - ""
  resourceNames:
  - blue-app
  - dark-blue-app
  resources:
  - pods
  verbs:
  - get
  - watch
  - create
  - delete
- apiGroups: ## added: this line and everything below it
  - apps
  resources:
  - deployments
  verbs:
  - create
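The two fixes above (Q10: the missing resourceNames entry, Q11: the apps API group) both come down to how a single RBAC rule is matched against a request. The following Python is an added illustration, not code from the blog or from Kubernetes; it is a small model of the RBAC rule-matching semantics (every field of a rule must match, and a rule that lists resourceNames never matches a request that carries no object name, such as list or create), with the Role rules re-typed from the YAML on this page and the kube-proxy role from Q4. It assumes nothing outside the Python standard library.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Rule:
    """One entry of a Role's `rules:` list (fields as in rbac.authorization.k8s.io/v1)."""
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)


@dataclass
class Request:
    """The attributes the authorizer sees for one API request."""
    verb: str
    api_group: str          # "" is the core group (pods, configmaps); "apps" for deployments
    resource: str
    name: str = ""          # empty for list/watch/create: those requests name no object


def _matches(allowed: List[str], value: str) -> bool:
    # "*" in a rule field matches anything for that field.
    return "*" in allowed or value in allowed


def rule_allows(rule: Rule, req: Request) -> bool:
    """A rule grants a request only when verb, apiGroup, resource and (if set) resourceNames all match."""
    if not _matches(rule.verbs, req.verb):
        return False
    if not _matches(rule.api_groups, req.api_group):
        return False
    if not _matches(rule.resources, req.resource):
        return False
    # A rule scoped to named objects cannot grant a request without a name,
    # so resourceNames never widens to list/watch/create.
    if rule.resource_names and req.name not in rule.resource_names:
        return False
    return True


def role_allows(rules: List[Rule], req: Request) -> bool:
    """RBAC is purely additive: any one matching rule grants the request."""
    return any(rule_allows(r, req) for r in rules)


def check(rules: List[Rule], verb: str, api_group: str, resource: str, name: str = "") -> bool:
    return role_allows(rules, Request(verb, api_group, resource, name))


# Rules re-typed from this page (constructed sample data).
KUBE_PROXY = [Rule([""], ["configmaps"], ["get"], ["kube-proxy"])]                       # Q4
DEVELOPER_BLUE_BEFORE = [Rule([""], ["pods"], ["get"], ["blue-app"])]                    # Q10, as found
DEVELOPER_BLUE_FIXED = [Rule([""], ["pods"], ["get"], ["blue-app", "dark-blue-app"])]     # Q10, after edit
DEVELOPER_BLUE_Q11 = [                                                                   # Q11, after edit
    Rule([""], ["pods"], ["get", "watch", "create", "delete"], ["blue-app", "dark-blue-app"]),
    Rule(["apps"], ["deployments"], ["create"]),
]


if __name__ == "__main__":
    print("Q6  kube-proxy get configmap/kube-proxy :", check(KUBE_PROXY, "get", "", "configmaps", "kube-proxy"))
    print("Q6  kube-proxy list configmaps          :", check(KUBE_PROXY, "list", "", "configmaps"))
    print("Q10 before, get pod/dark-blue-app       :", check(DEVELOPER_BLUE_BEFORE, "get", "", "pods", "dark-blue-app"))
    print("Q10 fixed,  get pod/dark-blue-app       :", check(DEVELOPER_BLUE_FIXED, "get", "", "pods", "dark-blue-app"))
    print("Q11 create deployments in apps          :", check(DEVELOPER_BLUE_Q11, "create", "apps", "deployments"))
    print("Q11 create deployments in core group    :", check(DEVELOPER_BLUE_Q11, "create", "", "deployments"))
```

Two things the model makes visible that the YAML alone does not: the Q11 rule's `create` and `delete` verbs on pods are effectively inert because that rule carries resourceNames and a create request has no name yet, and putting `deployments` under the core group `""` instead of `apps` would grant nothing, which is why the lab insists on the `apps` API group.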
