Exercise
Make sure user thomas can list the Pods cluster wide
Make sure user thomas can create a port-forward on all the Pods in the dev Namespace
Make sure user thomas can create, list, get, update, delete the Deployments in the dev Namespace
Make sure user patrick can manage (all actions) the Deployment named www in the dev Namespace
Delete the Role / ClusterRole / RoleBinding / ClusterRoleBinding created as well as the dev Namespace.
Documentation
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
- https://kubernetes.io/docs/reference/kubectl/generated/kubectl_auth/kubectl_auth_can-i/
Solution
- Make sure user thomas can list the Pods cluster wide
Start by creating a ClusterRole that allows listing the Pods in the entire cluster:
k create clusterrole list-pods --verb list --resource pods
Associate the ClusterRole to thomas via a ClusterRoleBinding:
k create clusterrolebinding thomas-list-pods --clusterrole list-pods --user thomas
Verify:
k auth can-i list pods --as thomas
yes
- Make sure user thomas can create a port-forward on all the Pods in the dev Namespace
First create the dev Namespace:
k create ns dev
Create the Role (port-forward is the forward subresource of pods):
k create role port-forward --verb create --resource pods/forward --namespace dev
Associate the Role to thomas via a RoleBinding:
k create rolebinding thomas-port-forward --role port-forward --user thomas --namespace dev
Verify:
k auth can-i create pods --subresource=forward --as thomas --namespace dev
yes
- Make sure user thomas can create, list, get, update, delete the Deployments in the dev Namespace
Create the Role:
k create role manage-deployment --verb create,list,get,update,delete --resource deployments.apps --namespace dev
Associate the Role to thomas via a RoleBinding:
k create rolebinding thomas-manage-deployment --role manage-deployment --user thomas --namespace dev
Verify:
k auth can-i create deployments.apps --as thomas --namespace dev
yes
- Make sure user patrick can manage (all actions) the Deployment named www in the dev Namespace
Create a Role that allows managing only the Deployment named www (the --resource-name flag restricts the rule to that object):
k create role manage-www-deployment --verb="*" --resource=deployment.apps --resource-name=www -n dev
Associate that Role to user patrick via a RoleBinding:
k create rolebinding patrick-manage-www-deployment --user=patrick --role=manage-www-deployment -n dev
Verify:
k auth can-i "*" deploy/www --as patrick -n dev
yes
- Delete the Role / ClusterRole / RoleBinding / ClusterRoleBinding created as well as the dev Namespace
k delete rolebinding patrick-manage-www-deployment thomas-manage-deployment thomas-port-forward -n dev
k delete role manage-www-deployment manage-deployment port-forward -n dev
k delete clusterrolebinding thomas-list-pods
k delete clusterrole list-pods
k delete ns dev
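The four bindings above are easy to get subtly wrong (a RoleBinding that silently covers only its own Namespace, a resourceNames rule that does not protect other objects), and `kubectl auth can-i` only answers one question at a time. The following is an added example, not part of the original exercise: a simplified offline Python model of the RBAC evaluation, loaded with the same four bindings as constructed data, so the allow and deny matrix (including the negative cases a reviewer would check) can be reasoned about without a cluster. Object names, the "prod" Namespace and the "api" Deployment are assumptions used only for the negative checks.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Rule:
    verbs: Set[str]
    resources: Set[str]                       # "pods", "pods/forward", "deployments"
    resource_names: Set[str] = field(default_factory=set)  # empty = any object name

@dataclass
class Binding:
    user: str
    namespace: Optional[str]                  # None = ClusterRoleBinding (all namespaces)
    rules: List[Rule]

# Constructed data: the bindings the solution creates, in declarative form.
BINDINGS = [
    Binding("thomas", None, [Rule({"list"}, {"pods"})]),                 # thomas-list-pods
    Binding("thomas", "dev", [Rule({"create"}, {"pods/forward"})]),      # thomas-port-forward
    Binding("thomas", "dev", [Rule({"create", "list", "get", "update", "delete"},
                                   {"deployments"})]),                   # thomas-manage-deployment
    Binding("patrick", "dev", [Rule({"*"}, {"deployments"}, {"www"})]),  # patrick-manage-www-deployment
]

def can_i(user: str, verb: str, resource: str,
          namespace: Optional[str] = None, name: Optional[str] = None) -> bool:
    """Simplified model of `kubectl auth can-i`: True if any binding for the user
    grants the verb on the resource. namespace=None is a cluster-wide request,
    which only a ClusterRoleBinding satisfies; a RoleBinding covers its own
    Namespace only. Aggregation and non-resource URLs are not modelled."""
    for b in BINDINGS:
        if b.user != user or (b.namespace is not None and b.namespace != namespace):
            continue
        for r in b.rules:
            if "*" not in r.verbs and verb not in r.verbs:
                continue
            if "*" not in r.resources and resource not in r.resources:
                continue
            if r.resource_names and name not in r.resource_names:
                continue  # resourceNames limits the grant to the named objects
            return True
    return False

Check = Tuple[str, str, Optional[str], Optional[str]]  # verb, resource, namespace, name

def audit(user: str) -> Dict[Check, bool]:
    """Allow/deny matrix for a user: the positive checks from the exercise plus
    the negative ones (other Namespace, other object name, cluster scope)."""
    checks: List[Check] = [
        ("list", "pods", None, None), ("create", "pods/forward", "dev", None),
        ("create", "pods/forward", "prod", None), ("delete", "deployments", "dev", "www"),
        ("delete", "deployments", "dev", "api"), ("delete", "deployments", None, None),
    ]
    return {c: can_i(user, *c) for c in checks}
```

Run `audit("thomas")` and `audit("patrick")` and compare each entry with the corresponding `k auth can-i` call on a real cluster; any disagreement points at a binding whose scope differs from what was intended.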