ruk·si

☸️ Kubernetes
Roles and Verbs

Updated at 2024-03-01 11:14

Role-based Access Control (RBAC):

  • Cluster has subjects (users, groups and service accounts), roles and role bindings.
  • Service accounts are subjects that act on the cluster e.g. my-account.
  • Roles have permissions; e.g. my-admin-role can create pod objects. Roles only grant: there is no deny rule, and permissions from several bindings add up.
  • Role bindings tell who has that role; e.g. my-account has my-admin-role.
  • Roles and role bindings are namespaced; the cluster-wide variants are ClusterRole and ClusterRoleBinding.

Service accounts are a standard way of giving cluster permissions to programs that want to use the Kubernetes API.

Kubernetes used to create a long-lived Secret token for every service account automatically. Since 1.24 it no longer does: a pod gets a short-lived, projected token mounted at /var/run/secrets/kubernetes.io/serviceaccount/token, and for anything outside a pod you mint one yourself with kubectl create token (or create the Secret by hand if you really need a token that never expires).

kubectl create serviceaccount my-service-account
kubectl get serviceaccounts my-service-account -o json

Check which RBAC API version the cluster serves. RBAC is authorization (what a subject may do), not authentication (who the subject is).

kubectl api-versions | grep rbac
# rbac.authorization.k8s.io/v1
# v1beta1 also shows up on clusters older than 1.22; it was removed in 1.22.

Role

kubectl apply -f - <<EOF
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: my-admin-role
  namespace: my-namespace
rules:
# A Role is namespaced: every rule below applies inside my-namespace only,
# so "get namespaces" works for my-namespace itself; listing all namespaces
# needs a ClusterRole.
- apiGroups: [""]           # "" is the core API group
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
# "*" covers every verb, but only on the pods resource itself. Subresources
# such as pods/exec, pods/log and pods/portforward are not included and
# have to be listed explicitly, e.g. resources: ["pods/exec"].
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["*"]
# Deployments moved from "extensions" to "apps" in 1.16; the old group is
# harmless to keep in a rule but is no longer served.
- apiGroups: ["apps", "extensions"]
  resources: ["deployments", "deployments/rollback", "deployments/scale"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
EOF

Role Binding

kubectl create rolebinding my-admin-role-to-sa-binding \
    --role=my-admin-role \
    --serviceaccount=my-namespace:my-service-account \
    --namespace=my-namespace

Can I?

You can check if a service account has a certain permission by impersonating it (this needs impersonate rights, which cluster-admin has). Give the namespace explicitly, otherwise the current context's namespace is used.

kubectl auth can-i create deployments \
    --namespace=my-namespace \
    --as=system:serviceaccount:my-namespace:my-service-account

Use --list instead of a verb and resource to print everything the subject may do in that namespace.
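How the authorizer answers that question, as an added example (not kubectl or the API server's own code): an offline model of the RBAC matching rules for a Role bound by a RoleBinding, run against my-admin-role and my-service-account from above and a few constructed requests. ClusterRoles, ClusterRoleBindings and group subjects are left out of the model, and the subresource check is the detail worth noticing: verbs ["*"] on pods does not allow pods/exec.

```python
"""
Offline model of the Kubernetes RBAC authorizer's matching rules, added as an
example for this note; it is not kubectl or the API server's own code. It
covers a Role bound by a RoleBinding (ClusterRoles, ClusterRoleBindings and
group subjects are left out) and uses the my-admin-role / my-service-account
objects from the note plus a few constructed requests.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    """Attributes the API server extracts from one authenticated request."""
    user: str          # e.g. system:serviceaccount:my-namespace:my-service-account
    verb: str          # get, list, watch, create, update, patch, delete, deletecollection
    api_group: str     # "" is the core group (pods, namespaces, ...)
    resource: str      # pods, deployments, ...
    namespace: str     # "" for cluster-scoped requests
    subresource: str = ""   # exec, log, scale, ...
    name: str = ""          # object name; empty for list, watch and create


@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)


@dataclass
class RoleBinding:
    namespace: str   # the binding, and the Role it references, apply only here
    subjects: list   # user names as the authorizer sees them
    rules: list      # rules of the bound Role


def _wild_or_exact(patterns, value):
    return "*" in patterns or value in patterns


def resource_matches(rule_resources, resource, subresource):
    """A "*" entry matches anything; a subresource must be spelled out as
    "pods/exec" or "*/exec"; a plain "pods" entry never covers "pods/exec"."""
    combined = f"{resource}/{subresource}" if subresource else resource
    for entry in rule_resources:
        if entry == "*" or entry == combined:
            return True
        if subresource and entry == f"*/{subresource}":
            return True
    return False


def rule_allows(rule, req):
    return (_wild_or_exact(rule.verbs, req.verb)
            and _wild_or_exact(rule.api_groups, req.api_group)
            and resource_matches(rule.resources, req.resource, req.subresource)
            and (not rule.resource_names or req.name in rule.resource_names))


def can_i(bindings, req):
    """Allow if a binding in the request's namespace names the user and one of
    its rules matches. RBAC is allow-only: nothing can take a permission away."""
    for binding in bindings:
        if binding.namespace != req.namespace or req.user not in binding.subjects:
            continue
        if any(rule_allows(rule, req) for rule in binding.rules):
            return True
    return False


# my-admin-role and its RoleBinding from the note, as the authorizer sees them.
SA = "system:serviceaccount:my-namespace:my-service-account"
MY_ADMIN_ROLE = [
    Rule([""], ["namespaces"], ["get", "list", "watch"]),
    Rule([""], ["pods"], ["*"]),
    Rule(["apps", "extensions"],
         ["deployments", "deployments/rollback", "deployments/scale"],
         ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]),
]
BINDINGS = [RoleBinding("my-namespace", [SA], MY_ADMIN_ROLE)]


def check(verb, resource, api_group="", namespace="my-namespace", subresource="", name=""):
    """Same question as `kubectl auth can-i`, answered against the model."""
    req = Request(SA, verb, api_group, resource, namespace, subresource, name)
    return can_i(BINDINGS, req)


if __name__ == "__main__":
    for args in [("create", "deployments", "apps"),
                 ("delete", "pods"),
                 ("create", "pods", "", "my-namespace", "exec"),   # pods/exec is not covered by "pods"
                 ("get", "pods", "", "other-namespace")]:          # binding is in my-namespace only
        print(args, "->", "yes" if check(*args) else "no")
```

The last two checks are the ones that bite in practice: a "*" on pods still does not let the account exec into a container, and a RoleBinding in my-namespace says nothing about other namespaces, so a request there is denied even though the Role would match.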

Verbs

Which resources exist and which verbs each of them supports depend on the cluster (API server version, enabled API groups and installed CRDs); the VERBS column of the wide listing shows them.

kubectl api-resources --sort-by name -o wide

Generally, Kubernetes objects have the following verbs:

# order: CRUD
create  # allow POST HTTP method for an object

get     # allow GET and HEAD HTTP methods for a single, named object
list    # allow GET and HEAD HTTP methods for a collection of objects
watch   # allow GET with ?watch=true, which streams changes to an object or a collection

update  # allow PUT HTTP method for an object
patch   # allow PATCH HTTP method for an object

delete            # allow DELETE HTTP method for a single object
deletecollection  # allow DELETE HTTP method for a collection of objects

What they actually do depends on the object: create on pods/exec, for example, opens a shell in a running container, and create on serviceaccounts/token mints a token for that account. A few verbs are not derived from an HTTP method at all: bind and escalate on roles and clusterroles, and impersonate on users, groups and serviceaccounts. Each of them lets a subject obtain permissions it does not hold itself, so treat them like admin rights.
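The mapping above, run in the other direction, as an added example (a simplified re-implementation of how the API server turns a request into the verb, API group, resource, namespace, name and subresource it authorizes; not the server's code). The request paths, namespace and object names are constructed sample input in the shapes kubectl produces; this is also the shape you see in audit log requestURI fields.

```python
"""
Map an HTTP request to the attributes the API server authorizes (verb, API
group, resource, namespace, name, subresource). Added example for this note:
a simplified re-implementation of the API server's request parsing, not its
code. The paths, namespace and object names below are constructed sample
input in the shapes kubectl produces.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# HTTP method -> RBAC verb for a request that names one object.
METHOD_TO_VERB = {"POST": "create", "GET": "get", "HEAD": "get",
                  "PUT": "update", "PATCH": "patch", "DELETE": "delete"}


@dataclass(frozen=True)
class RequestInfo:
    verb: str
    api_group: str    # "" is the core group, served under /api/v1
    resource: str
    namespace: str    # "" for cluster-scoped requests
    name: str         # "" for collection requests
    subresource: str  # "" when the request targets the object itself


def request_info(method, url):
    """Parse /api/v1/... or /apis/<group>/<version>/... into RequestInfo.
    The legacy /watch/ path prefix is not handled."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    if len(segs) < 2 or segs[0] not in ("api", "apis"):
        raise ValueError(f"not a resource path: {parts.path}")
    if segs[0] == "api":
        group, segs = "", segs[2:]        # /api/v1/<resource>...
    else:
        group, segs = segs[1], segs[3:]   # /apis/<group>/<version>/<resource>...

    namespace = ""
    if len(segs) > 1 and segs[0] == "namespaces":
        namespace = segs[1]
        if len(segs) > 2:
            segs = segs[2:]               # a namespaced resource follows
        # otherwise the request targets the namespace object itself and
        # "namespaces"/<name> stays in place as resource/name
    if not segs:
        raise ValueError(f"no resource in path: {parts.path}")
    resource = segs[0]
    name = segs[1] if len(segs) > 1 else ""
    subresource = segs[2] if len(segs) > 2 else ""

    verb = METHOD_TO_VERB[method.upper()]
    if not name:                          # collection request
        if verb == "get":
            watch = parse_qs(parts.query).get("watch", [""])[0].lower()
            verb = "watch" if watch not in ("", "false", "0") else "list"
        elif verb == "delete":
            verb = "deletecollection"
    return RequestInfo(verb, group, resource, namespace, name, subresource)


if __name__ == "__main__":
    samples = [  # constructed requests in the shapes kubectl sends
        ("GET", "/api/v1/namespaces/my-namespace/pods"),
        ("GET", "/api/v1/namespaces/my-namespace/pods?watch=true"),
        ("POST", "/api/v1/namespaces/my-namespace/pods/web-0/exec?command=sh"),
        ("PATCH", "/apis/apps/v1/namespaces/my-namespace/deployments/web"),
        ("DELETE", "/apis/apps/v1/namespaces/my-namespace/deployments"),
        ("GET", "/api/v1/namespaces/my-namespace"),
        ("GET", "/api/v1/nodes"),
    ]
    for method, url in samples:
        print(f"{method:6} {url:58} -> {request_info(method, url)}")
```

Two results to note: the POST behind kubectl exec is authorized as create on pods/exec with the pod's name, which is why a rule on plain pods never grants it, and a GET of /api/v1/namespaces/my-namespace is authorized as get on namespaces with the namespace attribute set to my-namespace, which is why a namespaced Role can grant it.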