Authentication and Authorization
================================================
Authentication
- How does a user log in and get into the cluster?
- Certificate based - kubeconfig
- Token - joining nodes
Authorization
- Node
- ABAC
- RBAC [ FOCUS ]
- Webhook
=================================================
Certificate based
How does certificate-based authentication work?

```shell
# USER runs these commands on the workstation
# Create a private key
$ openssl genrsa -out employee.key 2048
# Create the CSR file. Kubernetes takes CN as the username and O as the group name.
$ openssl req -new -key employee.key -out employee.csr -subj "/CN=employee/O=bitnami"

# How to send the CSR file to the CA (master admin or K8s admin)
# - manually, e.g. by email
# - via the CSR API

# ADMIN runs these commands (on the machine that holds the cluster CA key, /etc/kubernetes/pki/ca.key)
$ openssl x509 -req -in employee.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out employee.crt -days 500
# -days 500 gives a long-lived client cert; Kubernetes does not check certificate revocation,
# so a shorter lifetime limits the damage if employee.key is lost.

# ADMIN sends employee.crt back to the USER
# - manually, e.g. by email
# - via the CSR API: the user can download it themselves

# USER sets employee.key & employee.crt in the kubeconfig file
$ kubectl config set-credentials employee --client-certificate=/root/employee.crt --client-key=/root/employee.key
$ kubectl config view
$ kubectl config set-context employee-context --cluster=kubernetes --namespace=office --user=employee
$ kubectl config view
$ kubectl create namespace office
$ kubectl --context=employee-context get pods
[root@rajesh ~]# kubectl --context=employee-context get pods
Error from server (Forbidden): pods is forbidden: User "employee" cannot list resource "pods" in API group "" in the namespace "office"
# So far we have only enabled authentication for employee: the API server knows who he is,
# but he has no authorization (no rights) on K8s yet.
```
Shell history of the session:

```shell
kubectl create namespace office
kubectl --context=employee-context get pods
kubectl --context=employee-context get pods -n=office
kubectl get sa
kubectl get sa -n=office
kubectl api-resources
kubectl api-resources | grep rbac
kubectl api-resources | grep exten
kubectl get roles
kubectl get roles -n=office
ls
vi role.yaml
kubectl apply -f role.yaml
kubectl get roles
kubectl get roles -n=office
vi rb.yaml
kubectl apply -f rb.yaml
kubectl get rolebinding -n=office
kubectl --context=employee-context run nginx --image=nginx
kubectl --context=employee-context get svc
kubectl --context=employee-context get pods
kubectl create sa deploy
kubectl get sa
```
===================================================================================
Types of users in K8s
- SA (ServiceAccount) ====> an API resource
- Normal User ====>
================================
Level of access
- Namespace
- Cluster level
Types of access (verbs)
-----------------------------------
"get", "list", "watch", "create", "update", "patch", "delete"
Which API resources or API groups should access be given to?
=================================================
kubectl api-resources
RBAC
--------------------------
TYPES OF ROLES
- Role -----> gives access at namespace level
- ClusterRole -----> gives access at cluster level
USER|GROUP ===== USING ROLEBINDING =======> ROLE == the subject gets namespace-level access
USER|GROUP ===== USING CLUSTERROLEBINDING ==> CLUSTERROLE == the subject gets cluster-level access
Role
- What resources
- What level
ClusterRole
- What resources
- What level
role.yaml - a Role is namespace-scoped, so this one only ever applies inside "office":

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: office
  name: deployment-manager
rules:
# "" is the core API group (pods); "apps" holds deployments and replicasets.
# "extensions" is kept as in the original notes; current clusters serve these kinds from "apps".
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

rb.yaml - binds the user "employee" to that Role in the same namespace:

```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployment-manager-binding
  namespace: office
subjects:
- kind: User
  name: employee
  # User and Group subjects belong to the rbac.authorization.k8s.io group.
  # The original notes wrote apiGroup: "" here, which the API server defaults to this value.
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: deployment-manager
  # roleRef.apiGroup is likewise defaulted from "" to rbac.authorization.k8s.io; spelling it out is clearer.
  apiGroup: rbac.authorization.k8s.io
```
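As an added example (not code from the original notes), the Python below models the two steps these notes walk through: how the API server turns the certificate subject from the `openssl req -subj` step into a username and groups (CN and O), and how the deployment-manager Role and RoleBinding above are evaluated for a request. The authorizer is a simplified model of RBAC: it handles Role and RoleBinding, User and Group subjects and the `*` wildcard, and leaves out ClusterRole, ClusterRoleBinding, ServiceAccount subjects and resourceNames. The identity `someone-else` and the group binding used in the demo are constructed for illustration.

```python
"""Added example, not part of the original notes: a small model of client-certificate
authentication (subject -> identity) followed by namespace-scoped RBAC authorization.
Simplified: Role/RoleBinding only; ClusterRole, ClusterRoleBinding, ServiceAccount
subjects and resourceNames are not modelled."""

from typing import Dict, List, Optional


def identity_from_subject(subject: str) -> Dict[str, object]:
    """Parse an openssl-style subject such as "/CN=employee/O=bitnami".

    Kubernetes uses CN as the username and every O value as a group, and puts
    every authenticated user into the group system:authenticated.
    """
    user: Optional[str] = None
    groups: List[str] = []
    for part in filter(None, subject.split("/")):
        key, _, value = part.partition("=")
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    if not user:
        raise ValueError("subject has no CN, so the certificate identifies no user")
    return {"user": user, "groups": groups + ["system:authenticated"]}


# role.yaml and rb.yaml from the notes, as dicts (apiVersion omitted).
ROLES = [{
    "kind": "Role",
    "metadata": {"namespace": "office", "name": "deployment-manager"},
    "rules": [{
        "apiGroups": ["", "extensions", "apps"],
        "resources": ["deployments", "replicasets", "pods"],
        "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"],
    }],
}]

BINDINGS = [{
    "kind": "RoleBinding",
    "metadata": {"namespace": "office", "name": "deployment-manager-binding"},
    "subjects": [{"kind": "User", "name": "employee"}],
    "roleRef": {"kind": "Role", "name": "deployment-manager"},
}]


def _matches(allowed: List[str], value: str) -> bool:
    # RBAC treats "*" as a wildcard in apiGroups, resources and verbs.
    return "*" in allowed or value in allowed


def rule_allows(rule: dict, verb: str, api_group: str, resource: str) -> bool:
    return (_matches(rule["verbs"], verb)
            and _matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource))


def subject_matches(subject: dict, identity: dict) -> bool:
    if subject["kind"] == "User":
        return subject["name"] == identity["user"]
    if subject["kind"] == "Group":
        return subject["name"] in identity["groups"]
    return False  # ServiceAccount subjects are not modelled here


def authorize(identity: dict, verb: str, api_group: str, resource: str,
              namespace: str, roles=ROLES, bindings=BINDINGS) -> bool:
    """RBAC is allow-only and default-deny: the request passes only if some
    RoleBinding in `namespace` names the identity and references a Role in that
    same namespace with a rule covering verb/apiGroup/resource. A binding in
    "office" therefore grants nothing in "default", and a dangling roleRef
    grants nothing at all."""
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue
        if not any(subject_matches(s, identity) for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        role = next((r for r in roles
                     if r["kind"] == ref["kind"] == "Role"
                     and r["metadata"]["name"] == ref["name"]
                     and r["metadata"]["namespace"] == namespace), None)
        if role and any(rule_allows(rule, verb, api_group, resource)
                        for rule in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    employee = identity_from_subject("/CN=employee/O=bitnami")
    print(employee)
    # Mirrors the session above: `run nginx` and `get pods` succeed in office,
    # `get svc` is Forbidden (services are not in the Role), and the same user
    # gets nothing outside the office namespace.
    for verb, group, res, ns in [("create", "", "pods", "office"),
                                 ("list", "", "pods", "office"),
                                 ("list", "", "services", "office"),
                                 ("list", "", "pods", "default")]:
        verdict = "allowed" if authorize(employee, verb, group, res, ns) else "Forbidden"
        print(f"{verb} {res} in {ns}: {verdict}")
```

Running it with `python3` prints the same allow/Forbidden pattern the session in the notes produced. Passing a different `bindings` list to `authorize` lets you check what a Group subject (matching the O value in the certificate) would grant before applying it to a real cluster; `kubectl auth can-i` is the equivalent check against the live API server.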