Kubernetes Note – Authentication & Authorization & ingress RBAC

Authentication and Authorization
================================================
Authentication
- How do you log in / get into the system?
		Certificate based - kubeconfig
		Token - joining nodes (bootstrap tokens)

Authorization
- Node
- ABAC
- RBAC [ FOCUS ]
- Webhook
=================================================
Certificate based
How does certificate-based authentication work?


# USER runs these commands on the workstation
# Create a private key
$ openssl genrsa -out employee.key 2048

# Create CSR file
$ openssl req -new -key employee.key -out employee.csr -subj "/CN=employee/O=bitnami"

# How to send the CSR file to the CA (master admin or K8s admin)
- Send manually, e.g. by email
- CSR API (the CertificateSigningRequest resource)

# Admin runs these commands (needs the cluster CA cert and key, which live under /etc/kubernetes/pki on the control-plane node)
$ openssl x509 -req -in employee.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out employee.crt -days 500

# Admin sends employee.crt back to the USER.
- Send manually, e.g. by email
- CSR API - the user can download it themselves

# USER adds employee.key and employee.crt to the kubeconfig file.

$ kubectl config set-credentials employee --client-certificate=/root/employee.crt  --client-key=/root/employee.key

$ kubectl config view

$ kubectl config set-context employee-context --cluster=kubernetes --namespace=office --user=employee

$ kubectl config view

$ kubectl create namespace office

$ kubectl --context=employee-context get pods

[root@rajesh ~]# kubectl --context=employee-context get pods
Error from server (Forbidden): pods is forbidden: User "employee" cannot list resource "pods" in API group "" in the namespace "office"
# So far we have only enabled authentication for "employee"; the user has no rights on K8s yet (RBAC is deny-by-default).

# Shell history of the session (history numbers and noise such as clear/ls/typos removed)
kubectl create namespace office
kubectl --context=employee-context get pods
kubectl --context=employee-context get pods -n=office
kubectl get sa
kubectl get sa -n=office
kubectl api-resources
kubectl api-resources | grep rbac
kubectl api-resources | grep exten
kubectl get roles
kubectl get roles -n=office
vi role.yaml
kubectl apply -f role.yaml
kubectl get roles
kubectl get roles -n=office
vi rb.yaml
kubectl apply -f rb.yaml
kubectl get rolebinding -n=office
kubectl --context=employee-context run nginx --image=nginx
kubectl --context=employee-context get svc
kubectl --context=employee-context get pods
kubectl create sa deploy
kubectl get sa
===================================================================================
TYPES OF USERS in k8s
- SA (ServiceAccount)	====> managed as an API resource
- Normal user  ====> 

================================
Level Of Access
- Namespace
- Cluster level

Types of Access
-----------------------------------
"get", "list", "watch", "create", "update", "patch", "delete"

Which API resources or API groups should access be given to?
=================================================
kubectl api-resources

RBAC
--------------------------

TYPES OF ROLES
- role		-----> grants access at namespace level
- clusterrole 	-----> grants access at cluster level


USER|GROUP =====USING ROLEBINDING =======> ROLE == the subject gets namespace-level access
USER|GROUP ===USING CLUSTERROLEBINDING==> CLUSTERROLE == the subject gets cluster-level access

Role
	What Resources
	What level

ClusterRole
	What Resources
	What level


kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: office          # a Role is namespaced; this one only grants access inside "office"
  name: deployment-manager
rules:
- apiGroups: ["", "extensions", "apps"]   # "" is the core group (pods); deployments/replicasets live in "apps" ("extensions" is the legacy group)
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]


kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployment-manager-binding
  namespace: office          # a RoleBinding only applies in its own namespace
subjects:
- kind: User
  name: employee             # must match the CN of the client certificate
  apiGroup: rbac.authorization.k8s.io   # an empty value is defaulted to this for User/Group subjects
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: rbac.authorization.k8s.io   # an empty value is defaulted to this as well
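Added example, not from the note: a small Python model of the RBAC authorizer's rule matching, run against the deployment-manager Role and RoleBinding above. It reproduces the session's outcomes (pods in "office" allowed; pods in another namespace and services forbidden). ClusterRoles, Group/ServiceAccount subjects and resourceNames are deliberately left out.

```python
# Added example, not from the note: a model of the RBAC authorizer's rule
# matching for namespaced Roles/RoleBindings with User subjects only.
# Transcription of the two YAML objects above into dicts (no PyYAML needed).
ROLE = {
    "metadata": {"namespace": "office", "name": "deployment-manager"},
    "rules": [{
        "apiGroups": ["", "extensions", "apps"],
        "resources": ["deployments", "replicasets", "pods"],
        "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"],
    }],
}
ROLE_BINDING = {
    "metadata": {"namespace": "office", "name": "deployment-manager-binding"},
    "subjects": [{"kind": "User", "name": "employee"}],
    "roleRef": {"kind": "Role", "name": "deployment-manager"},
}


def _matches(allowed, value):
    """A rule list matches on exact membership or on the "*" wildcard."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource):
    """One rule must match verb, apiGroup and resource at the same time."""
    return (_matches(rule["verbs"], verb)
            and _matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource))


def can_i(user, verb, resource, namespace, api_group="",
          roles=(ROLE,), bindings=(ROLE_BINDING,)):
    """True if a RoleBinding in `namespace` names `user` and its Role has a matching rule."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for binding in bindings:
        ns = binding["metadata"]["namespace"]
        if ns != namespace:
            continue  # a RoleBinding only applies inside its own namespace
        if not any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"]):
            continue  # the binding does not name this user
        role = roles_by_key.get((ns, binding["roleRef"]["name"]))
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(rule_allows(r, verb, api_group, resource) for r in role["rules"]):
            return True
    return False  # deny-by-default: no rule can deny, only the absence of a grant
```

`can_i("employee", "list", "pods", "office")` is True, while the same request in "default", or `get services` in "office", is False, which is what `kubectl auth can-i` would report for the employee context.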