k8s rbac role, rolebinding and testing

In AKS we can set up RBAC for a service account. Let's create a service account and then use the following YAML definitions to give it access to list pods.


kubectl create serviceaccount pod-watcher -n dev

Next we create a Role that allows only get, list and watch on pods in the dev namespace. A Role is reusable: it can be bound to any number of subjects, and on its own it grants nothing until a RoleBinding references it.


apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: pod-reader-only
rules:
- apiGroups: [""] # The core API group
  resources: ["pods"]
  verbs: ["get", "list", "watch"] # No "delete", "create", or "update"


Here are the common apiGroups you can use. Make sure the resource names in "resources" are plural (pods, not pod): a singular name will NOT match any request, and the API server accepts the Role without complaint, so the mistake only shows up when the permission silently fails to work.

API Group            Common Resources
"" (core)            pods, services, nodes, namespaces, configmaps, secrets, persistentvolumeclaims
apps                 deployments, statefulsets, daemonsets, replicasets
batch                jobs, cronjobs
networking.k8s.io    ingresses, networkpolicies
autoscaling          horizontalpodautoscalers
storage.k8s.io       storageclasses, csinodes

For example, a Role that lets the subject list cronjobs looks like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: pod-reader-cronjob-only
rules:
- apiGroups: ["batch"] # The batch API group
  resources: ["cronjobs"] # Plural here !!
  verbs: ["get", "list", "watch"] # No "delete", "create", or "update"

Next we tie the service account to the Role with a RoleBinding, as shown here. Note that the API server does not validate a RoleBinding's references when it is created: a subject (for example a group) need not exist, and the "roleRef" target need not exist either, so a misspelled Role name produces a binding that grants nothing rather than an error. The roleRef of an existing binding also cannot be changed; to point it at a different Role you delete and recreate the binding.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods-binding
  namespace: dev
subjects:
- kind: ServiceAccount
  name: pod-watcher
  namespace: dev
roleRef:
  kind: Role
  name: pod-reader-only
  apiGroup: rbac.authorization.k8s.io

To test it out we can use the kubectl auth can-i command, impersonating the service account with --as system:serviceaccount:<namespace>:<name>. The cronjob checks below only answer yes once pod-reader-cronjob-only has also been bound to pod-watcher with a second RoleBinding; the RoleBinding above references pod-reader-only alone.


# YES
kubectl auth can-i list pods --as system:serviceaccount:dev:pod-watcher -n dev
# NO
kubectl auth can-i delete pods --as system:serviceaccount:dev:pod-watcher -n dev

# YES (once pod-reader-cronjob-only is bound to pod-watcher as well)
kubectl auth can-i list cronjob --as system:serviceaccount:dev:pod-watcher -n dev
# NO
kubectl auth can-i delete cronjob --as system:serviceaccount:dev:pod-watcher -n dev
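To see why those answers come out the way they do without a cluster at hand, here is an added example (not from the post) that models, in Python, how the API server evaluates the Role and RoleBinding objects above. The objects are constructed dicts mirroring the post's manifests, plus two deliberately broken ones (a singular resource name and a misspelled roleRef) to show that both are accepted yet grant nothing. Only namespaced Roles, apiGroups/resources/verbs and the "*" wildcard are modelled; ClusterRoles, resourceNames and subresources are omitted.

```python
from typing import Dict, List

# Constructed objects mirroring the post's manifests (dicts instead of YAML).
ROLES: Dict[tuple, List[dict]] = {
    ("dev", "pod-reader-only"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    ],
    ("dev", "pod-reader-cronjob-only"): [
        {"apiGroups": ["batch"], "resources": ["cronjobs"], "verbs": ["get", "list", "watch"]},
    ],
    # Constructed mistake: singular "cronjob" never matches a request for "cronjobs".
    ("dev", "cronjob-typo"): [
        {"apiGroups": ["batch"], "resources": ["cronjob"], "verbs": ["list"]},
    ],
}

ROLE_BINDINGS: List[dict] = [
    {"namespace": "dev", "roleRef": "pod-reader-only",
     "subjects": ["system:serviceaccount:dev:pod-watcher"]},
    # Constructed mistake: roleRef to a Role that does not exist is accepted by the
    # API server but resolves to no rules at all.
    {"namespace": "dev", "roleRef": "pod-reader-onlyy",
     "subjects": ["system:serviceaccount:dev:pod-watcher"]},
    {"namespace": "dev", "roleRef": "cronjob-typo",
     "subjects": ["system:serviceaccount:dev:pod-watcher"]},
]


def _rule_matches(rule: dict, api_group: str, resource: str, verb: str) -> bool:
    """A rule allows a request only if group, resource and verb are each listed or '*'."""
    return all(
        "*" in allowed or wanted in allowed
        for allowed, wanted in ((rule["apiGroups"], api_group),
                                (rule["resources"], resource),
                                (rule["verbs"], verb))
    )


def can_i(subject: str, verb: str, resource: str, namespace: str, api_group: str = "",
          bindings: List[dict] = ROLE_BINDINGS, roles=ROLES) -> bool:
    """Model of: kubectl auth can-i <verb> <resource> --as <subject> -n <namespace>."""
    for binding in bindings:
        if binding["namespace"] != namespace or subject not in binding["subjects"]:
            continue
        # Unresolved roleRef -> empty rule list -> nothing granted (RBAC is deny by default).
        for rule in roles.get((namespace, binding["roleRef"]), []):
            if _rule_matches(rule, api_group, resource, verb):
                return True
    return False
```

Run can_i("system:serviceaccount:dev:pod-watcher", "list", "cronjobs", "dev", "batch") and it returns False until a binding to pod-reader-cronjob-only is appended to ROLE_BINDINGS, mirroring the caveat on the kubectl checks above.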