1. Inspect the environment and identify the authorization modes configured on the cluster.
Use the command kubectl describe pod kube-apiserver-controlplane -n kube-system and look for --authorization-mode.
2. How many roles exist in the default namespace?
Use the command kubectl get roles to list the available roles in the default namespace.
3. What are the resources the kube-proxy role in the kube-system namespace is given access to?
Run the command: kubectl describe role kube-proxy -n kube-system
4. Which account is the kube-proxy role assigned to?
A user dev-user is created. User’s details have been added to the kubeconfig file. Inspect the permissions granted to the user. Check if the user can list pods in the default namespace.
Use the --as dev-user option with kubectl to run commands as the dev-user.
Run the command: kubectl get pods --as dev-user
5. Create the necessary roles and role bindings required for the dev-user to create, list and delete pods in the default namespace.
Use the command kubectl create to create a role developer and rolebinding dev-user-binding in the default namespace.
o create a Role:- kubectl create role developer --namespace=default --verb=list,create,delete --resource=pods
To create a RoleBinding:- kubectl create rolebinding dev-user-binding --namespace=default --role=developer --user=dev-user
OR
Solution manifest file to create a role and rolebinding in the default namespace:
kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: default name: developer rules: - apiGroups: [""] resources: ["pods"] verbs: ["list", "create","delete"] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: dev-user-binding subjects: - kind: User name: dev-user apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: developer apiGroup: rbac.authorization.k8s.io
A set of new roles and role-bindings are created in the blue namespace for the dev-user. However, the dev-user is unable to get details of the dark-blue-app pod in the blue namespace. Investigate and fix the issue.
We have created the required roles and rolebindings, but something seems to be wrong.
New roles and role bindings are created in the blue namespace.
Check out the resourceNames configured on the role.
Add a new rule in the existing role developer to grant the dev-user permissions to create deployments in the blue namespace.
Remember to add api group "apps".
Use the command kubectl edit to add a new rule for user dev-user to grant permissions to create deployments in the blue namespace.
dit the developer role in the blue namespace to add a new rule under the rules section.
Append the below rule to the end of the file
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: developer namespace: blue rules: - apiGroups: - apps resourceNames: - dark-blue-app resources: - pods verbs: - get - watch - create - delete - apiGroups: - apps resources: - deployments verbs: - create
Cluster Role
For the first few questions of this lab, you would have to inspect the existing ClusterRoles and ClusterRoleBindings that have been created in this cluster.
How many ClusterRoles do you see defined in the cluster?
Run the command: kubectl get clusterroles --no-headers | wc -l or kubectl get clusterroles --no-headers -o json | jq '.items | length'
How many ClusterRoleBindings exist on the cluster?
Run the command: kubectl get clusterrolebindings --no-headers | wc -l or kubectl get clusterrolebindings --no-headers -o json | jq '.items | length'
A new user michelle joined the team. She will be focusing on the nodes in the cluster. Create the required ClusterRoles and ClusterRoleBindings so she gets access to the nodes.
Use the command kubectl create to create a clusterrole and clusterrolebinding for user michelle to grant access to the nodes.
After that test the access using the command kubectl auth can-i list nodes --as michelle.
Solution manifest file to create a clusterrole and clusterrolebinding for michelle user:
--- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: node-admin rules: - apiGroups: [""] resources: ["nodes"] verbs: ["get", "watch", "list", "create", "delete"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: michelle-binding subjects: - kind: User name: michelle apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: node-admin apiGroup: rbac.authorization.k8s.io
michelle‘s responsibilities are growing and now she will be responsible for storage as well. Create the required ClusterRoles and ClusterRoleBindings to allow her access to Storage.
Get the API groups and resource names from command kubectl api-resources. Use the given spec:
Use the command kubectl create to create a new ClusterRole and ClusterRoleBinding.
Assign it correct resources and verbs.
After that test the access using the command kubectl auth can-i list storageclasses --as michelle.
--- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: storage-admin rules: - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "watch", "list", "create", "delete"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "watch", "list", "create", "delete"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: michelle-storage-admin subjects: - kind: User name: michelle apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: storage-admin apiGroup: rbac.authorization.k8s.io
