1. Inspect the environment and identify the authorization modes configured on the cluster.
Use the command kubectl describe pod kube-apiserver-controlplane -n kube-system and look for --authorization-mode in the container command. The value is a comma-separated list of authorizers (on a kubeadm cluster typically Node,RBAC); they are consulted in that order, and the first one that returns allow or deny settles the request.
2. How many roles exist in the default namespace?
Use the command kubectl get roles -n default to list the roles in the default namespace. Roles are namespaced objects, so without -n you see the namespace of your current context, which may not be default.
3. What are the resources the kube-proxy role in the kube-system namespace is given access to?
Run the command: kubectl describe role kube-proxy -n kube-system
4. Which account is the kube-proxy role assigned to?
A role by itself grants nothing; it is assigned to a subject (user, group or service account) through a RoleBinding. Run the command: kubectl get rolebindings -n kube-system -o wide and find the binding whose ROLE column reads Role/kube-proxy; the USERS, GROUPS and SERVICEACCOUNTS columns are its subjects. kubectl describe rolebinding <name> -n kube-system shows the same in full.
A user dev-user is created. The user's details have been added to the kubeconfig file. Inspect the permissions granted to the user and check if the user can list pods in the default namespace.
Use the --as dev-user option with kubectl to run commands as dev-user. This is impersonation: your own identity needs permission to impersonate users, which a cluster admin has.
Run the command: kubectl get pods --as dev-user
With no role bound to dev-user yet, the request is rejected with a Forbidden error. kubectl auth can-i list pods --as dev-user gives the same answer as a plain yes or no.
5. Create the necessary roles and role bindings required for the dev-user to create, list and delete pods in the default namespace.
Use the command kubectl create to create a role developer and rolebinding dev-user-binding in the default namespace.
To create a Role: kubectl create role developer --namespace=default --verb=list,create,delete --resource=pods
To create a RoleBinding: kubectl create rolebinding dev-user-binding --namespace=default --role=developer --user=dev-user
OR
Solution manifest file to create a role and rolebinding in the default namespace. A RoleBinding is namespaced too, so give it the same namespace as the Role rather than relying on the namespace of whoever runs kubectl apply:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: developer
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "create", "delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-binding
  namespace: default
subjects:
- kind: User
  name: dev-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io

Verify with kubectl auth can-i create pods --as dev-user -n default (and the same for list and delete). kubectl auth can-i get pods --as dev-user -n default should still answer no, because get is not in the verb list.
A set of new roles and role bindings are created in the blue namespace for the dev-user. However, the dev-user is unable to get details of the dark-blue-app pod in the blue namespace. Investigate and fix the issue.
The required role and rolebinding exist in the blue namespace, but something is wrong with them. Confirm the symptom first: kubectl auth can-i get pods/dark-blue-app --as dev-user -n blue answers no.
Check out the resourceNames configured on the role: kubectl describe role developer -n blue (or kubectl get role developer -n blue -o yaml). A rule that lists resourceNames matches only requests for exactly those object names, so a pod whose name is not in the list is denied even though the verbs and resources look right. Correct the name to dark-blue-app with kubectl edit role developer -n blue and re-run the can-i check.
Add a new rule in the existing role developer to grant the dev-user permissions to create deployments in the blue namespace.
Remember to add api group "apps": deployments live in the apps API group, while pods stay in the core group (apiGroups: [""]). A rule written against the wrong group matches nothing, and the only symptom is Forbidden.
Use the command kubectl edit role developer -n blue to add a new rule for user dev-user under the rules section; the change is applied when you save and leave the editor. The finished role:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: blue
rules:
- apiGroups:
  - ""          # pods are in the core group, not in apps
  resourceNames:
  - dark-blue-app
  resources:
  - pods
  verbs:
  - get
  - watch
  - create
  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create

Verify with kubectl auth can-i create deployments --as dev-user -n blue. One caveat about the first rule: a create request carries no object name at authorization time, so a rule that lists resourceNames can never grant create (or a plain list), whatever its verb list says; the create verb in that rule is inert.
Cluster Role
For the first few questions of this lab, you would have to inspect the existing ClusterRoles and ClusterRoleBindings that have been created in this cluster. Both are cluster-scoped, so no -n is needed.
How many ClusterRoles do you see defined in the cluster?
Run the command: kubectl get clusterroles --no-headers | wc -l
or kubectl get clusterroles -o json | jq '.items | length'
How many ClusterRoleBindings exist on the cluster?
Run the command: kubectl get clusterrolebindings --no-headers | wc -l
or kubectl get clusterrolebindings -o json | jq '.items | length'
A new user michelle joined the team. She will be focusing on the nodes in the cluster. Create the required ClusterRoles and ClusterRoleBindings so she gets access to the nodes.
Nodes are cluster-scoped, so a namespaced Role cannot grant them; you need a ClusterRole bound through a ClusterRoleBinding.
Use the command kubectl create to create a clusterrole and clusterrolebinding for user michelle to grant access to the nodes:
kubectl create clusterrole node-admin --verb=get,list,watch,create,delete --resource=nodes
kubectl create clusterrolebinding michelle-binding --clusterrole=node-admin --user=michelle
After that test the access using the command kubectl auth can-i list nodes --as michelle.
Solution manifest file to create a clusterrole and clusterrolebinding for michelle user:

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-admin
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list", "create", "delete"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: michelle-binding
subjects:
- kind: User
  name: michelle
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: node-admin
  apiGroup: rbac.authorization.k8s.io
michelle's responsibilities are growing and now she will be responsible for storage as well. Create the required ClusterRoles and ClusterRoleBindings to allow her access to Storage.
Get the API groups and resource names from the command kubectl api-resources (for example kubectl api-resources | grep -i -e persistentvolume -e storageclass): persistentvolumes are in the core group and storageclasses in storage.k8s.io, and both are cluster-scoped, which is why a ClusterRole is needed. Use the given spec below.
Use the command kubectl create to create a new ClusterRole and ClusterRoleBinding. Assign it the correct resources and verbs:
kubectl create clusterrole storage-admin --verb=get,list,watch,create,delete --resource=persistentvolumes,storageclasses
kubectl create clusterrolebinding michelle-storage-admin --clusterrole=storage-admin --user=michelle
After that test the access using the command kubectl auth can-i list storageclasses --as michelle.

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: storage-admin
rules:
- apiGroups: [""]
  resources: ["persistentvolumes"]
  verbs: ["get", "watch", "list", "create", "delete"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "watch", "list", "create", "delete"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: michelle-storage-admin
subjects:
- kind: User
  name: michelle
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: storage-admin
  apiGroup: rbac.authorization.k8s.io
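Both halves of this lab (the developer Role in default and blue, and michelle's ClusterRoles) reduce to one question: given these Role/RoleBinding and ClusterRole/ClusterRoleBinding objects, does the RBAC authorizer allow a particular request? The script below is an added example for this write-up, not Kubernetes code and not part of the original lab. It models that decision offline over manifests constructed as Python dicts that mirror the page's YAML. Two details are assumptions because the page does not state them: the RoleBinding in the blue namespace is also called dev-user-binding, and the planted resourceNames typo is "blue-app" (the page only says to check resourceNames). It reproduces why dark-blue-app was denied before the fix, why a RoleBinding in default says nothing about blue, why a deployments rule needs the apps group, and why the create verb in a rule that carries resourceNames never fires.

```python
"""Offline model of the Kubernetes RBAC authorizer's decision for one request.
Added example for this lab write-up; not Kubernetes code and not part of the
original page. Manifests are constructed Python dicts mirroring the page's YAML.
Assumed: the blue binding is named dev-user-binding; the planted typo is "blue-app"."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    verb: str
    resource: str
    api_group: str = ""   # "" is the core group (pods, nodes, persistentvolumes)
    name: str = ""        # create and plain list/watch requests carry no object name
    namespace: str = ""   # "" means a cluster-scoped request (nodes, storageclasses)
    groups: tuple = ()

def _hit(listed, value):
    return "*" in listed or value in listed

def rule_allows(rule, req):
    """Verb, apiGroup, resource and resourceName must all match, as in the real authorizer."""
    if not (_hit(rule.get("verbs", []), req.verb)
            and _hit(rule.get("apiGroups", []), req.api_group)
            and _hit(rule.get("resources", []), req.resource)):
        return False
    names = rule.get("resourceNames", [])
    # A rule pinned to resourceNames only matches a request that names an object,
    # so it can never grant create (or a plain list/watch), whatever its verbs say.
    return not names or (req.name != "" and req.name in names)

def _covers(binding, req):
    return any((s["kind"] == "User" and s["name"] == req.user)
               or (s["kind"] == "Group" and s["name"] in req.groups)
               for s in binding["subjects"])

def _referenced_role(binding, roles):
    ref, ns = binding["roleRef"], binding["metadata"].get("namespace")
    for r in roles:
        if (r["kind"], r["metadata"]["name"]) == (ref["kind"], ref["name"]) and (
                r["kind"] == "ClusterRole" or r["metadata"].get("namespace") == ns):
            return r
    return None  # dangling roleRef: the binding grants nothing

def can_i(req, roles, bindings):
    """Return (allowed, reason). RBAC is purely additive and denies by default."""
    for b in bindings:
        # A RoleBinding (even one that references a ClusterRole) reaches only its own
        # namespace; a ClusterRoleBinding reaches every namespace and cluster scope.
        if b["kind"] == "RoleBinding" and b["metadata"].get("namespace") != req.namespace:
            continue
        if not _covers(b, req):
            continue
        role = _referenced_role(b, roles)
        for rule in (role["rules"] if role else []):
            if rule_allows(rule, req):
                return True, f'{b["kind"]}/{b["metadata"]["name"]} -> {role["kind"]}/{role["metadata"]["name"]}'
    return False, "no matching rule (deny by default)"

def _obj(kind, name, namespace=None, **body):
    meta = {"name": name, **({"namespace": namespace} if namespace else {})}
    return {"kind": kind, "metadata": meta, **body}

def _bind(kind, name, user, ref_kind, ref_name, namespace=None):
    return _obj(kind, name, namespace, subjects=[{"kind": "User", "name": user}],
                roleRef={"kind": ref_kind, "name": ref_name})

# Constructed to mirror the lab's manifests; "blue-app" is the assumed planted typo.
ALL = ["get", "watch", "list", "create", "delete"]
BLUE_PODS_BROKEN = {"apiGroups": [""], "resources": ["pods"], "resourceNames": ["blue-app"],
                    "verbs": ["get", "watch", "create", "delete"]}
BLUE_PODS_FIXED = dict(BLUE_PODS_BROKEN, resourceNames=["dark-blue-app"])
BLUE_DEPLOYMENTS = {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create"]}
COMMON = [
    _obj("Role", "developer", "default",
         rules=[{"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "create", "delete"]}]),
    _obj("ClusterRole", "node-admin", rules=[{"apiGroups": [""], "resources": ["nodes"], "verbs": ALL}]),
    _obj("ClusterRole", "storage-admin", rules=[
        {"apiGroups": [""], "resources": ["persistentvolumes"], "verbs": ALL},
        {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ALL}]),
]
ROLES_BEFORE = COMMON + [_obj("Role", "developer", "blue", rules=[BLUE_PODS_BROKEN])]
ROLES_AFTER = COMMON + [_obj("Role", "developer", "blue", rules=[BLUE_PODS_FIXED, BLUE_DEPLOYMENTS])]
BINDINGS = [
    _bind("RoleBinding", "dev-user-binding", "dev-user", "Role", "developer", "default"),
    _bind("RoleBinding", "dev-user-binding", "dev-user", "Role", "developer", "blue"),
    _bind("ClusterRoleBinding", "michelle-binding", "michelle", "ClusterRole", "node-admin"),
    _bind("ClusterRoleBinding", "michelle-storage-admin", "michelle", "ClusterRole", "storage-admin"),
]

if __name__ == "__main__":
    dark_blue = Request("dev-user", "get", "pods", name="dark-blue-app", namespace="blue")
    print("before fix:", can_i(dark_blue, ROLES_BEFORE, BINDINGS))
    print("after fix: ", can_i(dark_blue, ROLES_AFTER, BINDINGS))
    print("create pods in blue (resourceNames rule):",
          can_i(Request("dev-user", "create", "pods", namespace="blue"), ROLES_AFTER, BINDINGS))
    print("michelle list nodes:", can_i(Request("michelle", "list", "nodes"), ROLES_AFTER, BINDINGS))
```

The model deliberately leaves out what kubectl auth can-i would also consult on a live cluster: the other authorizers in --authorization-mode (Node first, on a kubeadm cluster), Group subjects beyond a plain name match, subresources such as pods/log, and the fieldSelector form of list that does carry a name. Everything it does keep is the matching order the RBAC authorizer applies, so a no from this script for one of the lab's requests points at the same object you would fix with kubectl edit.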