Control cluster permissions
Available in VPC
If you use ncp-iam-authenticator to configure kubeconfig, there is no need to control permissions using the service account token. For more information, see IAM authentication user management.
You can control permissions by changing the token value in the kubeconfig file so that creation, deletion, and modification are possible only in certain namespaces.
The default kubeconfig authentication file provided by Ncloud Kubernetes Service carries the full permissions of the admin, so if it is handed to a third-party service such as Jenkins or GitHub Actions, security problems may arise. You can prevent this by editing the kubeconfig file so that it carries only the minimum permissions required.
Change the token value in the kubeconfig file
This example explains how to restrict cluster permissions by changing the token value in the kubeconfig file. The steps are as follows.
1. Run the following commands in order to create a namespace and a service account.

   $ kubectl --kubeconfig $KUBE_CONFIG create ns hello-world
   $ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
   apiVersion: v1
   kind: ServiceAccount
   metadata:
     name: hello-user
     namespace: hello-world
   EOF

2. Run the command shown below to add a role and a role binding, and download the kubeconfig configuration as the kubeconfig.yaml file.

   $ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
   apiVersion: rbac.authorization.k8s.io/v1
   kind: Role
   metadata:
     namespace: hello-world
     name: hello-role
   rules:
   - apiGroups: [""]
     resources: ["pods"] # Specify the object
     verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # Control the action
   ---
   apiVersion: rbac.authorization.k8s.io/v1
   kind: RoleBinding
   metadata:
     namespace: hello-world
     name: hello-rb
   subjects:
   - kind: ServiceAccount
     name: hello-user
     namespace: hello-world
   roleRef:
     kind: Role
     name: hello-role
     apiGroup: rbac.authorization.k8s.io
   EOF

   - The permissions granted are defined by the role's resources and verbs. In the example above, the hello-user service account is restricted to controlling only pod resources in the namespace called hello-world.

3. Run the command shown below to create a service account secret.

   $ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
   apiVersion: v1
   kind: Secret
   metadata:
     name: hello-user-default
     namespace: hello-world
     annotations:
       kubernetes.io/service-account.name: hello-user
   type: kubernetes.io/service-account-token
   EOF

   Note: In Kubernetes 1.24 or later, a default secret is not automatically created when a service account is created. If you are using version 1.24 or later, you are required to create the relevant secret in Step 3. This step is not necessary in earlier versions, where a default secret is created automatically.

4. Run the command shown below to check the service account token.

   $ kubectl --kubeconfig $KUBE_CONFIG -n hello-world describe secret $(kubectl --kubeconfig $KUBE_CONFIG -n hello-world get secret | grep hello-user | awk '{print $1}')

5. Copy the downloaded kubeconfig.yaml file and save it as the kubeconfig-token.yaml file, and then delete the client-certificate-data and client-key-data values in the user part of the file as shown below.

   $ cp kubeconfig.yaml kubeconfig-token.yaml
   $ vi kubeconfig-token.yaml
   apiVersion: v1
   clusters:
   ...
   users:
   - name: kubernetes-admin
     user:

6. Add the token obtained in the previous step as the value under user.

   $ cat kubeconfig-token.yaml
   apiVersion: v1
   clusters:
   ...
   users:
   - name: kubernetes-admin
     user:
       token: eyJhbGciOiJSU... # Add the service account token
Check permission control
The following describes how to check whether the permission control works properly when calling the Kubernetes API with the token, using the kubeconfig-token.yaml file created in the procedure above.
Run the command shown below to store the path of kubeconfig-token.yaml in an environment variable.

$ export KUBE_CONFIG_TOKEN=kubeconfig-token.yaml
Run the following commands individually to check if access is granted.
- Get pod object (access allowed)
$ kubectl --kubeconfig $KUBE_CONFIG_TOKEN -n hello-world get pod
- Get deployment object (access denied)
$ kubectl --kubeconfig $KUBE_CONFIG_TOKEN -n hello-world get deploy
- Get other namespaces (access denied)
$ kubectl --kubeconfig $KUBE_CONFIG_TOKEN get pod
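Hand-editing kubeconfig-token.yaml in vi works, but it is easy to leave a client-certificate-data line behind, which would silently keep admin access in a file meant for CI. The following POSIX shell script is an added example, not part of the Ncloud Kubernetes Service guide: it generates kubeconfig-token.yaml from the admin kubeconfig in $KUBE_CONFIG and the hello-user-default secret, checks that the result carries a bearer token and no client key material, and then runs the same three permission checks as above through kubectl auth can-i. It assumes the hello-world namespace, hello-user service account and hello-user-default secret from the guide exist and that kubectl can reach the cluster; it reads the token with get secret -o jsonpath and base64 -d instead of copying it from describe secret by hand, and the cluster and context names hello-cluster and hello-user@hello-cluster are chosen here, not by the guide.

```shell
#!/bin/sh
# Added example, not part of the Ncloud Kubernetes Service guide.
# Builds kubeconfig-token.yaml from the admin kubeconfig ($KUBE_CONFIG) and the
# service account token, then verifies the scoping with "kubectl auth can-i".
# Assumptions: the hello-world namespace, hello-user service account and
# hello-user-default secret from the guide exist; the names "hello-cluster" and
# "hello-user@hello-cluster" are chosen here, not by the guide.
set -e

# Write a kubeconfig that authenticates with the bearer token only. No
# client-certificate-data / client-key-data is copied over, so the holder of
# this file gets exactly the RBAC permissions bound to the service account.
write_token_kubeconfig() {
  out="$1"; server="$2"; ca_data="$3"; token="$4"
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: hello-cluster
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_data}
contexts:
- name: hello-user@hello-cluster
  context:
    cluster: hello-cluster
    namespace: hello-world
    user: hello-user
current-context: hello-user@hello-cluster
users:
- name: hello-user
  user:
    token: ${token}
EOF
  chmod 600 "$out"   # the token is a credential; keep the file private
}

# Succeeds only when the file carries a token and no admin key material.
kubeconfig_is_token_only() {
  f="$1"
  ! grep -q 'client-certificate-data' "$f" &&
  ! grep -q 'client-key-data' "$f" &&
  grep -q '^    token: ' "$f"
}

# Reads the cluster endpoint, CA and token through kubectl (needs a reachable
# cluster), writes the file and checks what the token may and may not do.
build_from_cluster() {
  kc="${KUBE_CONFIG:?set KUBE_CONFIG to the admin kubeconfig}"
  server=$(kubectl --kubeconfig "$kc" config view --raw \
             -o jsonpath='{.clusters[0].cluster.server}')
  ca=$(kubectl --kubeconfig "$kc" config view --raw \
         -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
  token=$(kubectl --kubeconfig "$kc" -n hello-world get secret hello-user-default \
            -o jsonpath='{.data.token}' | base64 -d)
  write_token_kubeconfig kubeconfig-token.yaml "$server" "$ca" "$token"
  kubeconfig_is_token_only kubeconfig-token.yaml

  # "auth can-i" exits 1 on "no", so the expected denials are allowed to fail.
  kubectl --kubeconfig kubeconfig-token.yaml auth can-i get pods -n hello-world                # expected: yes
  kubectl --kubeconfig kubeconfig-token.yaml auth can-i get deployments -n hello-world || true # expected: no
  kubectl --kubeconfig kubeconfig-token.yaml auth can-i get pods -n default || true            # expected: no
}

# Only touch the cluster when explicitly asked; the functions above work on their own.
case "${1:-}" in
  --build) build_from_cluster ;;
esac
```

Run the script with the --build argument and KUBE_CONFIG pointing at the admin kubeconfig. The kubeconfig_is_token_only check is the part worth keeping in a pipeline: a kubeconfig that still contains client-certificate-data authenticates as kubernetes-admin regardless of which token is also present, so rejecting such a file before it is uploaded to Jenkins or GitHub Actions is what actually enforces the least-privilege intent of the guide.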