Control cluster permissions

Available in VPC

Note

If you use ncp-iam-authenticator to configure kubeconfig, there is no need to control permissions using the ServiceAccount token.
For more information, see IAM authentication user management.

The kubeconfig authentication file provided by Kubernetes Service operates through ncp-iam-authenticator, so using it from a 3rd-party service such as Jenkins or GitHub Actions can be inconvenient. It also grants the user's full cluster permissions to that 3rd-party service, which can lead to security issues. To avoid this, create a kubeconfig authentication file that uses a ServiceAccount token instead and grant it only the permissions it actually needs.

Change token value in the kubeconfig file

This example explains how to restrict cluster permissions by changing the token value in the kubeconfig file.

The following describes how to change the token value in the kubeconfig file.

  1. Run the following commands in order to create a Namespace and Service Account.

    $ kubectl --kubeconfig $KUBE_CONFIG create ns hello-world
    
    $ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: hello-user
      namespace: hello-world
    EOF
    
  2. Run the command shown below to add Role and Role Binding.

    $ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: hello-world
      name: hello-role
    rules:
    - apiGroups: [""]
      resources: ["pods"] # Specify the object
      verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # Control the action
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      namespace: hello-world
      name: hello-rb
    subjects:
    - kind: ServiceAccount
      name: hello-user
      namespace: hello-world
    roleRef:
      kind: Role
      name: hello-role
      apiGroup: rbac.authorization.k8s.io
    EOF
    
    • The permissions granted are defined by the Role's resources and verbs. In the example above, access is restricted to Pod resources in the Namespace called hello-world.
  3. Run the command shown below to create a Service Account Secret.

    $ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: hello-user-default
      namespace: hello-world
      annotations:
        kubernetes.io/service-account.name: hello-user
    type: kubernetes.io/service-account-token
    EOF
    
    Note

    In Kubernetes 1.24 or later, a default secret is not automatically created when a Service Account is created. If you are using a 1.24 or later version, you are required to create the relevant secret in Step 3. This step is not necessary in earlier versions where a default secret is automatically created.

  4. Run the command shown below to check the Service Account token.

    $ kubectl --kubeconfig $KUBE_CONFIG -n hello-world describe secret $(kubectl --kubeconfig $KUBE_CONFIG -n hello-world get secret | grep hello-user | awk '{print $1}')
    
  5. Create a kubeconfig file for your cluster with ncp-iam-authenticator.

  6. Copy the created kubeconfig file, save it as kubeconfig-token.yaml, and then delete the client-certificate-data and client-key-data values from the user section of the file as shown below.

    $ cp kubeconfig.yaml kubeconfig-token.yaml
    $ vi kubeconfig-token.yaml
    apiVersion: v1
    clusters:
    ...
    users:
    - name: kubernetes-admin
      user:
    
    
  7. Add the token obtained in Step 4 as the token value of the user as follows:

    $ cat kubeconfig-token.yaml
    apiVersion: v1
    clusters:
    ...
    users:
    - name: kubernetes-admin
      user:
        token: eyJhbGciOiJSU... # Add the Service Account Token
    
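Steps 6 and 7 above are done by hand in an editor. The following added example (not part of the original guide) performs the same edit on a parsed kubeconfig and, before writing the token in, reads the token's claims to confirm it belongs to the hello-world/hello-user ServiceAccount rather than an admin identity. The sample admin kubeconfig and the token are constructed here; the signature is fake and is not verified (the API server does that). The output is written as JSON, which kubectl reads as valid YAML.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sa_token(namespace: str, name: str) -> str:
    """Constructed stand-in for the token stored in a
    kubernetes.io/service-account-token Secret: same claim names the API
    server issues, but with a fake signature."""
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": name,
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }
    header = {"alg": "RS256", "kid": "constructed"}
    body = ".".join(_b64url(json.dumps(p).encode()) for p in (header, claims))
    return body + "." + _b64url(b"fake-signature")


def token_identity(token: str) -> tuple:
    """Return (namespace, service-account name) from the token's claims.
    No signature check: this only shows which identity the kubeconfig
    would hand to a 3rd-party service."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return (claims["kubernetes.io/serviceaccount/namespace"],
            claims["kubernetes.io/serviceaccount/service-account.name"])


def to_token_kubeconfig(kubeconfig: dict, token: str,
                        expected=("hello-world", "hello-user")) -> dict:
    """Steps 6-7 on a parsed kubeconfig: drop client-certificate-data and
    client-key-data from every user entry and set the ServiceAccount token.
    Refuses a token that is not the expected least-privilege ServiceAccount."""
    identity = token_identity(token)
    if identity != tuple(expected):
        raise ValueError(f"token is for {identity[0]}/{identity[1]}, "
                         f"expected {expected[0]}/{expected[1]}")
    out = json.loads(json.dumps(kubeconfig))  # deep copy; admin file stays untouched
    for entry in out.get("users", []):
        user = entry.setdefault("user", {})
        user.pop("client-certificate-data", None)
        user.pop("client-key-data", None)
        user["token"] = token
    return out
```

Usage: `json.dump(to_token_kubeconfig(admin_cfg, token), open("kubeconfig-token.yaml", "w"), indent=2)` where `admin_cfg` is the kubeconfig from Step 5 parsed into a dict (for example with PyYAML).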

Check permission control

The following describes how to confirm that permission control works when the Kubernetes API is called with the token, using the kubeconfig-token.yaml file created in the procedure above.

  1. Run the command shown below to store the path of kubeconfig-token.yaml in an environment variable.

    $ export KUBE_CONFIG_TOKEN=kubeconfig-token.yaml
    
  2. Run the following commands individually to check if access is granted.

    • Get Pod object (access allowed)
    $ kubectl --kubeconfig $KUBE_CONFIG_TOKEN -n hello-world get pod
    
    • Get Deployment object (access denied)
    $ kubectl --kubeconfig $KUBE_CONFIG_TOKEN -n hello-world get deploy
    
    • Get Pods in another Namespace (access denied)
    $ kubectl --kubeconfig $KUBE_CONFIG_TOKEN get pod