Using control cluster permissions
Available in Classic
Control cluster permissions
The kubeconfig.yaml file of Ncloud Kubernetes Service has admin permissions, so it may cause security issues when you use it with third-party services such as Jenkins and GitHub Actions. For security reasons, use this service with limited permissions.
Preparation
- You need a running cluster, with kubectl installed and the environment variables set.
- For how to create a cluster, refer to Create clusters.
- For how to install kubectl and set environment variables, refer to Install kubectl.
Create service account, role and role binding
Add namespace
Create a namespace for testing.
$ kubectl --kubeconfig $KUBE_CONFIG create ns hello-world
Add service account
$ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: hello-user
  namespace: hello-world
EOF
Add role and role binding
Define the permissions of a role in terms of resources and verbs. The following example creates a role in the namespace hello-world that allows control of the pod resource only.
$ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: hello-world
  name: hello-role
rules:
- apiGroups: [""]
  resources: ["pods"] # Specify an object.
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # Control actions.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: hello-world
  name: hello-rb
subjects:
- kind: ServiceAccount
  name: hello-user
  namespace: hello-world
roleRef:
  kind: Role
  name: hello-role
  apiGroup: rbac.authorization.k8s.io
EOF
Check service account token
$ kubectl --kubeconfig $KUBE_CONFIG -n hello-world describe secret $(kubectl --kubeconfig $KUBE_CONFIG -n hello-world get secret | grep hello-user | awk '{print $1}')
Name: hello-user-token-6zjw7
Namespace: hello-world
Labels: <none>
Annotations: kubernetes.io/service-account.name: hello-user
kubernetes.io/service-account.uid: 9546d5be-1b27-11ea-8845-f220cdab2dde
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1029 bytes
namespace: 11 bytes
token: eyJhbGciOiJSU...
Create kubeconfig-token.yaml using token-based authentication
Copy the contents of the downloaded kubeconfig.yaml into kubeconfig-token.yaml, and delete client-certificate-data and client-key-data from the user entry in kubeconfig-token.yaml.
$ cp kubeconfig.yaml kubeconfig-token.yaml
$ vi kubeconfig-token.yaml
apiVersion: v1
clusters:
...
users:
- name: kubernetes-admin
  user:
    client-key-data: LS0tLS1CRUdJTiBDRV...
    client-certificate-data: LS0tLS1CRUdJTiB...
Add the token you checked in the previous step to the user entry, as shown below.
$ cat kubeconfig-token.yaml
apiVersion: v1
clusters:
...
users:
- name: kubernetes-admin
  user:
    token: eyJhbGciOiJSU... # Add the service account token
Check permissions
Make Kubernetes API calls with the token and confirm that the permissions are restricted as intended.
- Declare kubeconfig-token.yaml with an environment variable.
$ export KUBE_CONFIG_TOKEN=kubeconfig-token.yaml
- Get pod object (access allowed)
$ kubectl --kubeconfig $KUBE_CONFIG_TOKEN -n hello-world get pod
No resources found in hello-world namespace.
- Get deployment object (access denied)
$ kubectl --kubeconfig $KUBE_CONFIG_TOKEN -n hello-world get deploy
Error from server (Forbidden): deployments.extensions is forbidden: User "system:serviceaccount:hello-world:hello-user" cannot list resource "deployments" in API group "extensions" in the namespace "hello-world"
- Get other namespaces (access denied)
$ kubectl --kubeconfig $KUBE_CONFIG_TOKEN get pod
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:hello-world:hello-user" cannot list resource "pods" in API group "" in the namespace "default"
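The following script is an added example, not part of the Ncloud guide, that automates the two manual steps above: it derives kubeconfig-token.yaml from kubeconfig.yaml (dropping client-certificate-data and client-key-data and inserting the token directly under the user key), and it checks the expected allow/deny matrix with kubectl auth can-i. The sample kubeconfig, the token value and the example.invalid server address are constructed for the demo; verify_restricted needs a live cluster and is therefore defined but not invoked.

```shell
#!/bin/sh
# Added example (not from the Ncloud guide): build a token-based kubeconfig
# from the admin kubeconfig and verify that the resulting identity is limited.
# Assumes the layout shown on the page: a single entry under "users:" whose
# "user:" key holds client-certificate-data and client-key-data.
set -eu

# make_token_kubeconfig SRC DST TOKEN
# Copies SRC to DST without the admin certificate and key, and adds
# "token: TOKEN" under the "user:" key, indented two spaces deeper than
# "user:" so the YAML stays valid. The contexts section's "user: <name>"
# line is left alone because the pattern requires a bare "user:" key.
make_token_kubeconfig() {
  src=$1; dst=$2; token=$3
  awk -v tok="$token" '
    /^[ ]*client-certificate-data:/ { next }   # drop the admin certificate
    /^[ ]*client-key-data:/         { next }   # drop the admin private key
    { print }
    /^[ ]*user:[ ]*$/ {
      match($0, /^[ ]*/)                       # RLENGTH = indent of "user:"
      ind = ""
      for (i = 0; i < RLENGTH + 2; i++) ind = ind " "
      print ind "token: " tok
    }
  ' "$src" > "$dst"
  chmod 600 "$dst"   # the token is a bearer credential; keep the file private
}

# has_admin_keys FILE: exit 0 if any client certificate or key material remains
has_admin_keys() {
  grep -Eq '^[ ]*client-(certificate|key)-data:' "$1"
}

# token_line FILE: print the token line, used to verify the generated file
token_line() {
  grep -E '^[ ]*token:' "$1"
}

# verify_restricted KUBECONFIG: the allow/deny matrix from the guide, expressed
# with "kubectl auth can-i" (exit status 0 means allowed, 1 means denied).
# Returns 0 only if pods in hello-world are allowed and both deployments in
# hello-world and pods in the default namespace are denied.
verify_restricted() {
  kc=$1
  kubectl --kubeconfig "$kc" -n hello-world auth can-i list pods        || return 1
  kubectl --kubeconfig "$kc" -n hello-world auth can-i list deployments && return 1
  kubectl --kubeconfig "$kc" -n default     auth can-i list pods        && return 1
  return 0
}

# Demo on a constructed kubeconfig that mirrors the page's sample layout.
demo() {
  work=$(mktemp -d)
  cat > "$work/kubeconfig.yaml" <<'EOF'
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRV...
    server: https://example.invalid:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
users:
- name: kubernetes-admin
  user:
    client-key-data: LS0tLS1CRUdJTiBDRV...
    client-certificate-data: LS0tLS1CRUdJTiB...
EOF
  # Constructed token value; on a real cluster paste the token from the secret.
  make_token_kubeconfig "$work/kubeconfig.yaml" "$work/kubeconfig-token.yaml" \
    "eyJhbGciOiJSU.CONSTRUCTED"
  cat "$work/kubeconfig-token.yaml"
  rm -rf "$work"
}

demo
```

Run it once to see the generated file, then call verify_restricted kubeconfig-token.yaml against your cluster; a non-zero exit means the role is broader or narrower than the guide intends. On clusters running Kubernetes 1.24 or later, token Secrets are no longer created automatically for service accounts, so the describe secret step above finds nothing; kubectl create token hello-user -n hello-world issues a short-lived token for the same purpose.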