Using control cluster permissions

    Available in Classic

    Control cluster permissions

    The kubeconfig.yaml file provided by Ncloud Kubernetes Service carries cluster admin permissions, so handing it to third-party services such as Jenkins or GitHub Actions gives those services full control of the cluster. Use a credential limited to only the permissions the service needs.

    Preparation

    • You need a running cluster, and need to install kubectl and set environment variables.
    • For how to create a cluster, refer to Create clusters.
    • For how to install kubectl and set environment variables, refer to Install kubectl.

    Create service account, role and role binding

    Add namespace

    Create a namespace for testing.

    $ kubectl --kubeconfig $KUBE_CONFIG create ns hello-world
    

    Add service account

    $ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: hello-user
      namespace: hello-world
    EOF
    

    Add role and role binding

    Define the permissions in the resources and verbs of a role. The following example allows control over the pod resource only, within the hello-world namespace.

    $ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: hello-world
      name: hello-role
    rules:
    - apiGroups: [""] # The core API group, where pods live.
      resources: ["pods"] # Resource types the role covers.
      verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # Actions allowed on them.
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      namespace: hello-world
      name: hello-rb
    subjects:
    - kind: ServiceAccount
      name: hello-user
      namespace: hello-world
    roleRef:
      kind: Role 
      name: hello-role
      apiGroup: rbac.authorization.k8s.io
    EOF
    

    Check service account token

    $ kubectl --kubeconfig $KUBE_CONFIG -n hello-world describe secret $(kubectl --kubeconfig $KUBE_CONFIG -n hello-world get secret | grep hello-user | awk '{print $1}')
    Name:         hello-user-token-6zjw7
    Namespace:    hello-world
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name: hello-user
                  kubernetes.io/service-account.uid: 9546d5be-1b27-11ea-8845-f220cdab2dde
    
    Type:  kubernetes.io/service-account-token
    
    Data
    ====
    ca.crt:     1029 bytes
    namespace:  11 bytes
    token:      eyJhbGciOiJSU...
    

    Create kubeconfig-token.yaml using token-based authentication

    Copy the downloaded kubeconfig.yaml to kubeconfig-token.yaml, then delete client-certificate-data and client-key-data from the user entry in kubeconfig-token.yaml.

    $ cp kubeconfig.yaml kubeconfig-token.yaml
    $ vi kubeconfig-token.yaml
    apiVersion: v1
    clusters:
    ...
    users:
    - name: kubernetes-admin
      user:
        client-key-data:  LS0tLS1CRUdJTiBDRV...
        client-certificate-data: LS0tLS1CRUdJTiB...
    

    Add the token you checked in the previous step to user as shown below.

    $ cat kubeconfig-token.yaml
    apiVersion: v1
    clusters:
    ...
    users:
    - name: kubernetes-admin
      user:
        token:  eyJhbGciOiJSU... # Add the service account token
    
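The two manual edits above (removing the certificate pair, adding the token) can be done in one step. This added Python example, not part of the Ncloud documentation, performs the rewrite on a constructed kubeconfig with the same layout as the one shown, refuses to produce a file that still carries client-certificate-data or client-key-data, and keeps the cluster section so TLS verification of the API server is preserved. It writes JSON, which kubectl accepts as a kubeconfig because JSON is valid YAML; the token string, output file name and placeholder values are assumptions. On clusters that no longer create a token secret for each service account (Kubernetes 1.24 and later), the token for this step comes from `kubectl create token hello-user -n hello-world` rather than from the secret shown above.

```python
"""Build a token-only kubeconfig from the admin kubeconfig (added example)."""
import copy
import json

# Any one of these keys left behind would still let the file authenticate as
# kubernetes-admin, regardless of the token that was added.
ADMIN_CREDENTIAL_KEYS = ("client-certificate-data", "client-key-data",
                         "client-certificate", "client-key")

# Constructed sample mirroring the downloaded kubeconfig.yaml shown on this
# page; the base64 strings and endpoint are placeholders, not real material.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": "kubernetes", "cluster": {
        "server": "https://CLUSTER-ENDPOINT-PLACEHOLDER:6443",
        "certificate-authority-data": "LS0tLS1CRUdJTiBDRV...placeholder"}}],
    "contexts": [{"name": "kubernetes-admin@kubernetes",
                  "context": {"cluster": "kubernetes", "user": "kubernetes-admin"}}],
    "current-context": "kubernetes-admin@kubernetes",
    "users": [{"name": "kubernetes-admin", "user": {
        "client-key-data": "LS0tLS1CRUdJTiBDRV...placeholder",
        "client-certificate-data": "LS0tLS1CRUdJTiB...placeholder"}}],
}


def admin_credentials_present(cfg: dict) -> bool:
    """True if any user entry still carries client certificate or key material."""
    return any(key in user.get("user", {})
               for user in cfg.get("users", [])
               for key in ADMIN_CREDENTIAL_KEYS)


def to_token_kubeconfig(cfg: dict, token: str, user_name: str = "kubernetes-admin") -> dict:
    """Return a copy of cfg in which `user_name` authenticates with `token` only.

    The clusters section (server URL and CA bundle) is left untouched: the CA is
    what lets kubectl verify it is talking to the real API server.
    """
    if not token or token.count(".") != 2:
        raise ValueError("expected a JWT-shaped service account token (3 dot-separated parts)")
    out = copy.deepcopy(cfg)
    matches = [u for u in out.get("users", []) if u.get("name") == user_name]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one user named {user_name!r}")
    user = matches[0].setdefault("user", {})
    for key in ADMIN_CREDENTIAL_KEYS:
        user.pop(key, None)          # drop the admin identity
    user["token"] = token            # the service account token replaces it
    if admin_credentials_present(out):
        raise RuntimeError("admin credential material survived the rewrite")
    return out


def write_token_kubeconfig(cfg: dict, token: str, path: str = "kubeconfig-token.json") -> str:
    """Write the restricted kubeconfig; JSON is valid YAML, so kubectl reads it as-is."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(to_token_kubeconfig(cfg, token), fh, indent=2)
    return path


if __name__ == "__main__":
    # Hypothetical token value; in practice paste the token from the step above.
    path = write_token_kubeconfig(SAMPLE_KUBECONFIG, "eyJhbGciOiJSU.PAYLOAD.SIGNATURE")
    print(f"wrote {path}; use it with: kubectl --kubeconfig {path} -n hello-world get pod")
```

The check at the end of `to_token_kubeconfig` is deliberate: a kubeconfig user entry that has both a token and a client certificate still presents the certificate, so the restriction only holds when the certificate pair is really gone.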

    Check permissions

    Make Kubernetes API calls with the token and confirm that the permissions are restricted as intended.

    • Declare kubeconfig-token.yaml with an environment variable.
    $ export KUBE_CONFIG_TOKEN=kubeconfig-token.yaml
    
    • Get pod object (access allowed)
    $ kubectl --kubeconfig $KUBE_CONFIG_TOKEN -n hello-world get pod
    No resources found in hello-world namespace.
    
    • Get deployment object (access denied)
    $ kubectl --kubeconfig $KUBE_CONFIG_TOKEN -n hello-world get deploy
    Error from server (Forbidden): deployments.extensions is forbidden: User "system:serviceaccount:hello-world:hello-user" cannot list resource "deployments" in API group "extensions" in the namespace "hello-world"
    
    • Get other namespaces (access denied)
    $ kubectl --kubeconfig $KUBE_CONFIG_TOKEN get pod
    Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:hello-world:hello-user" cannot list resource "pods" in API group "" in the namespace "default"
    
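To show why the three calls above are allowed or denied, here is an added Python example (not part of the Ncloud documentation) that models RBAC evaluation for the Role and RoleBinding created earlier. It decodes the token's `sub` claim, which is the user name that appears in the Forbidden messages, and then evaluates the same three requests. The token is constructed for the example and is not signed (the API server would reject it); its claims have the same shape as a real service account token, which is why both start with `eyJhbGciOiJSU`. The model is deliberately simplified: it considers only namespaced Role/RoleBinding pairs like the ones on this page, not ClusterRoles or ClusterRoleBindings.

```python
"""Offline model of the RBAC decisions behind the kubectl results above (added example)."""
import base64
import json

# The Role and RoleBinding applied earlier on this page, as dicts.
HELLO_ROLE = {
    "metadata": {"namespace": "hello-world", "name": "hello-role"},
    "rules": [{"apiGroups": [""], "resources": ["pods"],
               "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}],
}
HELLO_RB = {
    "metadata": {"namespace": "hello-world", "name": "hello-rb"},
    "subjects": [{"kind": "ServiceAccount", "name": "hello-user", "namespace": "hello-world"}],
    "roleRef": {"kind": "Role", "name": "hello-role"},
}
ROLES = {("hello-world", "hello-role"): HELLO_ROLE}
BINDINGS = [HELLO_RB]


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def constructed_token(namespace: str, name: str) -> str:
    """Build an UNSIGNED look-alike of a service account JWT (constructed for this example)."""
    header = {"alg": "RS256", "kid": "constructed"}
    payload = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": name,
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    return ".".join(parts + ["constructed-signature"])


def token_subject(token: str) -> str:
    """Return the 'sub' claim: the user name the API server authorizes against."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return payload["sub"]


def _rule_allows(rule: dict, group: str, resource: str, verb: str) -> bool:
    def matches(values, wanted):
        return "*" in values or wanted in values
    return (matches(rule["apiGroups"], group)
            and matches(rule["resources"], resource)
            and matches(rule["verbs"], verb))


def can_i(subject: str, verb: str, resource: str, group: str, namespace: str,
          roles=ROLES, bindings=BINDINGS) -> bool:
    """Simplified RBAC: denied unless a RoleBinding in the request's namespace
    names the subject and its Role has a rule matching group/resource/verb."""
    for rb in bindings:
        if rb["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding grants nothing outside its own namespace
        bound = {f"system:serviceaccount:{s['namespace']}:{s['name']}"
                 for s in rb["subjects"] if s["kind"] == "ServiceAccount"}
        if subject not in bound:
            continue
        role = roles[(rb["metadata"]["namespace"], rb["roleRef"]["name"])]
        if any(_rule_allows(rule, group, resource, verb) for rule in role["rules"]):
            return True
    return False


def check_page_requests(token: str) -> dict:
    """Re-run the three kubectl requests from this page ('get' lists the resource)."""
    sub = token_subject(token)
    return {
        "get pod in hello-world": can_i(sub, "list", "pods", "", "hello-world"),
        "get deploy in hello-world": can_i(sub, "list", "deployments", "extensions", "hello-world"),
        "get pod in default": can_i(sub, "list", "pods", "", "default"),
    }


if __name__ == "__main__":
    tok = constructed_token("hello-world", "hello-user")
    print("subject:", token_subject(tok))
    for request, allowed in check_page_requests(tok).items():
        print(f"{request}: {'allowed' if allowed else 'Forbidden'}")
```

The second request fails on the apiGroups check (deployments are not in the core group `""`), and the third fails before any rule is consulted because the RoleBinding lives in hello-world and the request targets default. On a live cluster the same questions can be asked with `kubectl --kubeconfig $KUBE_CONFIG_TOKEN auth can-i list deployments -n hello-world`.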
