Control cluster permissions

    Available in VPC

    Note

    If you use ncp-iam-authenticator to configure kubeconfig, there is no need to control permissions using the service account token.
    For more information, see IAM authentication user management.

    You can control permissions by changing the token value in the kubeconfig file so that creating, deleting, and modifying objects is only possible in specific namespaces.

    The default kubeconfig file provided by Ncloud Kubernetes Service carries the full permissions of the cluster admin, so handing it to a third-party service such as Jenkins or GitHub Actions exposes the whole cluster if that service is compromised. You can reduce this risk by editing the kubeconfig file so that it carries only the minimum permissions the service needs.

    Change token value in the kubeconfig file

    This example explains how to restrict cluster permissions by replacing the token value in the kubeconfig file with a service account token that is bound to a namespace-scoped role.

    1. Run the following commands in order to create a namespace and service account.

      $ kubectl --kubeconfig $KUBE_CONFIG create ns hello-world
      
      $ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: hello-user
        namespace: hello-world
      EOF
      
    2. Run the command shown below to add a Role and a RoleBinding. Keep the cluster's downloaded kubeconfig file saved as kubeconfig.yaml; it is used in the later steps.

      $ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        namespace: hello-world
        name: hello-role
      rules:
      - apiGroups: [""]
        resources: ["pods"] # Specify the object
        verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # Control the action 
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        namespace: hello-world
        name: hello-rb
      subjects:
      - kind: ServiceAccount
        name: hello-user
        namespace: hello-world
      roleRef:
        kind: Role 
        name: hello-role
        apiGroup: rbac.authorization.k8s.io
      EOF
      
      • The permissions granted are defined by the role's resources and verbs. In the example above, the service account can only manage pod resources in the hello-world namespace. Because a Role (unlike a ClusterRole) is namespace-scoped, the binding cannot grant anything outside hello-world, and adding a resource or verb to the Role is the only way to widen it.
    3. Run the command shown below to create a service account secret.

      $ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
      apiVersion: v1
      kind: Secret
      metadata:
        name: hello-user-default
        namespace: hello-world
        annotations:
          kubernetes.io/service-account.name: hello-user
      type: kubernetes.io/service-account-token
      EOF
      
      Note

      In Kubernetes 1.24 or later, a token secret is no longer created automatically when a service account is created. If you are using version 1.24 or later, you must create the secret in Step 3. This step is not necessary in earlier versions, where a default secret is created automatically. Note that a secret-based token does not expire: to revoke it, delete the secret (or the service account) and issue a new one.

    4. Run the command shown below to display the service account token. For a secret of type kubernetes.io/service-account-token, kubectl describe prints the token value already decoded, so copy the value shown after token: for the next steps.

      $ kubectl --kubeconfig $KUBE_CONFIG -n hello-world describe secret $(kubectl --kubeconfig $KUBE_CONFIG -n hello-world get secret | grep hello-user | awk '{print $1}')
      
    5. Copy the downloaded kubeconfig.yaml file and save it as kubeconfig-token.yaml, then delete the client-certificate-data and client-key-data values under the user entry, as shown below. Leave the cluster section, including certificate-authority-data and server, untouched.

      $ cp kubeconfig.yaml kubeconfig-token.yaml
      $ vi kubeconfig-token.yaml
      apiVersion: v1
      clusters:
      ...
      users:
      - name: kubernetes-admin
        user:
      
    6. Add the token information obtained in the previous step as the value for the user.

      $ cat kubeconfig-token.yaml
      apiVersion: v1
      clusters:
      ...
      users:
      - name: kubernetes-admin
        user:
          token: eyJhbGciOiJSU... # Add the service account token
      
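    Steps 5 and 6 above are easy to get wrong by hand: leaving client-key-data next to the token silently keeps the admin credential in the file, and it is worth confirming which namespace and service account a token actually names before shipping the file to a CI system. The script below is an added example written for this page, not Ncloud tooling. It assumes the admin kubeconfig is fed in as JSON (the output of kubectl config view --raw -o json --kubeconfig kubeconfig.yaml) and writes a JSON kubeconfig, which kubectl reads just like YAML, so only the standard library is needed. The file name make_token_kubeconfig.py, the sample ADMIN_KUBECONFIG and the token produced by make_constructed_token are all constructed for the example; a real token comes from Step 4.

```python
"""Assemble kubeconfig-token.yaml from the admin kubeconfig and check the token.

Added example for this page, not Ncloud's own tooling. Input is the JSON form
of the admin kubeconfig (`kubectl config view --raw -o json`); output is a JSON
kubeconfig, which kubectl accepts as well as YAML, so no YAML library is needed.
"""
import base64
import copy
import json
import sys

# Keys under `user:` that carry a credential. Any of these left next to the
# token would keep the admin identity in the file.
CREDENTIAL_KEYS = (
    "client-certificate-data", "client-key-data", "client-certificate",
    "client-key", "exec", "auth-provider", "username", "password",
)

# Constructed sample in the shape `kubectl config view --raw -o json` prints.
# Certificate and key values are placeholders, not real PEM data.
ADMIN_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": "kubernetes", "cluster": {
        "server": "https://cluster.example.invalid:6443",
        "certificate-authority-data": "LS0tLS1CRUdJTi...",
    }}],
    "contexts": [{"name": "kubernetes-admin@kubernetes", "context": {
        "cluster": "kubernetes", "user": "kubernetes-admin",
    }}],
    "current-context": "kubernetes-admin@kubernetes",
    "users": [{"name": "kubernetes-admin", "user": {
        "client-certificate-data": "LS0tLS1CRUdJTi...",
        "client-key-data": "LS0tLS1CRUdJTi...",
    }}],
}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_claims(token: str) -> dict:
    """Return the JWT payload of a service account token WITHOUT verifying it.
    This only tells you which namespace/account the token names; the API
    server is what checks the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def build_token_kubeconfig(admin_cfg: dict, token: str,
                           expect_namespace: str, expect_sa: str,
                           user_name: str = "kubernetes-admin") -> dict:
    """Copy admin_cfg, keep only `user_name`, and replace its credentials with
    the token. Refuses a token that names a different namespace or account."""
    claims = token_claims(token)
    ns = claims.get("kubernetes.io/serviceaccount/namespace")
    sa = claims.get("kubernetes.io/serviceaccount/service-account.name")
    if (ns, sa) != (expect_namespace, expect_sa):
        raise ValueError(f"token is for {ns}/{sa}, expected {expect_namespace}/{expect_sa}")

    cfg = copy.deepcopy(admin_cfg)
    if not any(u["name"] == user_name for u in cfg["users"]):
        raise KeyError(f"user {user_name!r} not in kubeconfig")
    # Replacing the whole `user` block, not merely adding `token:`, is what
    # removes client-certificate-data / client-key-data (Step 5 of the page).
    cfg["users"] = [{"name": user_name, "user": {"token": token}}]
    # Drop contexts that pointed at users that no longer exist.
    cfg["contexts"] = [c for c in cfg["contexts"] if c["context"].get("user") == user_name]
    leftover = [k for u in cfg["users"] for k in CREDENTIAL_KEYS if k in u["user"]]
    if leftover:
        raise ValueError(f"credential keys still present: {leftover}")
    return cfg


def make_constructed_token(namespace: str, sa_name: str, secret_name: str) -> str:
    """Build a token with the claim layout of a secret-based service account
    token, for offline demonstration only: the signature is a placeholder, so
    no API server would accept it."""
    header = {"alg": "RS256", "kid": "constructed"}
    payload = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/secret.name": secret_name,
        "kubernetes.io/serviceaccount/service-account.name": sa_name,
        "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000000",
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
    }
    return ".".join(_b64url_encode(p) for p in (header, payload, {"sig": "placeholder"}))


if __name__ == "__main__":
    # kubectl config view --raw -o json --kubeconfig kubeconfig.yaml \
    #   | python3 make_token_kubeconfig.py "$TOKEN" > kubeconfig-token.yaml
    # Without input it falls back to the constructed sample for a dry run.
    token = sys.argv[1] if len(sys.argv) > 1 else make_constructed_token(
        "hello-world", "hello-user", "hello-user-default")
    admin = json.load(sys.stdin) if not sys.stdin.isatty() else ADMIN_KUBECONFIG
    json.dump(build_token_kubeconfig(admin, token, "hello-world", "hello-user"), sys.stdout, indent=2)
```

    The claim names checked here (kubernetes.io/serviceaccount/namespace and kubernetes.io/serviceaccount/service-account.name) are the ones carried by the secret-based tokens created in Step 3. After writing the file, kubectl --kubeconfig kubeconfig-token.yaml auth can-i --list -n hello-world lists exactly the rules the RoleBinding grants, which is a quicker check than trying each verb by hand.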

    Check permission control

    The following describes how to check that the permission control works as intended when the Kubernetes API is called with the token, using the kubeconfig-token.yaml file created above. Each denied request fails with a Forbidden error from the API server.

    1. Run the command shown below to declare kubeconfig-token.yaml as an environment variable.

      $ export KUBE_CONFIG_TOKEN=kubeconfig-token.yaml
      
    2. Run the following commands individually to check if access is granted.

      • Get pod objects in hello-world (access allowed)
      $ kubectl --kubeconfig $KUBE_CONFIG_TOKEN -n hello-world get pod
      
      • Get deployment objects in hello-world (access denied: deployments are not in the Role's resources)
      $ kubectl --kubeconfig $KUBE_CONFIG_TOKEN -n hello-world get deploy
      
      • Get pods without -n, that is, in the context's namespace, normally default (access denied: the Role is bound only in hello-world)
      $ kubectl --kubeconfig $KUBE_CONFIG_TOKEN get pod
      
