Labs: RBAC

In this lab we will cover:

  • Role and RoleBinding
  • User mapping

Lab 1: Role and RoleBinding

# Create the Role defined in role.yaml. A Role is namespaced, and no namespace
# is given here, so it lands in the current context's namespace.
kubectl create --filename=role.yaml
kubectl get roles
# Review the rules (resources and verbs) that pod-reader actually grants.
kubectl describe role pod-reader

# Create the RoleBinding defined in rolebind.yaml. The binding is what attaches
# the Role to users, groups or service accounts.
kubectl create --filename=rolebind.yaml
kubectl get rolebindings
# Check the role reference and the subject list; every subject named here
# receives the Role's permissions in this namespace.
kubectl describe rolebindings read-pods

Lab 2: Test with user

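# Role and RoleBinding test with a certificate-authenticated user.
#
# Create a private key for the user. In this example the file is named employee.key.
openssl genrsa -out employee.key 2048
# Restrict the key to its owner: anyone who can read this file can authenticate
# to the cluster as the user.
chmod 600 employee.key
# Create a certificate signing request (employee.csr) from that key. The
# username goes in CN and the group in O of the -subj value, so these must match
# the subjects named in the RoleBinding.
openssl req -new -key employee.key -out employee.csr -subj "/CN=employee/O=test"
# Sign the request with the cluster CA to produce employee.crt. The CA paths
# below are hard-coded; change them if your cluster keeps its CA elsewhere.
# Whoever holds ca.key can issue a certificate for any user or group, so run
# this step only where that key already lives and do not copy it around.
# CERT_DAYS defaults to the 500 days used in this example. Kubernetes does not
# check revocation for client certificates, so a leaked key stays usable until
# the certificate expires; outside a lab, prefer a much shorter lifetime and
# remove the RoleBinding to cut off access early.
CERT_DAYS="${CERT_DAYS:-500}"
openssl x509 -req -in employee.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out employee.crt -days "$CERT_DAYS"
# Register the certificate and key as the "employee" credentials in kubeconfig.
kubectl config set-credentials employee --client-certificate=employee.crt --client-key=employee.key
# Add a new context with the new credentials for your Kubernetes cluster.
kubectl config set-context employee-context --cluster=kubernetes --namespace=default --user=employee
kubectl config get-contexts
kubectl config use-context employee-context
# Listing pods is expected to succeed if pod-reader grants read access to pods
# in the default namespace (role.yaml is not shown here; confirm).
kubectl get pods
# Ask the API server whether the current user may delete pods, without
# attempting it. With a read-only Role the answer is expected to be "no".
kubectl auth can-i delete pods
# Attempt the delete to see the denial itself; with a read-only Role this is
# expected to be rejected as Forbidden. Set POD_NAME to one of the pods listed
# above first (a literal <pod name> would be parsed by the shell as redirection).
kubectl delete pods "${POD_NAME:?set POD_NAME to a pod from the list above}"
# Change back to the admin context.
kubectl config use-context kubernetes-admin@kubernetes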

Lab 3: ClusterRole and ClusterRoleBinding

# Create the ClusterRole defined in clusrole.yaml. A ClusterRole is not tied to
# a namespace.
kubectl create --filename=clusrole.yaml
kubectl get clusterroles
# Review the rules (resources and verbs) that secret-reader grants.
kubectl describe clusterroles secret-reader

# Create the ClusterRoleBinding defined in clusbinding.yaml. A ClusterRoleBinding
# grants the ClusterRole in every namespace.
kubectl create --filename=clusbinding.yaml
kubectl get clusterrolebindings
# Check the subject list. If secret-reader allows reading Secrets (clusrole.yaml
# is not shown here; confirm), each subject can read Secrets cluster-wide, so
# keep the list as narrow as possible. A RoleBinding that references the same
# ClusterRole would limit the grant to a single namespace.
kubectl describe clusterrolebindings read-secrets-global