
How to bind roles with service accounts - Kubernetes

I know there are a lot of similar questions, but none of them has a solution as far as I have browsed. Coming to the issue, I have created a service account (using a command), a role (using a .yaml file), and a role binding (using .yaml files). The role grants access only to the pods. But when I log in to the dashboard (Token method) using the SA that the role is attached to, I'm able to view all the resources without any restrictions. Here are the files and commands used by me.

Role.yaml:

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: assembly-prod
  name: testreadrole
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
```

RoleBinding.yaml:

```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: testrolebinding
  namespace: assembly-prod
subjects:
- kind: ServiceAccount
  name: testsa
  apiGroup: ""
roleRef:
  kind: Role
  name: testreadrole
  apiGroup: rbac.authorization.k8s.io
```

Command used to create service account: `kubectl create serviceaccount <saname> --namespace <namespacename>`

UPDATE: I created a service account and did not attach any kind of role to it. When I tried to log in with this SA, it let me through and I was able to perform all kinds of activities, including deleting "secrets". So by default all SAs are assuming admin access, and that is the reason why my above roles are not working. Is this behavior expected? If yes, then how can I change it?

vishal asked Dec 16 '19 09:12


People also ask

What is role binding in Kubernetes?

A role binding grants the permissions defined in a role to a user or set of users. It holds a list of subjects (users, groups, or service accounts), and a reference to the role being granted. A RoleBinding grants permissions within a specific namespace whereas a ClusterRoleBinding grants that access cluster-wide.

How service account works in Kubernetes?

Kubernetes service accounts let you give an identity to your Pods, which can be used to: Authenticate Pods to the Kubernetes API server, allowing the Pods to read and manipulate Kubernetes API objects (for example, a CI/CD pipeline that deploys applications to your cluster).

Are service accounts namespace specific?

Service accounts are per namespace, so when done on a service account, any pods in that namespace that use this account will be affected by that setting.


3 Answers

Try the below steps

```bash
# create service account
kubectl create serviceaccount pod-viewer

# create cluster role/role
kubectl apply -f - <<'EOF'
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-viewer
rules:
- apiGroups: [""] # core API group
  resources: ["pods", "namespaces"]
  verbs: ["get", "watch", "list"]
EOF

# create cluster role binding
kubectl create clusterrolebinding pod-viewer \
  --clusterrole=pod-viewer \
  --serviceaccount=default:pod-viewer

# get service account secret
kubectl get secret | grep pod-viewer
pod-viewer-token-6fdcn   kubernetes.io/service-account-token   3      2m58s

# get token
kubectl describe secret pod-viewer-token-6fdcn
Name:         pod-viewer-token-6fdcn
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: pod-viewer
              kubernetes.io/service-account.uid: bbfb3c4e-2254-11ea-a26c-0242ac110009

Type:  kubernetes.io/service-account-token

Data
====
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InBvZC12aWV3ZXItdG9rZW4tNmZkY24iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoicG9kLXZpZXdlciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImJiZmIzYzRlLTIyNTQtMTFlYS1hMjZjLTAyNDJhYzExMDAwOSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnBvZC12aWV3ZXIifQ.Pgco_4UwTCiOfYYS4QLwqgWnG8nry6JxoGiJCDuO4ZVDWUOkGJ3w6-8K1gGRSzWFOSB8E0l2YSQR4PB9jlc_9GYCFQ0-XNgkuiZBPvsTmKXdDvCNFz7bmg_Cua7HnACkKDbISKKyK4HMH-ShgVXDoMG5KmQQ_TCWs2E_a88COGMA543QL_BxckFowQZk19Iq8yEgSEfI9m8qfz4n6G7dQu9IpUSmVNUVB5GaEsaCIg6h_AXxDds5Ot6ngWUawvhYrPRv79zVKfAxYKwetjC291-qiIM92XZ63-YJJ3xbxPAsnCEwL_hG3P95-CNzoxJHKEfs_qa7a4hfe0k6HtHTWA
ca.crt:     1025 bytes
namespace:  7 bytes
```

Log in to the dashboard using the above token. You should see only pods and namespaces.

[![Refer the below link][1]][1]


  [1]: https://i.stack.imgur.com/D9bDi.png
P Ekambaram answered Nov 01 '22 08:11


Okay, I've found the solution for this. The major issue was I'm running my cluster on Azure AKS, which I should have mentioned in the question but did not. It was my mistake. In Azure AKS, if RBAC is not enabled during cluster creation, then there is no use of roles and role-bindings at all. All requests to the api-server will be treated as requests from Admin. This was confirmed by Azure support too. So that was the reason my cluster-role-binding and roles didn't apply.

vishal answered Nov 01 '22 09:11
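
The symptom in the question's update (a service account with no role that can still delete secrets) can be confirmed from the command line by impersonating the account with `kubectl auth can-i`. This is an added example, not part of the original answers: the namespace, account and role names are the question's, while the function names and the list of probed verbs are assumptions.

```bash
#!/usr/bin/env bash
# Added example: probe a service account's effective permissions.
# Names come from the question; the probed verb list is an assumption.

# can_i NS SA VERB RESOURCE -> exit 0 if the API server would allow it.
can_i() {
  kubectl auth can-i "$3" "$4" -n "$1" \
    --as="system:serviceaccount:$1:$2" </dev/null >/dev/null 2>&1
}

# audit_sa NS SA -> exit 0 only if pod reads work and every probe below is denied.
audit_sa() {
  local ns="$1" sa="$2" rc=0 verb res
  # Granted by testreadrole: these should all answer "yes".
  for verb in get list watch; do
    if ! can_i "$ns" "$sa" "$verb" pods; then
      echo "MISSING: $sa cannot $verb pods in $ns"; rc=1
    fi
  done
  # Not granted by testreadrole: a "yes" means a broader binding exists
  # or the API server is not enforcing RBAC at all.
  while read -r verb res; do
    if can_i "$ns" "$sa" "$verb" "$res"; then
      echo "EXCESS: $sa can $verb $res in $ns"; rc=1
    fi
  done <<'EOF'
delete pods
get secrets
delete secrets
create rolebindings
EOF
  return "$rc"
}

# Against a live cluster (your own user needs impersonation rights):
#   audit_sa assembly-prod testsa
```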


I see that the .yamls you provided need some adjustments.

`Role` has wrong formatting after the `rules` part.

`RoleBinding` is missing `namespace:` after `subjects:`, and also is formatted wrongly.

Try something like this:

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: assembly-prod
  name: testreadrole
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: testrolebinding
  namespace: assembly-prod
subjects:
  - kind: ServiceAccount
    name: testsa
    namespace: assembly-prod
roleRef:
  kind: Role
  name: testreadrole
  apiGroup: rbac.authorization.k8s.io
```

There is a very useful guide about Non-Privileged RBAC User Administration in Kubernetes where you can find more detailed info regarding this particular topic.

Wytrzymały Wiktor answered Nov 01 '22 07:11