Hello learners, I am back with another blog. In the last blogs we saw how to create a user in the Kubernetes cluster. Now it is time to attach a role to that user so that the user can access resources as permitted by the role.
Role and Rolebinding:-
In Kubernetes, roles and role bindings are used to define and manage access control within a cluster. They are the essential components of the Kubernetes RBAC (Role-Based Access Control) mechanism. Now we will see what a role and a role binding are exactly:-
Role:-
A role is a Kubernetes object that defines a set of permissions or rules. It specifies which operations are allowed on specific Kubernetes resources within a namespace. Roles are typically used to grant fine-grained access control to resources like pods, services, config maps, secrets, etc.
Roles are namespace-specific, which means they are limited to a particular namespace. They define permissions within that namespace only and do not extend across multiple namespaces. A role can contain multiple rules, each specifying a set of verbs (e.g., create, get, update, delete) and resources (e.g., pods, services) to which the rules apply.
RoleBinding:-
A role binding is a Kubernetes object that binds a role to one or more subjects. It grants the set of permissions defined by a role to a specific user, group, or service account. Role bindings enable users or entities to inherit the permissions defined by the associated role.
Components:-
A role binding consists of three main components:
- RoleRef: Specifies the role that is being bound to the subjects. It includes the role’s name and the API group to which it belongs.
- Subjects: Represents the users, groups, or service accounts to which the role is bound. Subjects can be defined using the subjects field in the role binding.
- Namespace: Specifies the namespace in which the role binding is valid. It determines the scope of the role binding within the cluster.
The combination of a role and role binding allows you to control access and assign permissions to specific resources in Kubernetes. By creating roles and binding them to subjects, you can enforce granular access controls and manage the privileges granted to different users or entities within the cluster.
In summary, roles define permissions for resources within a namespace, and role bindings associate those roles with specific users, groups, or service accounts. Together, they provide a flexible and secure way to manage access control in a Kubernetes cluster.
Role Creation:-
Now we will see how to create a role and bind it to the user we created earlier:-
First of all, we will create a role. Create a role.yml file and paste the below content into it:-
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  verbs: ["get", "watch", "list"]
  resources: ["pods", "pods/log"]
In this yaml, we have defined the pod-reader role, which can list, watch and get pods (and their logs) in the namespace where the role is created (the current namespace, since no namespace is set in metadata). If you want to check which verbs a resource supports, you can run the below command:
kubectl api-resources -o wide | grep -i pods
Now apply the yaml:-
kubectl apply -f role.yml
# To check the created role in the cluster.
kubectl get roles

You can also verify the yaml and command from the images.
Now it is time to attach the role to the user we created, which is where the role binding comes into the picture. Create a role-binding.yml file and paste the below yaml into it.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
subjects:
- kind: User
  name: user-muzakkir
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
Run this command to apply this yaml:-
kubectl apply -f role-binding.yml
You can also verify this in the below image:-

Now you can deploy the nginx pods with the admin user, then switch to the newly created user with the below command:-
kubectl config use-context <backend-user-muzakkir>
Now try to apply or run new pods. You will not be able to do it; with this user you can only list, get and watch pods.
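As an added example (not from the original post), the small POSIX shell script below renders the RoleBinding for a given user and namespace and then checks the effective permissions with `kubectl auth can-i --as=<user>` from the admin context, so you can confirm the user got only get/list/watch on pods and nothing more without switching contexts. It assumes the pod-reader Role from this post already exists in the target namespace and that your current context may impersonate users (cluster-admin can); the function names are my own.

```shell
# Added example (not from the original post): render the RoleBinding for a
# user/namespace and verify effective permissions with `kubectl auth can-i`.
# Assumes the pod-reader Role from this post exists in the namespace.
set -eu
# Print a RoleBinding tying the pod-reader Role to USER in NAMESPACE (explicit).
render_rolebinding() {
  user="$1"; namespace="${2:-default}"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: ${namespace}
subjects:
- kind: User
  name: ${user}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Ask the API server, impersonating USER, whether VERB on RESOURCE is allowed.
# Prints "yes"/"no"; `kubectl auth can-i` exits 1 on "no", hence `|| true`.
can_i() {
  kubectl auth can-i "$1" "$2" -n "$4" --as="$3" 2>/dev/null || true
}

# Return 0 only if USER has exactly read-only pod access: no mutation, no secrets.
verify_pod_reader() {
  user="$1"; namespace="${2:-default}"; failures=0
  for verb in get list watch; do
    [ "$(can_i "$verb" pods "$user" "$namespace")" = "yes" ] ||
      { echo "FAIL: $verb pods should be allowed"; failures=$((failures + 1)); }
  done
  for verb in create update delete; do
    [ "$(can_i "$verb" pods "$user" "$namespace")" = "no" ] ||
      { echo "FAIL: $verb pods should be denied"; failures=$((failures + 1)); }
  done
  [ "$(can_i get secrets "$user" "$namespace")" = "no" ] ||
    { echo "FAIL: get secrets should be denied"; failures=$((failures + 1)); }
  [ "$failures" -eq 0 ]
}
# Set RBAC_RUN=1 to apply the binding and run the checks against a real cluster.
if [ "${RBAC_RUN:-0}" = "1" ]; then
  render_rolebinding user-muzakkir default | kubectl apply -f -
  verify_pod_reader user-muzakkir default && echo "pod-reader permissions verified"
fi
```

If any FAIL line appears, the user has more (or less) than the role intends, which usually means a second binding or a ClusterRoleBinding is also matching that subject.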
A role binding is namespace-scoped, meaning we apply it within a single namespace. But suppose we have thousands of users; it is quite difficult to assign the role to all of them one by one. In that case we use a cluster role and cluster role binding. We will cover this topic in the next blog; you can check it at this link.
Conclusion:-
In this blog, we have seen how to create a role with specific permissions, attach that role to the user we created in the last blogs, and then run a few commands to verify the implementation. If you liked this blog, you can like it, or if you want to read more blogs then follow this link. You can also check out the official Kubernetes documentation.