Kubernetes Cluster Roles and RoleBindings
Kubernetes Cluster Roles and Cluste RoleBindings
Cluster Roles and Cluster Role Bindings
If we notice, user pradeep still can’t get the nodes information. It is becuase, he still does not have access to resources at the cluster scope.
pradeep@learnk8s$ kubectl get nodes
Error from server (Forbidden): nodes is forbidden: User "pradeep" cannot list resource "nodes" in API group "" at the cluster scope
To get this access, we need to create a Cluste role and Cluste role binding.
pradeep@learnk8s$ kubectl config use-context k8s
Switched to context "k8s".
pradeep@learnk8s$ kubectl create clusterrole pradeep-cluster --verb=get,list,watch, --resource=nodes
Warning: '' is not a standard resource verb
clusterrole.rbac.authorization.k8s.io/pradeep-cluster created
Get all available clusterroles. There are many but we can see our newly created clusterrole pradeep-cluster.
pradeep@learnk8s$ kubectl get clusterrole
NAME CREATED AT
admin 2022-02-15T06:57:58Z
cluster-admin 2022-02-15T06:57:58Z
edit 2022-02-15T06:57:58Z
kindnet 2022-02-15T06:58:03Z
kubeadm:get-nodes 2022-02-15T06:58:01Z
pradeep-cluster 2022-02-17T07:33:43Z
system:aggregate-to-admin 2022-02-15T06:57:58Z
system:aggregate-to-edit 2022-02-15T06:57:58Z
system:aggregate-to-view 2022-02-15T06:57:58Z
system:auth-delegator 2022-02-15T06:57:58Z
system:basic-user 2022-02-15T06:57:58Z
system:certificates.k8s.io:certificatesigningrequests:nodeclient 2022-02-15T06:57:58Z
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient 2022-02-15T06:57:58Z
system:certificates.k8s.io:kube-apiserver-client-approver 2022-02-15T06:57:58Z
system:certificates.k8s.io:kube-apiserver-client-kubelet-approver 2022-02-15T06:57:58Z
system:certificates.k8s.io:kubelet-serving-approver 2022-02-15T06:57:58Z
system:certificates.k8s.io:legacy-unknown-approver 2022-02-15T06:57:58Z
system:controller:attachdetach-controller 2022-02-15T06:57:58Z
system:controller:certificate-controller 2022-02-15T06:57:58Z
system:controller:clusterrole-aggregation-controller 2022-02-15T06:57:58Z
system:controller:cronjob-controller 2022-02-15T06:57:58Z
system:controller:daemon-set-controller 2022-02-15T06:57:58Z
system:controller:deployment-controller 2022-02-15T06:57:58Z
system:controller:disruption-controller 2022-02-15T06:57:58Z
system:controller:endpoint-controller 2022-02-15T06:57:58Z
system:controller:endpointslice-controller 2022-02-15T06:57:58Z
system:controller:endpointslicemirroring-controller 2022-02-15T06:57:58Z
system:controller:ephemeral-volume-controller 2022-02-15T06:57:58Z
system:controller:expand-controller 2022-02-15T06:57:58Z
system:controller:generic-garbage-collector 2022-02-15T06:57:58Z
system:controller:horizontal-pod-autoscaler 2022-02-15T06:57:58Z
system:controller:job-controller 2022-02-15T06:57:58Z
system:controller:namespace-controller 2022-02-15T06:57:58Z
system:controller:node-controller 2022-02-15T06:57:58Z
system:controller:persistent-volume-binder 2022-02-15T06:57:58Z
system:controller:pod-garbage-collector 2022-02-15T06:57:58Z
system:controller:pv-protection-controller 2022-02-15T06:57:58Z
system:controller:pvc-protection-controller 2022-02-15T06:57:58Z
system:controller:replicaset-controller 2022-02-15T06:57:58Z
system:controller:replication-controller 2022-02-15T06:57:58Z
system:controller:resourcequota-controller 2022-02-15T06:57:58Z
system:controller:root-ca-cert-publisher 2022-02-15T06:57:58Z
system:controller:route-controller 2022-02-15T06:57:58Z
system:controller:service-account-controller 2022-02-15T06:57:58Z
system:controller:service-controller 2022-02-15T06:57:58Z
system:controller:statefulset-controller 2022-02-15T06:57:58Z
system:controller:ttl-after-finished-controller 2022-02-15T06:57:58Z
system:controller:ttl-controller 2022-02-15T06:57:58Z
system:coredns 2022-02-15T06:58:01Z
system:discovery 2022-02-15T06:57:58Z
system:heapster 2022-02-15T06:57:58Z
system:kube-aggregator 2022-02-15T06:57:58Z
system:kube-controller-manager 2022-02-15T06:57:58Z
system:kube-dns 2022-02-15T06:57:58Z
system:kube-scheduler 2022-02-15T06:57:58Z
system:kubelet-api-admin 2022-02-15T06:57:58Z
system:monitoring 2022-02-15T06:57:58Z
system:node 2022-02-15T06:57:58Z
system:node-bootstrapper 2022-02-15T06:57:58Z
system:node-problem-detector 2022-02-15T06:57:58Z
system:node-proxier 2022-02-15T06:57:58Z
system:persistent-volume-provisioner 2022-02-15T06:57:58Z
system:public-info-viewer 2022-02-15T06:57:58Z
system:service-account-issuer-discovery 2022-02-15T06:57:58Z
system:volume-scheduler 2022-02-15T06:57:58Z
view 2022-02-15T06:57:58Z
Create a clusterrolebinding called pradeep-cluster-binding and bind the user pradeep and clusterrole pradeep-cluster.
pradeep@learnk8s$ kubectl create clusterrolebinding pradeep-cluster-binding --clusterrole=pradeep-cluster --user=pradeep
clusterrolebinding.rbac.authorization.k8s.io/pradeep-cluster-binding created
Get all available clusterrolebindings.
pradeep@learnk8s$ kubectl get clusterrolebindings.rbac.authorization.k8s.io
NAME ROLE AGE
cluster-admin ClusterRole/cluster-admin 2d
kindnet ClusterRole/kindnet 2d
kubeadm:get-nodes ClusterRole/kubeadm:get-nodes 2d
kubeadm:kubelet-bootstrap ClusterRole/system:node-bootstrapper 2d
kubeadm:node-autoapprove-bootstrap ClusterRole/system:certificates.k8s.io:certificatesigningrequests:nodeclient 2d
kubeadm:node-autoapprove-certificate-rotation ClusterRole/system:certificates.k8s.io:certificatesigningrequests:selfnodeclient 2d
kubeadm:node-proxier ClusterRole/system:node-proxier 2d
minikube-rbac ClusterRole/cluster-admin 2d
pradeep-cluster-binding ClusterRole/pradeep-cluster 5s
storage-provisioner ClusterRole/system:persistent-volume-provisioner 2d
system:basic-user ClusterRole/system:basic-user 2d
system:controller:attachdetach-controller ClusterRole/system:controller:attachdetach-controller 2d
system:controller:certificate-controller ClusterRole/system:controller:certificate-controller 2d
system:controller:clusterrole-aggregation-controller ClusterRole/system:controller:clusterrole-aggregation-controller 2d
system:controller:cronjob-controller ClusterRole/system:controller:cronjob-controller 2d
system:controller:daemon-set-controller ClusterRole/system:controller:daemon-set-controller 2d
system:controller:deployment-controller ClusterRole/system:controller:deployment-controller 2d
system:controller:disruption-controller ClusterRole/system:controller:disruption-controller 2d
system:controller:endpoint-controller ClusterRole/system:controller:endpoint-controller 2d
system:controller:endpointslice-controller ClusterRole/system:controller:endpointslice-controller 2d
system:controller:endpointslicemirroring-controller ClusterRole/system:controller:endpointslicemirroring-controller 2d
system:controller:ephemeral-volume-controller ClusterRole/system:controller:ephemeral-volume-controller 2d
system:controller:expand-controller ClusterRole/system:controller:expand-controller 2d
system:controller:generic-garbage-collector ClusterRole/system:controller:generic-garbage-collector 2d
system:controller:horizontal-pod-autoscaler ClusterRole/system:controller:horizontal-pod-autoscaler 2d
system:controller:job-controller ClusterRole/system:controller:job-controller 2d
system:controller:namespace-controller ClusterRole/system:controller:namespace-controller 2d
system:controller:node-controller ClusterRole/system:controller:node-controller 2d
system:controller:persistent-volume-binder ClusterRole/system:controller:persistent-volume-binder 2d
system:controller:pod-garbage-collector ClusterRole/system:controller:pod-garbage-collector 2d
system:controller:pv-protection-controller ClusterRole/system:controller:pv-protection-controller 2d
system:controller:pvc-protection-controller ClusterRole/system:controller:pvc-protection-controller 2d
system:controller:replicaset-controller ClusterRole/system:controller:replicaset-controller 2d
system:controller:replication-controller ClusterRole/system:controller:replication-controller 2d
system:controller:resourcequota-controller ClusterRole/system:controller:resourcequota-controller 2d
system:controller:root-ca-cert-publisher ClusterRole/system:controller:root-ca-cert-publisher 2d
system:controller:route-controller ClusterRole/system:controller:route-controller 2d
system:controller:service-account-controller ClusterRole/system:controller:service-account-controller 2d
system:controller:service-controller ClusterRole/system:controller:service-controller 2d
system:controller:statefulset-controller ClusterRole/system:controller:statefulset-controller 2d
system:controller:ttl-after-finished-controller ClusterRole/system:controller:ttl-after-finished-controller 2d
system:controller:ttl-controller ClusterRole/system:controller:ttl-controller 2d
system:coredns ClusterRole/system:coredns 2d
system:discovery ClusterRole/system:discovery 2d
system:kube-controller-manager ClusterRole/system:kube-controller-manager 2d
system:kube-dns ClusterRole/system:kube-dns 2d
system:kube-scheduler ClusterRole/system:kube-scheduler 2d
system:monitoring ClusterRole/system:monitoring 2d
system:node ClusterRole/system:node 2d
system:node-proxier ClusterRole/system:node-proxier 2d
system:public-info-viewer ClusterRole/system:public-info-viewer 2d
system:service-account-issuer-discovery ClusterRole/system:service-account-issuer-discovery 2d
system:volume-scheduler ClusterRole/system:volume-scheduler 2d
Again, there are many pre-defined but our newly created clusterrolebinding pradeep-cluster-binding is shown.
With that confirmation, let us verify if user pradeep can get the nodes without context-switching.
pradeep@learnk8s$ kubectl get nodes --as pradeep
NAME STATUS ROLES AGE VERSION
k8s Ready control-plane,master 2d v1.23.1
k8s-m02 Ready <none> 2d v1.23.1
Before switching context, let us describe these clusterrole and clusterrolebindings.
ClusterRole:
pradeep@learnk8s$ kubectl describe clusterrole pradeep-cluster
Name: pradeep-cluster
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
nodes [] [] [get list watch ]
ClusterRoleBinding:
pradeep@learnk8s$ kubectl describe clusterrolebindings pradeep-cluster-binding
Name: pradeep-cluster-binding
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: pradeep-cluster
Subjects:
Kind Name Namespace
---- ---- ---------
User pradeep
Switch context now.
pradeep@learnk8s$ kubectl config use-context pradeep
Switched to context "pradeep".
Finally, verify user pradeep can get the nodes.
pradeep@learnk8s$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s Ready control-plane,master 2d v1.23.1
k8s-m02 Ready <none> 2d v1.23.1
Now, we have accomplished our simple goal w.r.t authorization in Kubernetes.
