Creating a Role

A Role is a Kubernetes (K8s) object and, like any other object, is created from a YAML definition file.

name is the name of the Role; a RoleBinding refers to it by this name.

apiGroups is the Kubernetes REST API group the resource belongs to. For the core /api group (pods, configmaps, secrets, services, ...), use the empty string "". For anything else give the group name, e.g. "apps" for deployments. resources are written as lowercase plural names exactly as they appear in the API (pods, configmaps), not as the kind (Pod, ConfigMap); a misspelled or capitalised resource silently matches nothing. verbs lists the allowed API actions (get, list, watch, create, update, patch, delete, deletecollection); "*" means all of them.

A Role is namespaced: it only grants access to resources within its own namespace. The namespace can be specified in the metadata section. If it is not, kubectl uses the namespace of the current context, which is default unless you have changed it.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: default
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "get", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]

We can also restrict access to individual objects by name with resourceNames. Two caveats: resourceNames cannot restrict create, because the object does not exist yet and its name is not known at authorization time; and a list or watch request only matches a name-restricted rule if the client sends a metadata.name field selector for one of the listed names, so a plain "kubectl get pods" is denied by the Role below.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "get"]
    resourceNames: ["frontend", "backend"]

Linking a user to a Role

To link a user to a role, we create a RoleBinding object.

subjects lists who is bound to the role. A subject can be a User, a Group, or a ServiceAccount. For User and Group the apiGroup is rbac.authorization.k8s.io. Kubernetes has no User object to create: the name is simply the username that the authenticator presents (for example the CN of a client certificate), so a binding to a name that nobody authenticates as is harmless but also useless.

roleRef names the Role being granted. It cannot be changed after the binding is created; to point the binding at a different role, delete and recreate it. A RoleBinding may also reference a ClusterRole, in which case the ClusterRole's permissions are granted only within the binding's namespace.

A RoleBinding is namespaced and grants the role only within that namespace. The namespace can be specified in the metadata section. If it is not, kubectl uses the namespace of the current context, which is default unless you have changed it.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-user-developer-role-binding
  namespace: default
subjects:
  - kind: User
    name: dev-user
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
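To make the Role and RoleBinding matching rules concrete, here is an added Python model of how the RBAC authorizer evaluates a request against the objects above. It is example code written for these notes, not code from the original page and not the Kubernetes authorizer itself. The two Roles and the RoleBinding are transcribed as dicts in the same shape as the YAML; the name-restricted Role is renamed developer-frontend here, purely so both can exist at once (an assumption for the example). Only Role references, User and Group subjects, and exact resource names are modelled; ClusterRole, ServiceAccount subjects and subresources such as pods/log are left out.

```python
"""Minimal model of Kubernetes RBAC Role/RoleBinding evaluation (added example)."""

# Transcription of the "developer" Role above. Note the lowercase plural
# "configmaps": the resource name, not the kind, is what gets matched.
DEVELOPER_ROLE = {
    "kind": "Role",
    "metadata": {"name": "developer", "namespace": "default"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["list", "get", "create", "update", "delete"]},
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["create"]},
    ],
}

# Transcription of the name-restricted Role above, renamed so it can coexist
# with DEVELOPER_ROLE in this example (assumed name, not from the notes).
FRONTEND_ROLE = {
    "kind": "Role",
    "metadata": {"name": "developer-frontend", "namespace": "default"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "get"],
         "resourceNames": ["frontend", "backend"]},
    ],
}

# Transcription of the RoleBinding above.
DEV_USER_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "dev-user-developer-role-binding", "namespace": "default"},
    "subjects": [{"kind": "User", "name": "dev-user",
                  "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "developer",
                "apiGroup": "rbac.authorization.k8s.io"},
}

# Lookup tables keyed the way the authorizer resolves a roleRef: by namespace and name.
ROLES = {("default", "developer"): DEVELOPER_ROLE,
         ("default", "developer-frontend"): FRONTEND_ROLE}
BINDINGS = [DEV_USER_BINDING]


def _matches(allowed, value):
    """Wildcard-aware membership test shared by verbs, apiGroups and resources."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource, name=""):
    """True if a single PolicyRule permits the request.

    `name` is the object name carried by the request: the URL segment for get,
    update, delete, or the metadata.name field selector for list/watch. A create
    request and a plain list carry no name, so a rule with resourceNames can
    never authorize them, exactly as in the API server.
    """
    if not _matches(rule["verbs"], verb):
        return False
    if not _matches(rule["apiGroups"], api_group):
        return False
    if not _matches(rule["resources"], resource):
        return False
    names = rule.get("resourceNames", [])
    if names and name not in names:
        return False
    return True


def role_allows(role, verb, api_group, resource, name=""):
    """RBAC is additive: the request is allowed if any rule in the Role allows it."""
    return any(rule_allows(r, verb, api_group, resource, name) for r in role["rules"])


def subjects_match(binding, user, groups=()):
    """True if the binding names this user directly or one of the user's groups."""
    for s in binding["subjects"]:
        if s["kind"] == "User" and s["name"] == user:
            return True
        if s["kind"] == "Group" and s["name"] in groups:
            return True
    return False


def authorize(user, groups, verb, api_group, resource, name, namespace,
              bindings=BINDINGS, roles=ROLES):
    """Resolve RoleBindings in `namespace` to Roles and check the request.

    A binding in another namespace never applies, and a missing Role simply
    grants nothing (there is no deny rule in RBAC, only absence of allow).
    """
    for b in bindings:
        if b["metadata"]["namespace"] != namespace:
            continue
        if b["roleRef"]["kind"] != "Role":  # ClusterRole refs not modelled here
            continue
        if not subjects_match(b, user, groups):
            continue
        role = roles.get((namespace, b["roleRef"]["name"]))
        if role and role_allows(role, verb, api_group, resource, name):
            return True
    return False


if __name__ == "__main__":
    print(authorize("dev-user", [], "delete", "", "pods", "", "default"))      # True
    print(authorize("dev-user", [], "delete", "", "pods", "", "kube-system"))  # False
    print(role_allows(FRONTEND_ROLE, "list", "", "pods"))                       # False
    print(role_allows(FRONTEND_ROLE, "list", "", "pods", "frontend"))           # True
```

Because authorization is purely additive, the model only ever returns True when some binding leads to some rule that matches; there is nothing to "subtract". The useful checks to run against a real cluster are the same ones in the test: can dev-user delete pods in default (yes), in kube-system (no, the binding is namespaced), and does the name-restricted Role let a plain list through (no, unless the client sends a metadata.name field selector).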

Commands