How do I create groups in kubernetes?
What are the default groups created in kubernetes?
In my kubernetes installation, this is the subject section of a ClusterRoleBinding:
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: default
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:serviceaccounts:default
- kind: ServiceAccount
name: default
namespace: kube-system
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:nodes
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: federation-system
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:serviceaccounts:federation-system
How can I see the components of the groups "default" for example. kubectl get xxx?
How can I create my own groups?
Any pointer to documentation specific to groups, not about RBAC or Authorization (I always fall in that k8s documentation and it does not explain groups) will be appreciated.
Thank you.
you dont create groups in Kubernetes, but the groups are defined in the Identity Provider.
For example I use Keystone from Openstack as the Identity provider. I use a Bearer Token to login, and Kubernetes validates the token connecting to Keystone, that answers with my username and my project UUID in Openstack. The project UUID is then the group in Kubernetes.
I can write the following:
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-pods
namespace: default
subjects:
- kind: Group
name: <openstack_project_uuid>
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
or if I want to use the User
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-pods
namespace: default
subjects:
- kind: User
name: <openstack_user_name>
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
Probably someone make post a similar answer with a LDAP example. I always used only Openstack Keystone. But I hope I answered your question.
Related
I can create a rolebinding like this
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: test
namespace: rolebinding-ns
subjects:
- kind: ServiceAccount
name: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
The subject defines a ServiceAccount without the namespace, and we have a "default" serviceaccount in this rolebinding-ns namespace but we have some other "default" serviceaccounts in other namespaces, included the system namespaces, are different serviceaccounts but with the same name
The question is. Which serviceaccount is used in this rolebinding? The one that is in the same namespace as the rolebinding or kube-system one or any other?
I just applied the yml of the rolebinding without error but I do not know which serviceaccount is being used.
There's no namespace specified for the service account in your question:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: test
namespace: rolebinding-ns
subjects:
- kind: ServiceAccount
name: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
Which serviceaccount is used in this rolebinding? The one that is in the same namespace as the rolebinding or kube-system one or any other?
RoleBinding is a namespaced object, therefore in this case the one that is in the same namespace as the rolebinding and no other.
I am trying to create a public namespace public-ns which should be accessible for all the users and groups. I have defined RoleBinding as following which allows 2 group and 2 users to access the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: allow-everyone
namespace: public-ns
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pods-services
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: user-one
- apiGroup: rbac.authorization.k8s.io
kind: User
name: user-two
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: group-one
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: group-two
Now, I want to allow the access to this namespace for all the groups. I have tried giving '*' and any as following it did not work.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: allow-everyone
namespace: public-ns
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pods-services
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: any ## tried '*' as well
Can anyone please suggest me how can I give permissions for everyone for this specific namespace. If this is not possible any alternatives suggested would be great.
Note: OIDC enabled on K8s with Keycloak.
Thanks in advance.
I think you should use special group system:authenticated
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authentication-strategies
Here is a ClusterRoleBinding syntax that I found for creating Cluster role binding. Why does apiGroup needed to be specified when referring to role in roleRef? I have seen similar example in the Kubernetes docs. What is the possible explanation?
Example 1
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: read-secrets-global
subjects:
- kind: Group
name: manager # Name is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: secret-reader
apiGroup: rbac.authorization.k8s.io
Example 2
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: kube-system
All Kubernetes resources have group, version, name, so an apiGroup field is required to identify a group.
For example, if you create your Custom Resource Definition(CRD), you need setting these fields.
below is the sample controller example:
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: foos.samplecontroller.k8s.io
spec:
group: samplecontroller.k8s.io
version: v1alpha1
names:
kind: Foo
plural: foos
scope: Namespaced
(ServiceAccount resource is the core group. so I think ServiceAccount could be omitted a group field.)
i'm getting this error i also created rbac.yaml. But it require admin permission. is it possible to apply rbac.yaml without admin role ??
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: hazelcast-rbac
subjects:
name: default-cluster
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
subjects:
- kind: ServiceAccount
name: default
namespace: default
By default, only cluster admin can create ClusterRoleBinding. If you are project admin, please create RoleBinding instead.
To check if you can create rolebinding:
oc adm policy who-can create rolebinding
When I try to
kubectl create -f cloudflare-argo-rolebinding.yml
this RoleBinding
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cloudflare-argo-rolebinding
namespace: default
subjects:
- kind: ServiceAccount
name: cloudflare-argo
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: cloudflare-argo-role
apiGroup: rbac.authorization.k8s.io
I get this error :
The RoleBinding "cloudflare-argo-rolebinding" is invalid: subjects[0].apiGroup: Unsupported value: "rbac.authorization.k8s.io": supported values: ""
Any idea ? I'm on DigitalOcean using their new Kubernetes service if it helps.
I think problem is using wrong apiGroup.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cloudflare-argo-rolebinding
namespace: default
subjects:
- kind: ServiceAccount
name: cloudflare-argo
# apiGroup is ""(core/v1) for service_account
apiGroup: ""
roleRef:
kind: Role
name: cloudflare-argo-role
apiGroup: rbac.authorization.k8s.io
ServiceAccount subjects are in the v1 API, which is apiGroup ""