Let's say I set up a fresh Kubernetes cluster. I assume the both kube-system and default namespaces will get a service account named default? Which permissions does that service account have? Full read/write permissions?
I'm essentially asking this to understand best practises to give a custom Go controller write access to resources.
Service accounts have no inherent permissions. The permissions they have depend entirely on the authorization mode configured (--authorization-mode flag passed to the apiserver)
Defining RBAC roles is a good method for specifying the permissions required for a controller.
There are existing role definitions for in-tree controllers at https://github.com/kubernetes/kubernetes/tree/master/plugin/pkg/auth/authorizer/rbac/bootstrappolicy
Related
I'm a little confused about the default Service Account in new created Namespace in my Minikube.
Does it have any permissions? It seems not because I can't find any rolebinding or clusterrolebindung which references this SA
Then why is it created when it does not have a permission, or is there a use case around that?
and lastly, why are service accounts by default mount to pods?
Regards
ralph
The default service account doesn’t have enough permissions to retrieve the services running in the same namespace.
Kubernetes follows the convention of closed-to-open which means that by default no user or service account has any permissions.
To fulfill this request, we need to create a role binding associating the default service account with an appropriate role.This is similar to how we assign a viewer role to the service account that can give permission to list pods.
Pods have the default service account assigned even when you don’t ask for it. This is because every pod in the cluster needs to have one (and only one) service account assigned to it.
Refer Kubernetes namespace default service account for more information.
I recently built an EKS cluster w/ Terraform. In doing that, I Created 3 different roles on the cluster, all mapped to the same AWS IAM Role (the one used to create the cluster)
Now, when I try to manage the cluster, RBAC seems to use the least privileged of these (which I made a view role) that only has read-only access.
Is there anyway to tell config to use the admin role instead of view?
I'm afraid I've hosed this cluster and may need to rebuild it.
Some into
You don't need to create a mapping in K8s for an IAM entity that created an EKS cluster, because by default it will be mapped to "system:masters" K8s group automatically. So, if you want to give additional permissions in a K8s cluster, just map other IAM roles/users.
In EKS, IAM entities are used authentication and K8s RBAC are for authorization purposes. The mapping between them is set in aws-auth configMap in kube-system namespace,
Back to the question
I'm not sure, why K8s may have mapped that IAM user to the least privileged K8s user - it may be the default behaviour (bug?) or due to the mapping record (for view perms) being later in the CM, so it just re-wrote the previous mapping.
Any way, there is no possibility to specify a K8s user to use with such mapping.
Also, if you used eksctl to spin up the cluster, you may try creating a new mapping as per docs, but not sure if that will work.
Some reading reference: #1, #2
could you please support me in understanding how to configure the NetworkPolicy in order to set rule, that only predefined user's role may have access for specific pod (or service)?
I have begun with Kubernetes and read "Kebernetes in action", but didn't found any description how to do it. In general, this request is Authorisation task and only solution (i suppose) is to apply some kind of CustomResourceDefinition and create my own controller for manage the behaviour of CustomNetworkPolicy. Am I on right way, or is there any appropriate solution?
My microservices current equipped with authorisation on application level, but i need to move this task on cluster level. One of a reason is, i.e. I can orchestrate access of users without to change the source code of microservices.
I will be very thankful for some example or clarification
Using NetworkPolicy you can only manage the incoming and outgoing traffic to/from pods. For authorization, you can leverage service mesh which provides many more functionalities without changing your source code. The most famous one is istio (https://istio.io/docs/tasks/security/authorization/authz-http/), you can check more of them.
You could use RBAC to control your cluster access permissions.
This link show how you could use RBAC to restrict a namespace from a specific user.
It works perfectly if you need your pods have a limited access to other pods or resources. You could create a serviceAccount with defined permissions and link this account in your deployment, for example. See this link
References:
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
https://kubernetes.io/docs/reference/access-authn-authz/authorization/
I have an application that is going to monitor and if necessary scale other resources. At the moment I am using the cluster-admin tokens for it to access the k8s api but I want to limit its access to just monitor and scale.
I know that I need to use Role and Rolebinding for this but I have two questions:
Can I use just one user and bind it to a role in different namespaces? I need to run multiple instances of my application in different namespaces on a cluster
Is there a way to create a new k8s user via yaml file and use that to bind the role?
At the end if I am using a wrong approach please let me know because I am somehow newbie in RBAC.
You seem to have the right approach.
Have a look at the documentation: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
From experience always leave resources that are linked inside the same namespace, one user with one clusterrole and rolebinding.
Still in the case of rolebinding, they are not namespaced so you should be able to bind one user by namespace to a single clusterrole. Never tested it myself so you will have to do some testing.
There is still the question of why not just create a single app, with a serviceaccount having access to all namespaces and so one app deployed in a namespace will be able to access all the resources it needs to managed in all the cluster?
Is it possible to have multiple rolebindings on the same service account in k8s?
yes, you can have multiple role bindings for a specific service account.
say, you want to grant read only permissions to SA at cluster level, and read and write permissions at namespace level. in this case you will be creating one role binding at namespace level and another at cluster level