SecurityContext
A SecurityContext defines privilege and access control settings for Pods or
containers and can include the following:
- UID- and GID-based Discretionary Access Control
- SELinux security labels
- Linux Capabilities
- AppArmor
- Seccomp
- The AllowPrivilegeEscalation setting
- The runAsNonRoot setting
Setting SecurityContext
kubectl apply -f security-context.yaml
kubectl get pod security-context-demo
kubectl exec -it security-context-demo -- sh
ps
# will show processes running as UID 1000
cd /data; ls -l
# will show fsGroup as the owning GID
id
exit
[root@k8s cka]# kubectl explain pod.spec.securityContext
[root@k8s cka]# kubectl explain pod.spec.containers.securityContext
[root@k8s cka]# cat security-context.yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 2000
  volumes:
  - name: securevol
    emptyDir: {}
  containers:
  - name: sec-demo
    image: busybox
    command: ["sh", "-c", "sleep 3600"]
    volumeMounts:
    - name: securevol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false
[root@k8s cka]# kubectl apply -f security-context.yaml
pod/security-context-demo created
[root@k8s cka]# kubectl get pods security-context-demo
NAME                    READY   STATUS    RESTARTS   AGE
security-context-demo   1/1     Running   0          6m6s
[root@k8s cka]# kubectl exec -it security-context-demo -- sh
~ $ ps
PID   USER     TIME  COMMAND
    1 1000      0:00 sh -c sleep 3600
    7 1000      0:00 sh
   13 1000      0:00 ps
~ $ cd /data
/data $ ls
demo
/data $ ls -l
total 0
drwxrwsrwx    2 root     2000             6 Feb  8 17:24 demo
/data $ id
uid=1000 gid=1000 groups=1000,2000
/data $ cd demo
/data/demo $ touch file
/data/demo $ ls -l
total 0
-rw-r--r--    1 1000     2000             0 Feb  8 17:31 file
/data/demo $ exit
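The demo above sets a non-root UID/GID and disables privilege escalation but leaves the other settings from the list untouched. The following audit script is an added example (not code from the page or from Kubernetes): it transcribes security-context.yaml as a Python dict and checks each container's effective SecurityContext against a baseline that is this example's own assumption (non-root, no privilege escalation, all capabilities dropped, a seccomp profile, read-only root filesystem), then produces a hardened copy that meets it.

```python
"""Audit the SecurityContext of a Pod manifest and produce a hardened copy.

Added example; SECURITY_CONTEXT_DEMO is the page's security-context.yaml as a
Python dict. The baseline checked below is an assumption of this example, not
a Kubernetes default.
"""
import copy

SECURITY_CONTEXT_DEMO = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "security-context-demo"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 1000, "fsGroup": 2000},
        "volumes": [{"name": "securevol", "emptyDir": {}}],
        "containers": [{
            "name": "sec-demo",
            "image": "busybox",
            "command": ["sh", "-c", "sleep 3600"],
            "volumeMounts": [{"name": "securevol", "mountPath": "/data/demo"}],
            "securityContext": {"allowPrivilegeEscalation": False},
        }],
    },
}


def effective_context(pod_ctx, container_ctx):
    """A field set on the container overrides the same field set on the Pod."""
    merged = dict(pod_ctx)
    merged.update(container_ctx)
    return merged


def check_container(pod_ctx, container):
    """Return the list of baseline violations for one container (empty = ok)."""
    ctx = effective_context(pod_ctx, container.get("securityContext") or {})
    findings = []
    if ctx.get("privileged"):
        findings.append("privileged: true")
    # runAsUser 0, or unset (image default, often root), without runAsNonRoot
    # lets the container start as root.
    if ctx.get("runAsUser", 0) == 0 and not ctx.get("runAsNonRoot"):
        findings.append("may run as root: runAsUser is 0/unset and runAsNonRoot is not true")
    if ctx.get("allowPrivilegeEscalation", True):
        findings.append("allowPrivilegeEscalation is not false")
    caps = ctx.get("capabilities") or {}
    if "ALL" not in caps.get("drop", []):
        findings.append("capabilities.drop does not include ALL")
    if caps.get("add"):
        findings.append("capabilities added: " + ", ".join(caps["add"]))
    if (ctx.get("seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append("no seccomp profile (seccompProfile.type RuntimeDefault or Localhost)")
    if not ctx.get("readOnlyRootFilesystem"):
        findings.append("readOnlyRootFilesystem is not true")
    return findings


def check_pod(pod):
    """Map container name -> findings for every container in the Pod."""
    spec = pod["spec"]
    pod_ctx = spec.get("securityContext") or {}
    return {c["name"]: check_container(pod_ctx, c) for c in spec.get("containers", [])}


def hardened_copy(pod):
    """Return a deep copy of the Pod with every container brought to the baseline.

    The demo's writes go to the emptyDir mounted at /data/demo, so a read-only
    root filesystem does not change what the transcript above does.
    """
    hardened = copy.deepcopy(pod)
    hardened["spec"].setdefault("securityContext", {})["runAsNonRoot"] = True
    for c in hardened["spec"]["containers"]:
        ctx = c.setdefault("securityContext", {})
        ctx["allowPrivilegeEscalation"] = False
        ctx["capabilities"] = {"drop": ["ALL"]}
        ctx["seccompProfile"] = {"type": "RuntimeDefault"}
        ctx["readOnlyRootFilesystem"] = True
    return hardened


if __name__ == "__main__":
    for name, findings in check_pod(SECURITY_CONTEXT_DEMO).items():
        print(name, "->", findings or "baseline met")
    for name, findings in check_pod(hardened_copy(SECURITY_CONTEXT_DEMO)).items():
        print("hardened", name, "->", findings or "baseline met")
```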
Kubernetes Users
- The Kubernetes API doesn't define users for people to authenticate and authorize
- Users are obtained externally:
  - Defined by X.509 certificates
  - Obtained from external OpenID-based authentication (Google, AD and many more)
- ServiceAccounts are used to authorize Pods to get access to specific API resources
[root@k8s cka]# kubectl get sa
NAME      SECRETS   AGE
default   0         8d
[root@k8s cka]# kubectl get sa default -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2024-01-31T15:03:38Z"
  name: default
  namespace: default
  resourceVersion: "303"
  uid: bd177ac9-8df9-4cdb-99e2-ac8acd4727f6
[root@k8s cka]# kubectl get sa -A
NAMESPACE              NAME                                 SECRETS   AGE
default                default                              0         8d
ingress-nginx          default                              0         6d18h
ingress-nginx          ingress-nginx                        0         6d18h
kube-node-lease        default                              0         8d
kube-public            default                              0         8d
kube-system            attachdetach-controller              0         8d
kube-system            bootstrap-signer                     0         8d
kube-system            certificate-controller               0         8d
kube-system            clusterrole-aggregation-controller   0         8d
kube-system            coredns                              0         8d
kube-system            cronjob-controller                   0         8d
kube-system            daemon-set-controller                0         8d
kube-system            default                              0         8d
kube-system            deployment-controller                0         8d
kube-system            disruption-controller                0         8d
kube-system            endpoint-controller                  0         8d
kube-system            endpointslice-controller             0         8d
kube-system            endpointslicemirroring-controller    0         8d
kube-system            ephemeral-volume-controller          0         8d
kube-system            expand-controller                    0         8d
kube-system            generic-garbage-collector            0         8d
kube-system            horizontal-pod-autoscaler            0         8d
kube-system            job-controller                       0         8d
kube-system            kube-proxy                           0         8d
kube-system            metrics-server                       0         4d21h
kube-system            namespace-controller                 0         8d
kube-system            node-controller                      0         8d
kube-system            persistent-volume-binder             0         8d
kube-system            pod-garbage-collector                0         8d
kube-system            pv-protection-controller             0         8d
kube-system            pvc-protection-controller            0         8d
kube-system            replicaset-controller                0         8d
kube-system            replication-controller               0         8d
kube-system            resourcequota-controller             0         8d
kube-system            root-ca-cert-publisher               0         8d
kube-system            service-account-controller           0         8d
kube-system            service-controller                   0         8d
kube-system            statefulset-controller               0         8d
kube-system            storage-provisioner                  0         8d
kube-system            token-cleaner                        0         8d
kube-system            ttl-after-finished-controller        0         8d
kube-system            ttl-controller                       0         8d
kubernetes-dashboard   default                              0         7d17h
kubernetes-dashboard   kubernetes-dashboard                 0         7d17h
limited                default                              0         3d
nwp-namespace          default                              0         2d3h
remote                 default                              0         2d15h
restricted             default                              0         46h
Configuring Roles
- Roles are used on Namespaces and use Verbs to specify access to specific resources in that Namespace
- Use kubectl create role to create roles
[root@k8s cka]# kubectl create role -h
[root@k8s cka]# kubectl get roles -A
NAMESPACE              NAME                                             CREATED AT
ingress-nginx          ingress-nginx                                    2024-02-02T20:09:01Z
kube-public            kubeadm:bootstrap-signer-clusterinfo             2024-01-31T15:03:26Z
kube-public            system:controller:bootstrap-signer               2024-01-31T15:03:25Z
kube-system            extension-apiserver-authentication-reader        2024-01-31T15:03:25Z
kube-system            kube-proxy                                       2024-01-31T15:03:27Z
kube-system            kubeadm:kubelet-config                           2024-01-31T15:03:25Z
kube-system            kubeadm:nodes-kubeadm-config                     2024-01-31T15:03:25Z
kube-system            system::leader-locking-kube-controller-manager   2024-01-31T15:03:25Z
kube-system            system::leader-locking-kube-scheduler            2024-01-31T15:03:25Z
kube-system            system:controller:bootstrap-signer               2024-01-31T15:03:25Z
kube-system            system:controller:cloud-provider                 2024-01-31T15:03:25Z
kube-system            system:controller:token-cleaner                  2024-01-31T15:03:25Z
kube-system            system:persistent-volume-provisioner             2024-01-31T15:03:28Z
kubernetes-dashboard   kubernetes-dashboard                             2024-02-01T20:36:25Z
Creating RoleBindings
- RoleBindings connect users or ServiceAccounts to Roles
- Use kubectl create rolebinding to create it
[root@k8s cka]# kubectl get rolebinding
No resources found in default namespace.
[root@k8s cka]# kubectl get rolebinding -A
NAMESPACE              NAME                                                ROLE                                                  AGE
ingress-nginx          ingress-nginx                                       Role/ingress-nginx                                    9d
kube-public            kubeadm:bootstrap-signer-clusterinfo                Role/kubeadm:bootstrap-signer-clusterinfo             12d
kube-public            system:controller:bootstrap-signer                  Role/system:controller:bootstrap-signer               12d
kube-system            kube-proxy                                          Role/kube-proxy                                       12d
kube-system            kubeadm:kubelet-config                              Role/kubeadm:kubelet-config                           12d
kube-system            kubeadm:nodes-kubeadm-config                        Role/kubeadm:nodes-kubeadm-config                     12d
kube-system            metrics-server-auth-reader                          Role/extension-apiserver-authentication-reader        8d
kube-system            system::extension-apiserver-authentication-reader   Role/extension-apiserver-authentication-reader        12d
kube-system            system::leader-locking-kube-controller-manager      Role/system::leader-locking-kube-controller-manager   12d
kube-system            system::leader-locking-kube-scheduler               Role/system::leader-locking-kube-scheduler            12d
kube-system            system:controller:bootstrap-signer                  Role/system:controller:bootstrap-signer               12d
kube-system            system:controller:cloud-provider                    Role/system:controller:cloud-provider                 12d
kube-system            system:controller:token-cleaner                     Role/system:controller:token-cleaner                  12d
kube-system            system:persistent-volume-provisioner                Role/system:persistent-volume-provisioner             12d
kubernetes-dashboard   kubernetes-dashboard                                Role/kubernetes-dashboard                             10d
[root@k8s cka]# kubectl get rolebindings.rbac.authorization.k8s.io -n ingress-nginx ingress-nginx -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    meta.helm.sh/release-name: ingress-nginx
    meta.helm.sh/release-namespace: ingress-nginx
  creationTimestamp: "2024-02-02T20:09:01Z"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.6
    helm.sh/chart: ingress-nginx-4.9.1
  name: ingress-nginx
  namespace: ingress-nginx
  resourceVersion: "98215"
  uid: 8d8de8c1-91ff-41e0-893d-990220b4beac
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
[root@k8s cka]# kubectl create rolebinding -h
Creating ServiceAccounts
- A ServiceAccount is used to authorize Pods to get information from the API
- All Pods have a default ServiceAccount which provides minimal access
- If more access is needed, specific ServiceAccounts can be created
- ServiceAccounts don't carry specific configuration themselves; they are named as subjects in RoleBindings to get access to specific Roles
Configuring ServiceAccounts
1. Create a Pod, using the standard ServiceAccount: kubectl apply -f mypod.yaml
2. Use kubectl get pods mypod -o yaml to check the current SA configuration
3. Access the Pod using kubectl exec -it mypod -- sh, then try to list Pods using curl on the API:
   1. apk add --update curl
   2. curl https://kubernetes/api/v1 --insecure
      # will be forbidden
4. Use the default ServiceAccount token and try again:
   1. TOKEN=$(cat /run/secrets/kubernetes.io/serviceaccount/token)
   2. curl -H "Authorization: Bearer $TOKEN" https://kubernetes/api/v1/ --insecure
5. Try the same, but this time to list Pods – it will fail:
   1. curl -H "Authorization: Bearer $TOKEN" https://kubernetes/api/v1/namespaces/default/pods/ --insecure
[root@k8s cka]# cat mypod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: alpine
    image: alpine:3.9
    command:
    - "sleep"
    - "3600"
[root@k8s cka]# kubectl apply -f mypod.yaml
pod/mypod created
[root@k8s cka]# kubectl get pods mypod -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"name":"mypod","namespace":"default"},"spec":{"containers":[{"command":["sleep","3600"],"image":"alpine:3.9","name":"alpine"}]}}
  creationTimestamp: "2024-02-12T17:04:50Z"
  name: mypod
  namespace: default
  resourceVersion: "918974"
  uid: a0c27f53-40fb-471f-9e19-535142daee9c
spec:
  containers:
  - command:
    - sleep
    - "3600"
    image: alpine:3.9
    imagePullPolicy: IfNotPresent
    name: alpine
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-g57bc
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: k8s.netico.pl
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: kube-api-access-g57bc
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2024-02-12T17:04:50Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2024-02-12T17:04:55Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2024-02-12T17:04:55Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2024-02-12T17:04:50Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: docker://1f205198c18df3a38ebdc53a210a0829baf7b84df586ded25e3c0212700dd219
    image: alpine:3.9
    imageID: docker-pullable://alpine@sha256:414e0518bb9228d35e4cd5165567fb91d26c6a214e9c95899e1e056fcd349011
    lastState: {}
    name: alpine
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2024-02-12T17:04:54Z"
  hostIP: 172.30.9.24
  phase: Running
  podIP: 10.244.0.88
  podIPs:
  - ip: 10.244.0.88
  qosClass: BestEffort
  startTime: "2024-02-12T17:04:50Z"
[root@k8s cka]# kubectl exec -it mypod -- sh
/ # apk add --update curl
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.9/main: temporary error (try again later)
WARNING: Ignoring APKINDEX.b89edf6e.tar.gz: No such file or directory
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.9/community: temporary error (try again later)
WARNING: Ignoring APKINDEX.737f7e01.tar.gz: No such file or directory
ERROR: unsatisfiable constraints:
  curl (missing):
    required by: world[curl]
/ # curl https://kubernetes/api/v1 --insecure
sh: curl: not found
/ # TOKEN=$(cat /run/secrets/kubernetes.io/serviceaccount/token)
/ # curl -H "Authorization: Bearer $TOKEN" https://kubernetes/api/v1/ --insecure
/ # curl -H "Authorization: Bearer $TOKEN"https://kubernetes/api/v1/namespaces/default/pods/ --insecure
sh: curl: not found
/ # exit
command terminated with exit code 127
Configuring ServiceAccounts
1. Create a ServiceAccount: kubectl apply -f mysa.yaml
2. Define a Role that allows listing all Pods in the default Namespace: kubectl apply -f list-pods.yaml
3. Define a RoleBinding that binds mysa to the Role just created: kubectl apply -f list-pods-mysa-binding.yaml
4. Create a Pod that uses the mysa SA to access this Role: kubectl apply -f mysapod.yaml
5. Access the Pod, use the mysa ServiceAccount token and try again:
   1. apk add --update curl
   2. TOKEN=$(cat /run/secrets/kubernetes.io/serviceaccount/token)
   3. curl -H "Authorization: Bearer $TOKEN" https://kubernetes/api/v1/ --insecure
6. Try the same, but this time to list Pods:
   1. curl -H "Authorization: Bearer $TOKEN" https://kubernetes/api/v1/namespaces/default/pods/ --insecure
[root@k8s cka]# cat mysa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mysa
[root@k8s cka]# kubectl apply -f mysa.yaml
serviceaccount/mysa created
[root@k8s cka]# cat list-pods.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: list-pods
  namespace: default
rules:
- apiGroups:
  - ''
  resources:
  - pods
  verbs:
  - list
Above we see a very simple mysa ServiceAccount definition and a very simple Role, list-pods, which grants only the list verb on pods in the default Namespace.
[root@k8s cka]# kubectl apply -f list-pods.yaml
role.rbac.authorization.k8s.io/list-pods created
[root@k8s cka]# cat list-pods-mysa-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: list-pods-mysa-binding
  namespace: default
roleRef:
  kind: Role
  name: list-pods
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: mysa
  namespace: default
The RoleBinding lives in the default Namespace; its subject is the ServiceAccount mysa, also in the default Namespace.
[root@k8s cka]# kubectl apply -f list-pods-mysa-binding.yaml
rolebinding.rbac.authorization.k8s.io/list-pods-mysa-binding created
[root@k8s cka]# cat mysapod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mysapod
spec:
  serviceAccountName: mysa
  containers:
  - name: alpine
    image: alpine:3.9
    command:
    - "sleep"
    - "3600"
[root@k8s cka]# kubectl apply -f mysapod.yaml
pod/mysapod created
[root@k8s cka]# kubectl exec -it mysapod -- sh
/ # apk add --update curl
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.9/main: temporary error (try again later)
WARNING: Ignoring APKINDEX.b89edf6e.tar.gz: No such file or directory
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.9/community: temporary error (try again later)
WARNING: Ignoring APKINDEX.737f7e01.tar.gz: No such file or directory
ERROR: unsatisfiable constraints:
  curl (missing):
    required by: world[curl]
/ # TOKEN=$(cat /run/secrets/kubernetes.io/serviceaccount/token)
/ # curl-H "Authorization: Bearer $TOKEN" https://kubernetes/api/v1/ --insecure
sh: curl-H: not found
/ # curl -H "Authorization: Bearer $TOKEN" https://kubernetes/api/v1/ --insecure
sh: curl: not found
/ # curl -H "Authorization: Bearer $TOKEN"
sh: curl: not found
/ # https://kubernetes/api/v1/namespaces/default/pods/ --insecure
sh: https://kubernetes/api/v1/namespaces/default/pods/: not found
/ # curl -H "Authorization: Bearer $TOKEN"https://kubernetes/api/v1/namespaces/default/pods/ --insecure
sh: curl: not found
ClusterRoles
- Roles have a Namespace scope, ClusterRoles apply to the entire cluster
- They work the same way as Roles
- To provide access to ClusterRoles, use users or ServiceAccounts and provide access through a ClusterRoleBinding
[root@k8s cka]# kubectl get clusterrole
NAME                                                                   CREATED AT
admin                                                                  2024-01-31T15:03:24Z
cluster-admin                                                          2024-01-31T15:03:24Z
edit                                                                   2024-01-31T15:03:24Z
ingress-nginx                                                          2024-02-02T20:09:01Z
kubeadm:get-nodes                                                      2024-01-31T15:03:26Z
kubernetes-dashboard                                                   2024-02-01T20:36:25Z
system:aggregate-to-admin                                              2024-01-31T15:03:24Z
system:aggregate-to-edit                                               2024-01-31T15:03:24Z
system:aggregate-to-view                                               2024-01-31T15:03:24Z
system:aggregated-metrics-reader                                       2024-02-04T16:24:05Z
system:auth-delegator                                                  2024-01-31T15:03:24Z
system:basic-user                                                      2024-01-31T15:03:24Z
system:certificates.k8s.io:certificatesigningrequests:nodeclient       2024-01-31T15:03:24Z
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient   2024-01-31T15:03:24Z
system:certificates.k8s.io:kube-apiserver-client-approver              2024-01-31T15:03:24Z
system:certificates.k8s.io:kube-apiserver-client-kubelet-approver      2024-01-31T15:03:24Z
system:certificates.k8s.io:kubelet-serving-approver                    2024-01-31T15:03:24Z
system:certificates.k8s.io:legacy-unknown-approver                     2024-01-31T15:03:24Z
system:controller:attachdetach-controller                              2024-01-31T15:03:24Z
system:controller:certificate-controller                               2024-01-31T15:03:24Z
system:controller:clusterrole-aggregation-controller                   2024-01-31T15:03:24Z
system:controller:cronjob-controller                                   2024-01-31T15:03:24Z
system:controller:daemon-set-controller                                2024-01-31T15:03:24Z
system:controller:deployment-controller                                2024-01-31T15:03:24Z
system:controller:disruption-controller                                2024-01-31T15:03:24Z
system:controller:endpoint-controller                                  2024-01-31T15:03:24Z
system:controller:endpointslice-controller                             2024-01-31T15:03:24Z
system:controller:endpointslicemirroring-controller                    2024-01-31T15:03:24Z
system:controller:ephemeral-volume-controller                          2024-01-31T15:03:24Z
system:controller:expand-controller                                    2024-01-31T15:03:24Z
system:controller:generic-garbage-collector                            2024-01-31T15:03:24Z
system:controller:horizontal-pod-autoscaler                            2024-01-31T15:03:24Z
system:controller:job-controller                                       2024-01-31T15:03:24Z
system:controller:namespace-controller                                 2024-01-31T15:03:24Z
system:controller:node-controller                                      2024-01-31T15:03:24Z
system:controller:persistent-volume-binder                             2024-01-31T15:03:24Z
system:controller:pod-garbage-collector                                2024-01-31T15:03:24Z
system:controller:pv-protection-controller                             2024-01-31T15:03:24Z
system:controller:pvc-protection-controller                            2024-01-31T15:03:24Z
system:controller:replicaset-controller                                2024-01-31T15:03:24Z
system:controller:replication-controller                               2024-01-31T15:03:24Z
system:controller:resourcequota-controller                             2024-01-31T15:03:24Z
system:controller:root-ca-cert-publisher                               2024-01-31T15:03:24Z
system:controller:route-controller                                     2024-01-31T15:03:24Z
system:controller:service-account-controller                           2024-01-31T15:03:24Z
system:controller:service-controller                                   2024-01-31T15:03:24Z
system:controller:statefulset-controller                               2024-01-31T15:03:24Z
system:controller:ttl-after-finished-controller                        2024-01-31T15:03:24Z
system:controller:ttl-controller                                       2024-01-31T15:03:24Z
system:coredns                                                         2024-01-31T15:03:27Z
system:discovery                                                       2024-01-31T15:03:24Z
system:heapster                                                        2024-01-31T15:03:24Z
system:kube-aggregator                                                 2024-01-31T15:03:24Z
system:kube-controller-manager                                         2024-01-31T15:03:24Z
system:kube-dns                                                        2024-01-31T15:03:24Z
system:kube-scheduler                                                  2024-01-31T15:03:24Z
system:kubelet-api-admin                                               2024-01-31T15:03:24Z
system:metrics-server                                                  2024-02-04T16:24:05Z
system:monitoring                                                      2024-01-31T15:03:24Z
system:node                                                            2024-01-31T15:03:24Z
system:node-bootstrapper                                               2024-01-31T15:03:24Z
system:node-problem-detector                                           2024-01-31T15:03:24Z
system:node-proxier                                                    2024-01-31T15:03:24Z
system:persistent-volume-provisioner                                   2024-01-31T15:03:24Z
system:public-info-viewer                                              2024-01-31T15:03:24Z
system:service-account-issuer-discovery                                2024-01-31T15:03:24Z
system:volume-scheduler                                                2024-01-31T15:03:24Z
view                                                                   2024-01-31T15:03:24Z
[root@k8s cka]# kubectl get clusterrole edit -o yaml | more
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-edit: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2024-01-31T15:03:24Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
  name: edit
  resourceVersion: "252703"
  uid: ecbd635d-93c8-409a-b3bb-ed6f3fa91cba
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
[root@k8s cka]# kubectl get clusterrolebindings
NAME                                                   ROLE                                                                               AGE
cluster-admin                                          ClusterRole/cluster-admin                                                          12d
ingress-nginx                                          ClusterRole/ingress-nginx                                                          10d
kubeadm:get-nodes                                      ClusterRole/kubeadm:get-nodes                                                      12d
kubeadm:kubelet-bootstrap                              ClusterRole/system:node-bootstrapper                                               12d
kubeadm:node-autoapprove-bootstrap                     ClusterRole/system:certificates.k8s.io:certificatesigningrequests:nodeclient       12d
kubeadm:node-autoapprove-certificate-rotation          ClusterRole/system:certificates.k8s.io:certificatesigningrequests:selfnodeclient   12d
kubeadm:node-proxier                                   ClusterRole/system:node-proxier                                                    12d
kubernetes-dashboard                                   ClusterRole/cluster-admin                                                          11d
metrics-server:system:auth-delegator                   ClusterRole/system:auth-delegator                                                  8d
minikube-rbac                                          ClusterRole/cluster-admin                                                          12d
storage-provisioner                                    ClusterRole/system:persistent-volume-provisioner                                   12d
system:basic-user                                      ClusterRole/system:basic-user                                                      12d
system:controller:attachdetach-controller              ClusterRole/system:controller:attachdetach-controller                              12d
system:controller:certificate-controller               ClusterRole/system:controller:certificate-controller                               12d
system:controller:clusterrole-aggregation-controller   ClusterRole/system:controller:clusterrole-aggregation-controller                   12d
system:controller:cronjob-controller                   ClusterRole/system:controller:cronjob-controller                                   12d
system:controller:daemon-set-controller                ClusterRole/system:controller:daemon-set-controller                                12d
system:controller:deployment-controller                ClusterRole/system:controller:deployment-controller                                12d
system:controller:disruption-controller                ClusterRole/system:controller:disruption-controller                                12d
system:controller:endpoint-controller                  ClusterRole/system:controller:endpoint-controller                                  12d
system:controller:endpointslice-controller             ClusterRole/system:controller:endpointslice-controller                             12d
system:controller:endpointslicemirroring-controller    ClusterRole/system:controller:endpointslicemirroring-controller                    12d
system:controller:ephemeral-volume-controller          ClusterRole/system:controller:ephemeral-volume-controller                          12d
system:controller:expand-controller                    ClusterRole/system:controller:expand-controller                                    12d
system:controller:generic-garbage-collector            ClusterRole/system:controller:generic-garbage-collector                            12d
system:controller:horizontal-pod-autoscaler            ClusterRole/system:controller:horizontal-pod-autoscaler                            12d
system:controller:job-controller                       ClusterRole/system:controller:job-controller                                       12d
system:controller:namespace-controller                 ClusterRole/system:controller:namespace-controller                                 12d
system:controller:node-controller                      ClusterRole/system:controller:node-controller                                      12d
system:controller:persistent-volume-binder             ClusterRole/system:controller:persistent-volume-binder                             12d
system:controller:pod-garbage-collector                ClusterRole/system:controller:pod-garbage-collector                                12d
system:controller:pv-protection-controller             ClusterRole/system:controller:pv-protection-controller                             12d
system:controller:pvc-protection-controller            ClusterRole/system:controller:pvc-protection-controller                            12d
system:controller:replicaset-controller                ClusterRole/system:controller:replicaset-controller                                12d
system:controller:replication-controller               ClusterRole/system:controller:replication-controller                               12d
system:controller:resourcequota-controller             ClusterRole/system:controller:resourcequota-controller                             12d
system:controller:root-ca-cert-publisher               ClusterRole/system:controller:root-ca-cert-publisher                               12d
system:controller:route-controller                     ClusterRole/system:controller:route-controller                                     12d
system:controller:service-account-controller           ClusterRole/system:controller:service-account-controller                           12d
system:controller:service-controller                   ClusterRole/system:controller:service-controller                                   12d
system:controller:statefulset-controller               ClusterRole/system:controller:statefulset-controller                               12d
system:controller:ttl-after-finished-controller        ClusterRole/system:controller:ttl-after-finished-controller                        12d
system:controller:ttl-controller                       ClusterRole/system:controller:ttl-controller                                       12d
system:coredns                                         ClusterRole/system:coredns                                                         12d
system:discovery                                       ClusterRole/system:discovery                                                       12d
system:kube-controller-manager                         ClusterRole/system:kube-controller-manager                                         12d
system:kube-dns                                        ClusterRole/system:kube-dns                                                        12d
system:kube-scheduler                                  ClusterRole/system:kube-scheduler                                                  12d
system:metrics-server                                  ClusterRole/system:metrics-server                                                  8d
system:monitoring                                      ClusterRole/system:monitoring                                                      12d
system:node                                            ClusterRole/system:node                                                            12d
system:node-proxier                                    ClusterRole/system:node-proxier                                                    12d
system:public-info-viewer                              ClusterRole/system:public-info-viewer                                              12d
system:service-account-issuer-discovery                ClusterRole/system:service-account-issuer-discovery                                12d
system:volume-scheduler                                ClusterRole/system:volume-scheduler                                                12d
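To see why the default ServiceAccount is refused when listing Pods, why mysa is allowed only in the default Namespace, and how a ClusterRole's scope depends on the kind of binding that references it, the following evaluator is an added example (not code from the page or from the Kubernetes authorizer) that serves the Roles, RoleBindings, ServiceAccounts and ClusterRoles sections above. ROLES and the first binding reproduce list-pods.yaml, list-pods-mysa-binding.yaml and mysa.yaml; CLUSTER_ROLES["edit"] holds only the rules the `more` excerpt shows; the second binding (User anna in namespace staff) and the simplified matching (no resourceNames, nonResourceURLs or aggregation) are this example's own assumptions.

```python
"""Evaluate Kubernetes RBAC decisions for ServiceAccounts and certificate users.

Added example: a deny-by-default evaluator over Role/ClusterRole rules and
RoleBinding/ClusterRoleBinding subjects, using the page's objects as data.
"""

ROLES = {  # (namespace, name) -> rules, from list-pods.yaml
    ("default", "list-pods"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["list"]},
    ],
}

CLUSTER_ROLES = {  # name -> rules; only the rules of `edit` shown in the transcript
    "edit": [
        {"apiGroups": [""], "verbs": ["get", "list", "watch"],
         "resources": ["pods/attach", "pods/exec", "pods/portforward", "pods/proxy",
                       "secrets", "services/proxy"]},
        {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["impersonate"]},
        {"apiGroups": [""], "verbs": ["create", "delete", "deletecollection", "patch", "update"],
         "resources": ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]},
    ],
}

BINDINGS = [
    {   # list-pods-mysa-binding.yaml: Role -> ServiceAccount mysa, namespace default
        "kind": "RoleBinding", "namespace": "default",
        "roleRef": {"kind": "Role", "name": "list-pods"},
        "subjects": [{"kind": "ServiceAccount", "name": "mysa", "namespace": "default"}],
    },
    {   # constructed for this example: a RoleBinding may reference a ClusterRole,
        # which then grants its rules in the binding's namespace only; a
        # ClusterRoleBinding to the same ClusterRole would grant them everywhere.
        "kind": "RoleBinding", "namespace": "staff",
        "roleRef": {"kind": "ClusterRole", "name": "edit"},
        "subjects": [{"kind": "User", "name": "anna"}],
    },
]


def identities(name, namespace=None, groups=()):
    """The (kind, name, namespace) entries a binding may use to name a caller.

    A ServiceAccount is named directly and through the groups the API server
    adds for it; a certificate user is named by its CN (User) and O (Group).
    Every authenticated caller is also in system:authenticated.
    """
    ids = {("Group", "system:authenticated", "")}
    if namespace is not None:
        ids |= {("ServiceAccount", name, namespace),
                ("Group", "system:serviceaccounts", ""),
                ("Group", f"system:serviceaccounts:{namespace}", "")}
    else:
        ids |= {("User", name, "")} | {("Group", g, "") for g in groups}
    return ids


def rule_allows(rule, verb, resource, api_group):
    """A rule matches when verb, resource and API group are all listed (or '*')."""
    def listed(options, value):
        return "*" in options or value in options
    return (listed(rule["verbs"], verb) and listed(rule["resources"], resource)
            and listed(rule["apiGroups"], api_group))


def allowed(caller, verb, resource, namespace="", api_group=""):
    """True only if some binding naming the caller references a matching rule.

    namespace="" means a cluster-scoped request (nodes, namespaces, ...).
    """
    for binding in BINDINGS:
        named = {(s["kind"], s["name"], s.get("namespace", "")) for s in binding["subjects"]}
        if not named & caller:
            continue
        ref = binding["roleRef"]
        if binding["kind"] == "RoleBinding":
            if namespace != binding["namespace"]:
                continue  # never reaches other namespaces or cluster-scoped resources
            rules = (CLUSTER_ROLES.get(ref["name"], []) if ref["kind"] == "ClusterRole"
                     else ROLES.get((binding["namespace"], ref["name"]), []))
        else:  # ClusterRoleBinding: applies in every namespace and cluster-wide
            rules = CLUSTER_ROLES.get(ref["name"], [])
        if any(rule_allows(r, verb, resource, api_group) for r in rules):
            return True
    return False


if __name__ == "__main__":
    mysa = identities("mysa", namespace="default")
    default_sa = identities("default", namespace="default")
    anna = identities("anna", groups=("k8s",))  # CN=anna, O=k8s in the client certificate
    print("mysa list pods in default:   ", allowed(mysa, "list", "pods", "default"))
    print("mysa list pods in staff:     ", allowed(mysa, "list", "pods", "staff"))
    print("default SA list pods:        ", allowed(default_sa, "list", "pods", "default"))
    print("anna create pods in staff:   ", allowed(anna, "create", "pods", "staff"))
    print("anna create pods in default: ", allowed(anna, "create", "pods", "default"))
```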
User Accounts
- Kubernetes has no User objects
- A user account consists of an authorized certificate combined with authorization defined in RBAC
- To create a user account, the following steps need to be performed:
  - Create a public/private key pair
  - Create a Certificate Signing Request
  - Sign the Certificate
  - Create a configuration file that uses these keys to access the K8s cluster
  - Create an RBAC Role
  - Create an RBAC RoleBinding
Creating User Accounts
Step 1: Create a user working environment
kubectl create ns students
kubectl create ns staff
kubectl config get-contexts
[root@k8s cka]# kubectl create ns students
namespace/students created
[root@k8s cka]# kubectl create ns staff
namespace/staff created
[root@k8s cka]# kubectl config get-contexts
CURRENT   NAME       CLUSTER    AUTHINFO   NAMESPACE
*         minikube   minikube   minikube   default
[root@k8s cka]# cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /root/.minikube/ca.crt
    extensions:
    - extension:
        last-update: Thu, 01 Feb 2024 15:18:33 EST
        provider: minikube.sigs.k8s.io
        version: v1.32.0
      name: cluster_info
    server: https://172.30.9.24:8443
  name: minikube
contexts:
- context:
    cluster: minikube
    extensions:
    - extension:
        last-update: Thu, 01 Feb 2024 15:18:33 EST
        provider: minikube.sigs.k8s.io
        version: v1.32.0
      name: context_info
    namespace: default
    user: minikube
  name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
  user:
    client-certificate: /root/.minikube/profiles/minikube/client.crt
    client-key: /root/.minikube/profiles/minikube/client.key
Step 2: Create the User account
sudo useradd -m -G sudo -s /bin/bash anna
sudo passwd anna
su - anna
openssl genrsa -out anna.key 2048
# generate the private key
openssl req -new -key anna.key -out anna.csr -subj "/CN=anna/O=k8s"
# create the certificate signing request
sudo openssl x509 -req -in anna.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out anna.crt -days 1800
# the Kubernetes CA needs to sign the signing request
[root@k8s cka]# useradd -m -G wheel -s /bin/bash anna
[root@k8s cka]# passwd anna
[root@k8s cka]# su - anna
[anna@k8s ~]$ openssl genrsa -out anna.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
......................+++++
...........+++++
e is 65537 (0x010001)
[anna@k8s ~]$ openssl req -new -key anna.key -out anna.csr -subj "/CN=anna/O=k8s"
[anna@k8s ~]$ sudo openssl x509 -req -in anna.csr -CA /root/.minikube/ca.crt -CAkey /root/.minikube/ca.key -CAcreateserial -out anna.crt -days 1800
Signature ok
subject=CN = anna, O = k8s
Getting CA Private Key
[anna@k8s ~]$ ll
razem 12
-rw-r--r-- 1 root root 1005 02-13 02:48 anna.crt
-rw-rw-r-- 1 anna anna  903 02-13 02:41 anna.csr
-rw------- 1 anna anna 1675 02-13 02:37 anna.key
Step 3: Update the Kubernetes Credentials Files for the new user
mkdir /home/anna/.kube
sudo cp -i /etc/kubernetes/admin.conf /home/anna/.kube/config
sudo chown -R anna:anna /home/anna/.kube
kubectl config set-credentials anna --client-certificate=/home/anna/anna.crt --client-key=/home/anna/anna.key
[anna@k8s ~]$ mkdir /home/anna/.kube
[anna@k8s ~]$ sudo cp -i /root/.kube/config /home/anna/.kube/config
[anna@k8s ~]$ cat /home/anna/.kube/config
cat: /home/anna/.kube/config: Brak dostępu
[anna@k8s ~]$ sudo chown -R anna:anna /home/anna/.kube
[anna@k8s ~]$ cat /home/anna/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /root/.minikube/ca.crt
    extensions:
    - extension:
        last-update: Thu, 01 Feb 2024 15:18:33 EST
        provider: minikube.sigs.k8s.io
        version: v1.32.0
      name: cluster_info
    server: https://172.30.9.24:8443
  name: minikube
contexts:
- context:
    cluster: minikube
    extensions:
    - extension:
        last-update: Thu, 01 Feb 2024 15:18:33 EST
        provider: minikube.sigs.k8s.io
        version: v1.32.0
      name: context_info
    namespace: default
    user: minikube
  name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
  user:
    client-certificate: /root/.minikube/profiles/minikube/client.crt
    client-key: /root/.minikube/profiles/minikube/client.key
[anna@k8s ~]$ kubectl config set-credentials anna --client-certificate=/home/anna/anna.crt --client-key=/home/anna/anna.key
User "anna" set.
Step 4: Create a Default Context for the new user
kubectl config set-context anna-context --cluster=kubernetes \
  --namespace=staff --user=anna
kubectl config use-context anna-context
# will set the context permanently
kubectl get pods
# will fail as no RBAC has been configured yet
kubectl config get-contexts
[anna@k8s ~]$ kubectl config set-context anna-context --cluster=kubernetes \
> --namespace=staff --user=anna
Context "anna-context" created.
[anna@k8s ~]$ kubectl config use-context anna-context
Switched to context "anna-context".
[anna@k8s ~]$ kubectl get pods
E0213 09:10:46.316963 3073343 memcache.go:265] couldn't get current server API group list: Get "http://localhost:8080/api?timeout=32s": dial tcp [::1]:8080: connect: connection refused
E0213 09:10:46.317618 3073343 memcache.go:265] couldn't get current server API group list: Get "http://localhost:8080/api?timeout=32s": dial tcp [::1]:8080: connect: connection refused
E0213 09:10:46.320139 3073343 memcache.go:265] couldn't get current server API group list: Get "http://localhost:8080/api?timeout=32s": dial tcp [::1]:8080: connect: connection refused
E0213 09:10:46.320876 3073343 memcache.go:265] couldn't get current server API group list: Get "http://localhost:8080/api?timeout=32s": dial tcp [::1]:8080: connect: connection refused
E0213 09:10:46.322639 3073343 memcache.go:265] couldn't get current server API group list: Get "http://localhost:8080/api?timeout=32s": dial tcp [::1]:8080: connect: connection refused
The connection to the server localhost:8080 was refused - did you specify the right host or port?
[anna@k8s ~]$ kubectl config get-contexts
CURRENT   NAME           CLUSTER      AUTHINFO   NAMESPACE
*         anna-context   kubernetes   anna       staff
          minikube       minikube     minikube   default
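The transcript above shows kubectl trying http://localhost:8080 instead of the minikube API server. That is the address kubectl falls back to when the context it was told to use names a cluster that does not exist in the kubeconfig, and it is a different symptom from an RBAC denial, which the API server reports as "Forbidden". The following added example (not code from the original notes) models the resolution checks kubectl performs when a context is selected. The kubeconfig is a constructed Python dict that mirrors the structure and paths shown in Steps 3 and 4; the only cluster entry is named minikube, while anna-context references a cluster called kubernetes.

```python
"""Sanity-check a kubeconfig context before switching to it.

Added example, not part of the original notes. The config below is a
constructed dict mirroring the `kubectl config view` output on the page.
"""
import os

SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "current-context": "anna-context",
    "clusters": [
        {"name": "minikube",
         "cluster": {"server": "https://172.30.9.24:8443",
                     "certificate-authority": "/root/.minikube/ca.crt"}},
    ],
    "contexts": [
        {"name": "anna-context",
         "context": {"cluster": "kubernetes", "user": "anna", "namespace": "staff"}},
        {"name": "minikube",
         "context": {"cluster": "minikube", "user": "minikube", "namespace": "default"}},
    ],
    "users": [
        {"name": "anna",
         "user": {"client-certificate": "/home/anna/anna.crt",
                  "client-key": "/home/anna/anna.key"}},
        {"name": "minikube",
         "user": {"client-certificate": "/root/.minikube/profiles/minikube/client.crt",
                  "client-key": "/root/.minikube/profiles/minikube/client.key"}},
    ],
}


def _named(items, name):
    """Return the kubeconfig list entry whose `name` matches, or None."""
    for item in items:
        if item.get("name") == name:
            return item
    return None


def available_clusters(config):
    """Names of the cluster entries a context may legitimately reference."""
    return [c["name"] for c in config.get("clusters", [])]


def check_context(config, context_name, check_files=False):
    """Return a list of problems for `context_name`; an empty list means usable.

    Mirrors what kubectl needs to build a client: the context must exist and
    point at a defined cluster (with a server URL) and a defined user. With
    check_files=True the CA, client certificate and key must also be readable
    by the current OS user, which matters when files were created under /root.
    """
    problems = []
    ctx = _named(config.get("contexts", []), context_name)
    if ctx is None:
        return [f"context {context_name!r} not found"]
    cluster_name = ctx["context"].get("cluster")
    user_name = ctx["context"].get("user")

    cluster = _named(config.get("clusters", []), cluster_name)
    if cluster is None:
        # kubectl has no server to talk to and falls back to localhost:8080,
        # which produces the "connection refused" output seen in Step 4.
        problems.append(f"cluster {cluster_name!r} referenced by context is not defined; "
                        "kubectl will fall back to localhost:8080")
    elif not cluster["cluster"].get("server"):
        problems.append(f"cluster {cluster_name!r} has no server URL")

    user = _named(config.get("users", []), user_name)
    if user is None:
        problems.append(f"user {user_name!r} referenced by context is not defined")

    if check_files:
        paths = []
        if cluster is not None:
            paths.append(cluster["cluster"].get("certificate-authority"))
        if user is not None:
            paths += [user["user"].get("client-certificate"), user["user"].get("client-key")]
        for path in filter(None, paths):
            if not os.access(path, os.R_OK):
                problems.append(f"{path} is not readable by the current user")
    return problems


if __name__ == "__main__":
    print("clusters defined:", available_clusters(SAMPLE_KUBECONFIG))
    for name in ("anna-context", "minikube"):
        issues = check_context(SAMPLE_KUBECONFIG, name)
        print(name, "OK" if not issues else issues)
```

Run against the constructed config, anna-context is reported as pointing at an undefined cluster while the minikube context passes. In the environment on the page the cluster entry is named minikube, so the context needs to reference that name for kubectl to reach https://172.30.9.24:8443; once it does, a missing RoleBinding shows up as a Forbidden error from the server rather than a connection refused on localhost.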
Step 5: Configure RBAC to define a staff role
su - student
vim staff-role.yaml
kubectl apply -f staff-role.yaml
Step 6: Bind a user to the new role
vim rolebind.yaml
kubectl apply -f rolebind.yaml
Step 7: Test it
su - anna; kubectl config view
kubectl create deployment nginx --image=nginx
kubectl get pods
[anna@k8s ~]$ su -
Hasło:
[root@k8s ~]# cd cka
[root@k8s cka]# cat staff-role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: staff
  name: staff
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]
[root@k8s cka]# kubectl apply -f staff-role.yaml
role.rbac.authorization.k8s.io/staff created
[root@k8s cka]# cat rolebind.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: staff-role-binding
  namespace: staff
subjects:
- kind: User
  name: anna
  apiGroup: ""
roleRef:
  kind: Role
  name: staff
  apiGroup: ""
[root@k8s cka]# kubectl apply -f rolebind.yaml
rolebinding.rbac.authorization.k8s.io/staff-role-binding created
[root@k8s cka]# su - anna
[anna@k8s ~]$ kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /root/.minikube/ca.crt
    extensions:
    - extension:
        last-update: Thu, 01 Feb 2024 15:18:33 EST
        provider: minikube.sigs.k8s.io
        version: v1.32.0
      name: cluster_info
    server: https://172.30.9.24:8443
  name: minikube
contexts:
- context:
    cluster: kubernetes
    namespace: staff
    user: anna
  name: anna-context
- context:
    cluster: minikube
    extensions:
    - extension:
        last-update: Thu, 01 Feb 2024 15:18:33 EST
        provider: minikube.sigs.k8s.io
        version: v1.32.0
      name: context_info
    namespace: default
    user: minikube
  name: minikube
current-context: anna-context
kind: Config
preferences: {}
users:
- name: anna
  user:
    client-certificate: /home/anna/anna.crt
    client-key: /home/anna/anna.key
- name: minikube
  user:
    client-certificate: /root/.minikube/profiles/minikube/client.crt
    client-key: /root/.minikube/profiles/minikube/client.key
[anna@k8s ~]$ kubectl create deployment anna-nginx --image=nginx
error: failed to create deployment: Post "http://localhost:8080/apis/apps/v1/namespaces/staff/deployments?fieldManager=kubectl-create&fieldValidation=Strict": dial tcp [::1]:8080: connect: connection refused
[anna@k8s ~]$ kubectl get pods
E0213 09:19:59.430111 3075089 memcache.go:265] couldn't get current server API group list: Get "http://localhost:8080/api?timeout=32s": dial tcp [::1]:8080: connect: connection refused
E0213 09:19:59.430951 3075089 memcache.go:265] couldn't get current server API group list: Get "http://localhost:8080/api?timeout=32s": dial tcp [::1]:8080: connect: connection refused
E0213 09:19:59.432926 3075089 memcache.go:265] couldn't get current server API group list: Get "http://localhost:8080/api?timeout=32s": dial tcp [::1]:8080: connect: connection refused
E0213 09:19:59.433568 3075089 memcache.go:265] couldn't get current server API group list: Get "http://localhost:8080/api?timeout=32s": dial tcp [::1]:8080: connect: connection refused
E0213 09:19:59.435507 3075089 memcache.go:265] couldn't get current server API group list: Get "http://localhost:8080/api?timeout=32s": dial tcp [::1]:8080: connect: connection refused
The connection to the server localhost:8080 was refused - did you specify the right host or port?
[anna@k8s ~]$ mc
[anna@k8s .kube]$ ll
razem 4
-rw------- 1 anna anna 1002 02-13 09:10 config
[anna@k8s .kube]$ cd ..
[anna@k8s ~]$ ll
razem 12
-rw-r--r-- 1 root root 1005 02-13 08:49 anna.crt
-rw-rw-r-- 1 anna anna  903 02-13 02:41 anna.csr
-rw------- 1 anna anna 1675 02-13 02:37 anna.key
[anna@k8s ~]$ pwd
/home/anna
Step 8: Create a View-only Role
su - student
vim students-role.yaml
vim rolebindstudents.yaml
kubectl apply -f students-role.yaml
kubectl apply -f rolebindstudents.yaml
[anna@k8s ~]$ sudo -i
[root@k8s ~]# mc
[root@k8s ~]#
[root@k8s ~]# cd cka
[root@k8s cka]# cat students-role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: students
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["list", "get", "watch"]
[root@k8s cka]# cat rolebindstudent.yaml
cat: rolebindstudent.yaml: Nie ma takiego pliku ani katalogu
[root@k8s cka]# cat rolebindstudents.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: students-role-binding
  namespace: default
subjects:
- kind: User
  name: anna
  apiGroup: ""
roleRef:
  kind: Role
  name: students
  apiGroup: ""
[root@k8s cka]# kubectl apply -f students-role.yaml
role.rbac.authorization.k8s.io/students created
[root@k8s cka]# kubectl apply -f rolebindstudents.yaml
rolebinding.rbac.authorization.k8s.io/students-role-binding created
[root@k8s cka]#
[root@k8s cka]# su - anna
[anna@k8s ~]$ kubectl get pods - default
Lab: Managing Security
- Create a Role that allows for viewing of pods in the default namespace
- Configure a RoleBinding that allows all authenticated users to use this role
[root@k8s cka]# kubectl create role -h
Create a role with single rule.

Examples:
  # Create a role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
  kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods

  # Create a role named "pod-reader" with ResourceName specified
  kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod

  # Create a role named "foo" with API Group specified
  kubectl create role foo --verb=get,list,watch --resource=rs.apps

  # Create a role named "foo" with SubResource specified
  kubectl create role foo --verb=get,list,watch --resource=pods,pods/status

Options:
    --allow-missing-template-keys=true:
        If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.

    --dry-run='none':
        Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.

    --field-manager='kubectl-create':
        Name of the manager used to track field ownership.

    -o, --output='':
        Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).

    --resource=[]:
        Resource that the rule applies to

    --resource-name=[]:
        Resource in the white list that the rule applies to, repeat this flag for multiple items

    --save-config=false:
        If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.

    --show-managed-fields=false:
        If true, keep the managedFields when printing objects in JSON or YAML format.

    --template='':
        Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

    --validate='strict':
        Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields.

    --verb=[]:
        Verb that applies to the resources contained in the rule

Usage:
  kubectl create role NAME --verb=verb --resource=resource.group/subresource [--resource-name=resourcename] [--dry-run=server|client|none] [options]

Use "kubectl options" for a list of global command-line options (applies to all commands).
[root@k8s cka]#
[root@k8s cka]# kubectl create role defaultpodviewer --verb=get --verb=list --verb=watch --resource=pods -n default
role.rbac.authorization.k8s.io/defaultpodviewer created
[root@k8s cka]# kubectl clusterrolebindings
error: unknown command "clusterrolebindings" for "kubectl"
[root@k8s cka]# kubectl get clusterrolebindings
NAME                                                   ROLE                                                                               AGE
cluster-admin                                          ClusterRole/cluster-admin                                                          13d
ingress-nginx                                          ClusterRole/ingress-nginx                                                          11d
kubeadm:get-nodes                                      ClusterRole/kubeadm:get-nodes                                                      13d
kubeadm:kubelet-bootstrap                              ClusterRole/system:node-bootstrapper                                               13d
kubeadm:node-autoapprove-bootstrap                     ClusterRole/system:certificates.k8s.io:certificatesigningrequests:nodeclient       13d
kubeadm:node-autoapprove-certificate-rotation          ClusterRole/system:certificates.k8s.io:certificatesigningrequests:selfnodeclient   13d
kubeadm:node-proxier                                   ClusterRole/system:node-proxier                                                    13d
kubernetes-dashboard                                   ClusterRole/cluster-admin                                                          11d
metrics-server:system:auth-delegator                   ClusterRole/system:auth-delegator                                                  9d
minikube-rbac                                          ClusterRole/cluster-admin                                                          13d
storage-provisioner                                    ClusterRole/system:persistent-volume-provisioner                                   13d
system:basic-user                                      ClusterRole/system:basic-user                                                      13d
system:controller:attachdetach-controller              ClusterRole/system:controller:attachdetach-controller                              13d
system:controller:certificate-controller               ClusterRole/system:controller:certificate-controller                               13d
system:controller:clusterrole-aggregation-controller   ClusterRole/system:controller:clusterrole-aggregation-controller                   13d
system:controller:cronjob-controller                   ClusterRole/system:controller:cronjob-controller                                   13d
system:controller:daemon-set-controller                ClusterRole/system:controller:daemon-set-controller                                13d
system:controller:deployment-controller                ClusterRole/system:controller:deployment-controller                                13d
system:controller:disruption-controller                ClusterRole/system:controller:disruption-controller                                13d
system:controller:endpoint-controller                  ClusterRole/system:controller:endpoint-controller                                  13d
system:controller:endpointslice-controller             ClusterRole/system:controller:endpointslice-controller                             13d
system:controller:endpointslicemirroring-controller    ClusterRole/system:controller:endpointslicemirroring-controller                    13d
system:controller:ephemeral-volume-controller          ClusterRole/system:controller:ephemeral-volume-controller                          13d
system:controller:expand-controller                    ClusterRole/system:controller:expand-controller                                    13d
system:controller:generic-garbage-collector            ClusterRole/system:controller:generic-garbage-collector                            13d
system:controller:horizontal-pod-autoscaler            ClusterRole/system:controller:horizontal-pod-autoscaler                            13d
system:controller:job-controller                       ClusterRole/system:controller:job-controller                                       13d
system:controller:namespace-controller                 ClusterRole/system:controller:namespace-controller                                 13d
system:controller:node-controller                      ClusterRole/system:controller:node-controller                                      13d
system:controller:persistent-volume-binder             ClusterRole/system:controller:persistent-volume-binder                             13d
system:controller:pod-garbage-collector                ClusterRole/system:controller:pod-garbage-collector                                13d
system:controller:pv-protection-controller             ClusterRole/system:controller:pv-protection-controller                             13d
system:controller:pvc-protection-controller            ClusterRole/system:controller:pvc-protection-controller                            13d
system:controller:replicaset-controller                ClusterRole/system:controller:replicaset-controller                                13d
system:controller:replication-controller               ClusterRole/system:controller:replication-controller                               13d
system:controller:resourcequota-controller             ClusterRole/system:controller:resourcequota-controller                             13d
system:controller:root-ca-cert-publisher               ClusterRole/system:controller:root-ca-cert-publisher                               13d
system:controller:route-controller                     ClusterRole/system:controller:route-controller                                     13d
system:controller:service-account-controller           ClusterRole/system:controller:service-account-controller                           13d
system:controller:service-controller                   ClusterRole/system:controller:service-controller                                   13d
system:controller:statefulset-controller               ClusterRole/system:controller:statefulset-controller                               13d
system:controller:ttl-after-finished-controller        ClusterRole/system:controller:ttl-after-finished-controller                        13d
system:controller:ttl-controller                       ClusterRole/system:controller:ttl-controller                                       13d
system:coredns                                         ClusterRole/system:coredns                                                         13d
system:discovery                                       ClusterRole/system:discovery                                                       13d
system:kube-controller-manager                         ClusterRole/system:kube-controller-manager                                         13d
system:kube-dns                                        ClusterRole/system:kube-dns                                                        13d
system:kube-scheduler                                  ClusterRole/system:kube-scheduler                                                  13d
system:metrics-server                                  ClusterRole/system:metrics-server                                                  9d
system:monitoring                                      ClusterRole/system:monitoring                                                      13d
system:node                                            ClusterRole/system:node                                                            13d
system:node-proxier                                    ClusterRole/system:node-proxier                                                    13d
system:public-info-viewer                              ClusterRole/system:public-info-viewer                                              13d
system:service-account-issuer-discovery                ClusterRole/system:service-account-issuer-discovery                                13d
system:volume-scheduler                                ClusterRole/system:volume-scheduler                                                13d
[root@k8s cka]#
[root@k8s cka]# kubectl get pods --as system:basic-user
Error from server (Forbidden): pods is forbidden: User "system:basic-user" cannot list resource "pods" in API group "" in the namespace "default"
[root@k8s cka]# kubectl create rolebinding defaultpodviewer --role=defaultpodviewer --user=system:basic-user -n default
rolebinding.rbac.authorization.k8s.io/defaultpodviewer created
[root@k8s cka]#
[root@k8s cka]# kubectl get pods --as system:basic-user
NAME                           READY   STATUS    RESTARTS           AGE
busybox-6fc6c44c5b-xmmxd       1/1     Running   146 (32m ago)      6d9h
deploydaemon-zzllp             1/1     Running   0                  11d
firstnginx-d8679d567-249g9     1/1     Running   0                  13d
firstnginx-d8679d567-66c4s     1/1     Running   0                  13d
firstnginx-d8679d567-72qbd     1/1     Running   0                  13d
firstnginx-d8679d567-rhhlz     1/1     Running   0                  12d
lab4-pod                       1/1     Running   0                  11d
morevol                        2/2     Running   554 (7m19s ago)    11d
mydaemon-z7g9c                 1/1     Running   0                  6d7h
mypod                          1/1     Running   21 (32m ago)       27h
mysapod                        1/1     Running   21 (7m6s ago)      27h
mystaticpod-k8s.netico.pl      1/1     Running   0                  9d
nginx-taint-68bd5db674-7skqs   1/1     Running   0                  7d10h
nginx-taint-68bd5db674-vjq89   1/1     Running   0                  7d10h
nginx-taint-68bd5db674-vqz2z   1/1     Running   0                  7d10h
nginxsvc-5f8b7d4f4d-dtrs7      1/1     Running   0                  11d
pv-pod                         1/1     Running   0                  11d
security-context-demo          1/1     Running   117 (9m13s ago)    5d3h
sleepybox1                     1/1     Running   143 (8m36s ago)    6d5h
sleepybox2                     1/1     Running   143 (8m34s ago)    6d5h
webserver-76d44586d-8gqhf      1/1     Running   0                  11d
webshop-7f9fd49d4c-92nj2       1/1     Running   0                  11d
webshop-7f9fd49d4c-kqllw       1/1     Running   0                  11d
webshop-7f9fd49d4c-x2czc       1/1     Running   0                  11d
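Steps 5 through 8 and the lab all come down to the same question the authorizer answers on every request: does some binding in this namespace name this caller, and does the role it references carry a rule matching the verb, API group and resource? The added example below (not code from the original notes and not the Kubernetes authorizer itself) re-implements that decision for namespaced Roles and RoleBindings so the manifests from the page can be reasoned about offline, the way `kubectl auth can-i` would answer. The Role and RoleBinding manifests are constructed dicts that mirror the page's YAML (same names, namespaces, verbs and resources). Identity is derived the way the x509 client-certificate authenticator does it: the certificate CN becomes the user name and each O becomes a group, and every authenticated caller is also in the group system:authenticated. For the lab's "all authenticated users" requirement the binding here uses a Group subject named system:authenticated; a User subject, as in the transcript's `--user=system:basic-user`, only matches a caller whose user name is literally that string, which is why the `--as system:basic-user` impersonation test succeeded. The user bob is a hypothetical second certificate holder, constructed for the example.

```python
"""Minimal model of Kubernetes RBAC evaluation for namespaced Roles/RoleBindings.

Added example, not part of the original notes and not Kubernetes' own code.
Manifests are constructed dicts mirroring the YAML shown on the page.
"""
from dataclasses import dataclass, field

SYSTEM_AUTHENTICATED = "system:authenticated"


@dataclass
class Identity:
    user: str
    groups: set = field(default_factory=set)

    @classmethod
    def from_cert_subject(cls, cn, orgs):
        """CN -> user name, each O -> group, plus the implicit authenticated group."""
        return cls(cn, set(orgs) | {SYSTEM_AUTHENTICATED})


def rule_allows(rule, verb, api_group, resource):
    """A PolicyRule matches when verb, apiGroup and resource all match ('*' is a wildcard)."""
    def match(allowed, value):
        return "*" in allowed or value in allowed
    return (match(rule["verbs"], verb)
            and match(rule["apiGroups"], api_group)
            and match(rule["resources"], resource))


def binding_applies(binding, identity):
    """A binding applies if any subject names the user or one of its groups exactly."""
    for subj in binding["subjects"]:
        if subj["kind"] == "User" and subj["name"] == identity.user:
            return True
        if subj["kind"] == "Group" and subj["name"] in identity.groups:
            return True
    return False


def can_i(identity, verb, resource, namespace, roles, bindings, api_group=""):
    """True if a RoleBinding in `namespace` grants `verb` on `resource` to `identity`.

    Only namespaced Roles and RoleBindings are modelled (what the page uses):
    a binding in namespace "staff" never says anything about "default".
    """
    role_index = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        if b["metadata"]["namespace"] != namespace or not binding_applies(b, identity):
            continue
        role = role_index.get((namespace, b["roleRef"]["name"]))
        if role is None:
            continue  # dangling roleRef: the binding exists but grants nothing
        if any(rule_allows(rule, verb, api_group, resource) for rule in role["rules"]):
            return True
    return False


def role(ns, name, verbs, resources=("deployments", "replicasets", "pods"),
         api_groups=("", "extensions", "apps")):
    return {"metadata": {"namespace": ns, "name": name},
            "rules": [{"apiGroups": list(api_groups), "resources": list(resources),
                       "verbs": list(verbs)}]}


def binding(ns, name, role_name, subjects):
    return {"metadata": {"namespace": ns, "name": name},
            "roleRef": {"kind": "Role", "name": role_name},
            "subjects": [{"kind": k, "name": n} for k, n in subjects]}


# Constructed manifests mirroring the page: staff (Step 5/6), students (Step 8),
# defaultpodviewer (lab, here bound to the system:authenticated group).
ROLES = [
    role("staff", "staff", ["list", "get", "watch", "create", "update", "patch", "delete"]),
    role("default", "students", ["list", "get", "watch"]),
    role("default", "defaultpodviewer", ["get", "list", "watch"],
         resources=("pods",), api_groups=("",)),
]
BINDINGS = [
    binding("staff", "staff-role-binding", "staff", [("User", "anna")]),
    binding("default", "students-role-binding", "students", [("User", "anna")]),
    binding("default", "defaultpodviewer", "defaultpodviewer", [("Group", SYSTEM_AUTHENTICATED)]),
]

ANNA = Identity.from_cert_subject("anna", ["k8s"])   # from -subj "/CN=anna/O=k8s" on the page
BOB = Identity.from_cert_subject("bob", [])          # hypothetical second user, constructed

if __name__ == "__main__":
    for who, verb, res, ns, grp in [(ANNA, "create", "deployments", "staff", "apps"),
                                    (ANNA, "create", "deployments", "default", "apps"),
                                    (ANNA, "delete", "pods", "default", ""),
                                    (BOB, "list", "pods", "default", ""),
                                    (BOB, "list", "pods", "staff", "")]:
        print(f"{who.user} {verb} {res} in {ns}: {can_i(who, verb, res, ns, ROLES, BINDINGS, grp)}")
```

Read alongside Step 7: once anna's context actually reaches the API server, she can create deployments in staff but only list, get and watch in default, and anyone the server has authenticated can list pods in default but nothing in staff. Running the same questions with `kubectl auth can-i --as anna` (or `--as bob --as-group system:authenticated`) against the real cluster is the way to confirm the model matches the server.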