{"id":5428,"date":"2023-12-09T16:27:21","date_gmt":"2023-12-09T15:27:21","guid":{"rendered":"http:\/\/miro.borodziuk.eu\/?p=5428"},"modified":"2025-05-05T19:03:32","modified_gmt":"2025-05-05T17:03:32","slug":"security-on-kubernetes","status":"publish","type":"post","link":"http:\/\/miro.borodziuk.eu\/index.php\/2023\/12\/09\/security-on-kubernetes\/","title":{"rendered":"Security on Kubernetes"},"content":{"rendered":"<p><!--more--><\/p>\n<p><span style=\"color: #3366ff;\">SecurityContext<\/span><\/p>\n<p>A SecurityContext defines privilege and access control settings for Pods or<br \/>\ncontainers and can include the following:<\/p>\n<ul>\n<li>UID- and GID-based Discretionary Access Control<\/li>\n<li>SELinux security labels<\/li>\n<li>Linux Capabilities<\/li>\n<li>AppArmor<\/li>\n<li>Seccomp<\/li>\n<li>The AllowPrivilegeEscalation setting<\/li>\n<li>The runAsNonRoot setting<\/li>\n<\/ul>\n<p><span style=\"color: #3366ff;\">Setting SecurityContext<\/span><\/p>\n<ul>\n<li><code>kubectl apply -f security-context.yaml<\/code><\/li>\n<li><code>kubectl get pod security-context-demo<\/code><\/li>\n<li><code>kubectl exec -it security-context-demo -- sh<\/code>\n<ul>\n<li><code>ps <\/code># will show processes running UID 1000<\/li>\n<li><code>cd \/data; ls -l <\/code># will show fsGroup as owning GID<\/li>\n<li><code>id<\/code><\/li>\n<li><code>exit<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre class=\"lang:default decode:true \">root@k8s cka]# kubectl explain pod.spec.securityContext\r\nroot@k8s cka]# kubectl explain pod.spec.containers.securityContext\r\nroot@k8s cka]# cat security-context.yaml\r\napiVersion: v1\r\nkind: Pod\r\nmetadata:\r\n  name: security-context-demo\r\nspec:\r\n  securityContext:\r\n    runAsUser: 1000\r\n    runAsGroup: 1000\r\n    fsGroup: 2000\r\n  volumes:\r\n  - name: securevol\r\n    emptyDir: {}\r\n  containers:\r\n  - name: sec-demo\r\n    image: busybox\r\n    command: [\"sh\", \"-c\", \"sleep 3600\"]\r\n    volumeMounts:\r\n    - name: 
securevol\r\n      mountPath: \/data\/demo\r\n    securityContext:\r\n      allowPrivilegeEscalation: false\r\n\r\nroot@k8s cka]# kubectl apply -f security-context.yaml\r\npod\/security-context-demo created\r\n\r\nroot@k8s cka]# kubectl get pods  security-context-demo\r\nNAME                    READY   STATUS    RESTARTS   AGE\r\nsecurity-context-demo   1\/1     Running   0          6m6s\r\n\r\nroot@k8s cka]# kubectl exec -it security-context-demo -- sh\r\n~ $\r\n~ $ ps\r\nPID   USER     TIME  COMMAND\r\n    1 1000      0:00 sh -c sleep 3600\r\n    7 1000      0:00 sh\r\n   13 1000      0:00 ps\r\n~ $ cd \/data\r\n\/data $ ls\r\ndemo\r\n\/data $ ls -l\r\ntotal 0\r\ndrwxrwsrwx    2 root     2000             6 Feb  8 17:24 demo\r\n\/data $ id\r\nuid=1000 gid=1000 groups=1000,2000\r\n\/data $ cd demo\r\n\/data\/demo $ touch file\r\n\/data\/demo $ ls -l\r\ntotal 0\r\n-rw-r--r--    1 1000     2000             0 Feb  8 17:31 file\r\n\/data\/demo $ exit\r\n<\/pre>\n<p>The <code>s<\/code> in <code>drwxrwsrwx<\/code> is the setgid bit that fsGroup sets on the volume; that is why the file created by UID 1000 ends up owned by group 2000 rather than 1000, and why <code>id<\/code> lists 2000 as a supplementary group.<\/p>\n<p><span style=\"color: #3366ff;\">Kubernetes Users<\/span><\/p>\n<ul>\n<li>Kubernetes has no User API object: people are authenticated by mechanisms outside the API server, which only receives the resulting identity (user name and groups) and passes it to authorization<\/li>\n<li>Users are obtained externally\n<ul>\n<li>Defined by X.509 client certificates signed by the cluster CA (the certificate CN is the user name, the O fields are its groups)<\/li>\n<li>Obtained from an external OpenID Connect (OIDC) provider (Google, AD and many more)<\/li>\n<\/ul>\n<\/li>\n<li>ServiceAccounts are the identity Pods use to call the API; a ServiceAccount has no permissions of its own until a RoleBinding or ClusterRoleBinding grants some<\/li>\n<\/ul>\n<pre class=\"lang:default decode:true\">[root@k8s cka]# kubectl get sa\r\nNAME      SECRETS   AGE\r\ndefault   0         8d\r\n[root@k8s cka]# kubectl get sa default -o yaml\r\napiVersion: v1\r\nkind: ServiceAccount\r\nmetadata:\r\n  creationTimestamp: \"2024-01-31T15:03:38Z\"\r\n  name: default\r\n  namespace: default\r\n  resourceVersion: \"303\"\r\n  uid: bd177ac9-8df9-4cdb-99e2-ac8acd4727f6\r\n[root@k8s cka]#\r\n[root@k8s cka]# kubectl get sa -A\r\nNAMESPACE              NAME                                 SECRETS   AGE\r\ndefault   
             default                              0         8d\r\ningress-nginx          default                              0         6d18h\r\ningress-nginx          ingress-nginx                        0         6d18h\r\nkube-node-lease        default                              0         8d\r\nkube-public            default                              0         8d\r\nkube-system            attachdetach-controller              0         8d\r\nkube-system            bootstrap-signer                     0         8d\r\nkube-system            certificate-controller               0         8d\r\nkube-system            clusterrole-aggregation-controller   0         8d\r\nkube-system            coredns                              0         8d\r\nkube-system            cronjob-controller                   0         8d\r\nkube-system            daemon-set-controller                0         8d\r\nkube-system            default                              0         8d\r\nkube-system            deployment-controller                0         8d\r\nkube-system            disruption-controller                0         8d\r\nkube-system            endpoint-controller                  0         8d\r\nkube-system            endpointslice-controller             0         8d\r\nkube-system            endpointslicemirroring-controller    0         8d\r\nkube-system            ephemeral-volume-controller          0         8d\r\nkube-system            expand-controller                    0         8d\r\nkube-system            generic-garbage-collector            0         8d\r\nkube-system            horizontal-pod-autoscaler            0         8d\r\nkube-system            job-controller                       0         8d\r\nkube-system            kube-proxy                           0         8d\r\nkube-system            metrics-server                       0         4d21h\r\nkube-system            namespace-controller                 0         8d\r\nkube-system            
node-controller                      0         8d\r\nkube-system            persistent-volume-binder             0         8d\r\nkube-system            pod-garbage-collector                0         8d\r\nkube-system            pv-protection-controller             0         8d\r\nkube-system            pvc-protection-controller            0         8d\r\nkube-system            replicaset-controller                0         8d\r\nkube-system            replication-controller               0         8d\r\nkube-system            resourcequota-controller             0         8d\r\nkube-system            root-ca-cert-publisher               0         8d\r\nkube-system            service-account-controller           0         8d\r\nkube-system            service-controller                   0         8d\r\nkube-system            statefulset-controller               0         8d\r\nkube-system            storage-provisioner                  0         8d\r\nkube-system            token-cleaner                        0         8d\r\nkube-system            ttl-after-finished-controller        0         8d\r\nkube-system            ttl-controller                       0         8d\r\nkubernetes-dashboard   default                              0         7d17h\r\nkubernetes-dashboard   kubernetes-dashboard                 0         7d17h\r\nlimited                default                              0         3d\r\nnwp-namespace          default                              0         2d3h\r\nremote                 default                              0         2d15h\r\nrestricted             default                              0         46h\r\n<\/pre>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #3366ff;\">Configuring Roles<\/span><\/p>\n<ul>\n<li>Roles are used on Namespaces and use Verbs to specify access to specific<br \/>\nresources in that Namespace<\/li>\n<li>Use <code>kubectl create role<\/code> to create roles<\/li>\n<\/ul>\n<pre class=\"lang:default 
decode:true\">[root@k8s cka]# kubectl create role -h\r\n[root@k8s cka]# kubectl get roles -A\r\nNAMESPACE              NAME                                             CREATED AT\r\ningress-nginx          ingress-nginx                                    2024-02-02T20:09:01Z\r\nkube-public            kubeadm:bootstrap-signer-clusterinfo             2024-01-31T15:03:26Z\r\nkube-public            system:controller:bootstrap-signer               2024-01-31T15:03:25Z\r\nkube-system            extension-apiserver-authentication-reader        2024-01-31T15:03:25Z\r\nkube-system            kube-proxy                                       2024-01-31T15:03:27Z\r\nkube-system            kubeadm:kubelet-config                           2024-01-31T15:03:25Z\r\nkube-system            kubeadm:nodes-kubeadm-config                     2024-01-31T15:03:25Z\r\nkube-system            system::leader-locking-kube-controller-manager   2024-01-31T15:03:25Z\r\nkube-system            system::leader-locking-kube-scheduler            2024-01-31T15:03:25Z\r\nkube-system            system:controller:bootstrap-signer               2024-01-31T15:03:25Z\r\nkube-system            system:controller:cloud-provider                 2024-01-31T15:03:25Z\r\nkube-system            system:controller:token-cleaner                  2024-01-31T15:03:25Z\r\nkube-system            system:persistent-volume-provisioner             2024-01-31T15:03:28Z\r\nkubernetes-dashboard   kubernetes-dashboard                             2024-02-01T20:36:25Z\r\n<\/pre>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #3366ff;\">Creating RoleBindings<\/span><\/p>\n<ul>\n<li>RoleBindings connect subjects (users, groups or ServiceAccounts) to a Role, or to a ClusterRole whose permissions are then limited to the binding&#8217;s Namespace<\/li>\n<li>A RoleBinding can only reference a Role in its own Namespace, and whatever it grants applies only inside that Namespace<\/li>\n<li>Use <code>kubectl create rolebinding<\/code> to create one<\/li>\n<\/ul>\n<pre class=\"lang:default decode:true \">[root@k8s cka]# kubectl get rolebinding\r\nNo resources found in default namespace.\r\n\r\n[root@k8s cka]# kubectl get rolebinding -A\r\nNAMESPACE              NAME                        
                        ROLE                                                  AGE\r\ningress-nginx          ingress-nginx                                       Role\/ingress-nginx                                    9d\r\nkube-public            kubeadm:bootstrap-signer-clusterinfo                Role\/kubeadm:bootstrap-signer-clusterinfo             12d\r\nkube-public            system:controller:bootstrap-signer                  Role\/system:controller:bootstrap-signer               12d\r\nkube-system            kube-proxy                                          Role\/kube-proxy                                       12d\r\nkube-system            kubeadm:kubelet-config                              Role\/kubeadm:kubelet-config                           12d\r\nkube-system            kubeadm:nodes-kubeadm-config                        Role\/kubeadm:nodes-kubeadm-config                     12d\r\nkube-system            metrics-server-auth-reader                          Role\/extension-apiserver-authentication-reader        8d\r\nkube-system            system::extension-apiserver-authentication-reader   Role\/extension-apiserver-authentication-reader        12d\r\nkube-system            system::leader-locking-kube-controller-manager      Role\/system::leader-locking-kube-controller-manager   12d\r\nkube-system            system::leader-locking-kube-scheduler               Role\/system::leader-locking-kube-scheduler            12d\r\nkube-system            system:controller:bootstrap-signer                  Role\/system:controller:bootstrap-signer               12d\r\nkube-system            system:controller:cloud-provider                    Role\/system:controller:cloud-provider                 12d\r\nkube-system            system:controller:token-cleaner                     Role\/system:controller:token-cleaner                  12d\r\nkube-system            system:persistent-volume-provisioner                Role\/system:persistent-volume-provisioner             
12d\r\nkubernetes-dashboard   kubernetes-dashboard                                Role\/kubernetes-dashboard                             10d\r\n\r\n[root@k8s cka]# kubectl get rolebindings.rbac.authorization.k8s.io -n ingress-nginx ingress-nginx -o yaml\r\napiVersion: rbac.authorization.k8s.io\/v1\r\nkind: RoleBinding\r\nmetadata:\r\n  annotations:\r\n    meta.helm.sh\/release-name: ingress-nginx\r\n    meta.helm.sh\/release-namespace: ingress-nginx\r\n  creationTimestamp: \"2024-02-02T20:09:01Z\"\r\n  labels:\r\n    app.kubernetes.io\/component: controller\r\n    app.kubernetes.io\/instance: ingress-nginx\r\n    app.kubernetes.io\/managed-by: Helm\r\n    app.kubernetes.io\/name: ingress-nginx\r\n    app.kubernetes.io\/part-of: ingress-nginx\r\n    app.kubernetes.io\/version: 1.9.6\r\n    helm.sh\/chart: ingress-nginx-4.9.1\r\n  name: ingress-nginx\r\n  namespace: ingress-nginx\r\n  resourceVersion: \"98215\"\r\n  uid: 8d8de8c1-91ff-41e0-893d-990220b4beac\r\nroleRef:\r\n  apiGroup: rbac.authorization.k8s.io\r\n  kind: Role\r\n  name: ingress-nginx\r\nsubjects:\r\n- kind: ServiceAccount\r\n  name: ingress-nginx\r\n  namespace: ingress-nginx\r\n\r\n[root@k8s cka]# kubectl create rolebinding -h\r\n<\/pre>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #3366ff;\">Creating ServiceAccounts<\/span><\/p>\n<ul>\n<li>A ServiceAccount is the identity a Pod presents to the API server; its token is mounted into the Pod and sent as a bearer token<\/li>\n<li>Every Namespace has a default ServiceAccount that Pods use when none is specified; it can authenticate and read API discovery information, but has no other permissions<\/li>\n<li>If more access is needed, create a dedicated ServiceAccount for that workload rather than widening what default can do<\/li>\n<li>A ServiceAccount carries no permissions of its own; it gets them by appearing as a subject in a RoleBinding or ClusterRoleBinding<\/li>\n<li>Pods that never call the API should set <code>automountServiceAccountToken: false<\/code>, so a compromised container has no token to steal<\/li>\n<\/ul>\n<p><span style=\"color: #3366ff;\">Configuring ServiceAccounts<\/span><\/p>\n<p>1. Create a Pod using the default ServiceAccount: <code>kubectl apply -f mypod.yaml<\/code><\/p>\n<p>2. 
Use <code>kubectl get pods mypod -o yaml<\/code> to check which ServiceAccount the Pod runs as (<code>serviceAccountName: default<\/code>) and where its token is mounted<\/p>\n<p>3. Access the Pod using <code>kubectl exec -it mypod -- sh<\/code> and try to reach the API with curl:<\/p>\n<p style=\"padding-left: 40px;\">1. <code>apk add --update curl<\/code><br \/>\n2. <code>curl https:\/\/kubernetes\/api\/v1 --insecure<\/code>\u00a0 # 403 Forbidden: without a token the request runs as the anonymous user, to which RBAC grants nothing here<\/p>\n<p>4. Use the default ServiceAccount token and try again:<\/p>\n<p style=\"padding-left: 40px;\">1. <code>TOKEN=$(cat \/run\/secrets\/kubernetes.io\/serviceaccount\/token)<\/code><br \/>\n2. <code>curl -H \"Authorization: Bearer $TOKEN\" https:\/\/kubernetes\/api\/v1\/ --insecure<\/code>\u00a0 # succeeds: every authenticated identity may read API discovery information<\/p>\n<p>5. Try the same, but this time to list Pods &#8211; it fails with 403 Forbidden, because no RoleBinding grants the default ServiceAccount the list verb on pods:<\/p>\n<p style=\"padding-left: 40px;\">1. <code>curl -H \"Authorization: Bearer $TOKEN\" https:\/\/kubernetes\/api\/v1\/namespaces\/default\/pods\/ --insecure<\/code><\/p>\n<p>Note that <code>--insecure<\/code> skips verification of the API server certificate. The CA that signed it is mounted next to the token as <code>\/run\/secrets\/kubernetes.io\/serviceaccount\/ca.crt<\/code>, and passing that file with <code>--cacert<\/code> is the safer choice, here and in the next exercise.<\/p>\n<pre class=\"lang:default decode:true\">[root@k8s cka]# cat mypod.yaml\r\napiVersion: v1\r\nkind: Pod\r\nmetadata:\r\n  name: mypod\r\nspec:\r\n  containers:\r\n  - name: alpine\r\n    image: alpine:3.9\r\n    command:\r\n    - \"sleep\"\r\n    - \"3600\"\r\n\r\n[root@k8s cka]# kubectl apply -f mypod.yaml\r\npod\/mypod created\r\n\r\n[root@k8s cka]# kubectl get pods mypod -o yaml\r\napiVersion: v1\r\nkind: Pod\r\nmetadata:\r\n  annotations:\r\n    kubectl.kubernetes.io\/last-applied-configuration: |\r\n      {\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"mypod\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"command\":[\"sleep\",\"3600\"],\"image\":\"alpine:3.9\",\"name\":\"alpine\"}]}}\r\n  creationTimestamp: \"2024-02-12T17:04:50Z\"\r\n  name: mypod\r\n  namespace: default\r\n  resourceVersion: \"918974\"\r\n  uid: a0c27f53-40fb-471f-9e19-535142daee9c\r\nspec:\r\n  containers:\r\n  - command:\r\n    - sleep\r\n    - \"3600\"\r\n    image: alpine:3.9\r\n    imagePullPolicy: IfNotPresent\r\n    name: 
alpine\r\n    resources: {}\r\n    terminationMessagePath: \/dev\/termination-log\r\n    terminationMessagePolicy: File\r\n    volumeMounts:\r\n    - mountPath: \/var\/run\/secrets\/kubernetes.io\/serviceaccount\r\n      name: kube-api-access-g57bc\r\n      readOnly: true\r\n  dnsPolicy: ClusterFirst\r\n  enableServiceLinks: true\r\n  nodeName: k8s.netico.pl\r\n  preemptionPolicy: PreemptLowerPriority\r\n  priority: 0\r\n  restartPolicy: Always\r\n  schedulerName: default-scheduler\r\n  securityContext: {}\r\n  serviceAccount: default\r\n  serviceAccountName: default\r\n  terminationGracePeriodSeconds: 30\r\n  tolerations:\r\n  - effect: NoExecute\r\n    key: node.kubernetes.io\/not-ready\r\n    operator: Exists\r\n    tolerationSeconds: 300\r\n  - effect: NoExecute\r\n    key: node.kubernetes.io\/unreachable\r\n    operator: Exists\r\n    tolerationSeconds: 300\r\n  volumes:\r\n  - name: kube-api-access-g57bc\r\n    projected:\r\n      defaultMode: 420\r\n      sources:\r\n      - serviceAccountToken:\r\n          expirationSeconds: 3607\r\n          path: token\r\n      - configMap:\r\n          items:\r\n          - key: ca.crt\r\n            path: ca.crt\r\n          name: kube-root-ca.crt\r\n      - downwardAPI:\r\n          items:\r\n          - fieldRef:\r\n              apiVersion: v1\r\n              fieldPath: metadata.namespace\r\n            path: namespace\r\nstatus:\r\n  conditions:\r\n  - lastProbeTime: null\r\n    lastTransitionTime: \"2024-02-12T17:04:50Z\"\r\n    status: \"True\"\r\n    type: Initialized\r\n  - lastProbeTime: null\r\n    lastTransitionTime: \"2024-02-12T17:04:55Z\"\r\n    status: \"True\"\r\n    type: Ready\r\n  - lastProbeTime: null\r\n    lastTransitionTime: \"2024-02-12T17:04:55Z\"\r\n    status: \"True\"\r\n    type: ContainersReady\r\n  - lastProbeTime: null\r\n    lastTransitionTime: \"2024-02-12T17:04:50Z\"\r\n    status: \"True\"\r\n    type: PodScheduled\r\n  containerStatuses:\r\n  - containerID: 
docker:\/\/1f205198c18df3a38ebdc53a210a0829baf7b84df586ded25e3c0212700dd219\r\n    image: alpine:3.9\r\n    imageID: docker-pullable:\/\/alpine@sha256:414e0518bb9228d35e4cd5165567fb91d26c6a214e9c95899e1e056fcd349011\r\n    lastState: {}\r\n    name: alpine\r\n    ready: true\r\n    restartCount: 0\r\n    started: true\r\n    state:\r\n      running:\r\n        startedAt: \"2024-02-12T17:04:54Z\"\r\n  hostIP: 172.30.9.24\r\n  phase: Running\r\n  podIP: 10.244.0.88\r\n  podIPs:\r\n  - ip: 10.244.0.88\r\n  qosClass: BestEffort\r\n  startTime: \"2024-02-12T17:04:50Z\"\r\n\r\n[root@k8s cka]# kubectl exec -it mypod -- sh\r\n\/ # apk add --update curl\r\nfetch http:\/\/dl-cdn.alpinelinux.org\/alpine\/v3.9\/main\/x86_64\/APKINDEX.tar.gz\r\nERROR: http:\/\/dl-cdn.alpinelinux.org\/alpine\/v3.9\/main: temporary error (try again later)\r\nWARNING: Ignoring APKINDEX.b89edf6e.tar.gz: No such file or directory\r\nfetch http:\/\/dl-cdn.alpinelinux.org\/alpine\/v3.9\/community\/x86_64\/APKINDEX.tar.gz\r\nERROR: http:\/\/dl-cdn.alpinelinux.org\/alpine\/v3.9\/community: temporary error (try again later)\r\nWARNING: Ignoring APKINDEX.737f7e01.tar.gz: No such file or directory\r\nERROR: unsatisfiable constraints:\r\n  curl (missing):\r\n    required by: world[curl]\r\n\/ # curl https:\/\/kubernetes\/api\/v1 --insecure\r\nsh: curl: not found\r\n\/ # TOKEN=$(cat \/run\/secrets\/kubernetes.io\/serviceaccount\/token)\r\n\/ # curl -H \"Authorization: Bearer $TOKEN\" https:\/\/kubernetes\/api\/v1\/ --insecure\r\n\/ # curl -H \"Authorization: Bearer $TOKEN\"https:\/\/kubernetes\/api\/v1\/namespaces\/default\/pods\/ --insecure\r\nsh: curl: not found\r\n\/ # exit\r\ncommand terminated with exit code 127\r\n<\/pre>\n<p><span style=\"color: #3366ff;\">Configuring ServiceAccounts<\/span><\/p>\n<p>1. Create a ServiceAccount:<code> kubectl apply -f mysa.yaml<\/code><\/p>\n<p>2. 
Define a Role that allows listing all Pods in the default Namespace: <code>kubectl apply -f list-pods.yaml<\/code><\/p>\n<p>3. Define a RoleBinding that binds mysa to the Role just created: <code>kubectl apply -f list-pods-mysa-binding.yaml<\/code><\/p>\n<p>4. Create a Pod that runs as the mysa ServiceAccount and therefore gets this Role: <code>kubectl apply -f mysapod.yaml<\/code><\/p>\n<p>5. Access the Pod, use the mysa ServiceAccount token and try again:<\/p>\n<p style=\"padding-left: 40px;\">1. <code>apk add --update curl<\/code><br \/>\n2. <code>TOKEN=$(cat \/run\/secrets\/kubernetes.io\/serviceaccount\/token)<\/code><br \/>\n3. <code>curl -H \"Authorization: Bearer $TOKEN\" https:\/\/kubernetes\/api\/v1\/ --insecure<\/code><\/p>\n<p>6. Try the same, but this time to list Pods &#8211; now it succeeds, because the binding grants mysa the list verb on pods in default:<\/p>\n<p style=\"padding-left: 40px;\">1. <code>curl -H \"Authorization: Bearer $TOKEN\" https:\/\/kubernetes\/api\/v1\/namespaces\/default\/pods\/ --insecure<\/code><\/p>\n<pre class=\"lang:default decode:true\">[root@k8s cka]# cat mysa.yaml\r\napiVersion: v1\r\nkind: ServiceAccount\r\nmetadata:\r\n  name: mysa\r\n\r\n[root@k8s cka]# kubectl apply -f mysa.yaml\r\nserviceaccount\/mysa created\r\n[root@k8s cka]# cat list-pods.yaml\r\napiVersion: rbac.authorization.k8s.io\/v1\r\nkind: Role\r\nmetadata:\r\n  name: list-pods\r\n  namespace: default\r\nrules:\r\n  - apiGroups:\r\n    - ''\r\n    resources:\r\n    - pods\r\n    verbs:\r\n    - list\r\n<\/pre>\n<p>Above is a minimal ServiceAccount, mysa, and a minimal Role, list-pods. 
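<\/p>
<p>As an added example (not code from the original post), here is a small Python evaluator that answers the same question the API server&#8217;s RBAC authorizer answers: may this ServiceAccount perform this verb on this resource in this Namespace? It embeds the mysa ServiceAccount, the list-pods Role and the list-pods-mysa-binding RoleBinding from these steps as constructed dicts, and goes beyond the page&#8217;s case by also handling a ClusterRole bound cluster-wide through a ClusterRoleBinding and a ClusterRole bound to a single Namespace through a RoleBinding. The node-reader and secret-reader ClusterRoles and their bindings are assumed names invented for the example. It runs offline, without kubectl or PyYAML.<\/p>

```python
"""Minimal re-implementation of the Kubernetes RBAC decision (added example, not from the post).

The API server allows a request if ANY RoleBinding or ClusterRoleBinding whose subjects
include the caller references a role with a rule matching (apiGroup, resource, verb).
There are no deny rules. Manifests are embedded as dicts so this runs without a cluster.
"""

# Constructed sample manifests. The first three mirror mysa.yaml, list-pods.yaml and
# list-pods-mysa-binding.yaml from the post; node-reader / secret-reader are assumed names.
MANIFESTS = [
    {"kind": "ServiceAccount", "metadata": {"name": "mysa", "namespace": "default"}},
    {"kind": "Role", "metadata": {"name": "list-pods", "namespace": "default"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["list"]}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "list-pods-mysa-binding", "namespace": "default"},
     "roleRef": {"kind": "Role", "name": "list-pods"},
     "subjects": [{"kind": "ServiceAccount", "name": "mysa", "namespace": "default"}]},
    # ClusterRole + ClusterRoleBinding: cluster-wide grant, needed for cluster-scoped nodes.
    {"kind": "ClusterRole", "metadata": {"name": "node-reader"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "node-reader-mysa"},
     "roleRef": {"kind": "ClusterRole", "name": "node-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "mysa", "namespace": "default"}]},
    # ClusterRole referenced from a RoleBinding: the grant is confined to that Namespace.
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "secret-reader-mysa", "namespace": "restricted"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "mysa", "namespace": "default"}]},
]


def _matches(wanted, allowed):
    # "*" in a rule matches anything on that axis.
    return "*" in allowed or wanted in allowed


def rule_allows(rule, api_group, resource, verb):
    """A rule grants a request only if apiGroup, resource and verb all match."""
    return (_matches(api_group, rule.get("apiGroups", []))
            and _matches(resource, rule.get("resources", []))
            and _matches(verb, rule.get("verbs", [])))


def subject_matches(subject, sa_name, sa_namespace):
    """Does a binding subject cover the ServiceAccount sa_namespace/sa_name?"""
    if subject["kind"] == "ServiceAccount":
        return subject["name"] == sa_name and subject.get("namespace") == sa_namespace
    if subject["kind"] == "Group":
        # Groups every ServiceAccount token carries: all SAs, SAs of its Namespace, all authenticated.
        return subject["name"] in ("system:serviceaccounts",
                                   f"system:serviceaccounts:{sa_namespace}",
                                   "system:authenticated")
    return False  # User subjects never match a ServiceAccount


def find_role(manifests, role_ref, binding_namespace):
    """Resolve roleRef. A Role must live in the binding's own Namespace; ClusterRoles are global."""
    for m in manifests:
        if m["kind"] != role_ref["kind"] or m["metadata"]["name"] != role_ref["name"]:
            continue
        if m["kind"] == "Role" and m["metadata"].get("namespace") != binding_namespace:
            continue
        return m
    return None  # dangling roleRef: the binding grants nothing


def can_i(manifests, sa_name, sa_namespace, verb, resource, namespace=None, api_group=""):
    """Return the name of the first binding that allows the request, or None.

    namespace=None means a cluster-scoped request (e.g. on nodes); only a
    ClusterRoleBinding can grant that, a RoleBinding is always confined to its Namespace.
    """
    for b in manifests:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(subject_matches(s, sa_name, sa_namespace) for s in b.get("subjects", [])):
            continue
        if b["kind"] == "RoleBinding":
            if namespace is None or b["metadata"]["namespace"] != namespace:
                continue
            role = find_role(manifests, b["roleRef"], b["metadata"]["namespace"])
        else:
            role = find_role(manifests, b["roleRef"], None)
        if role and any(rule_allows(r, api_group, resource, verb) for r in role.get("rules", [])):
            return b["metadata"]["name"]
    return None


if __name__ == "__main__":
    # The same questions `kubectl auth can-i ... --as=system:serviceaccount:default:mysa` answers.
    for verb, resource, ns in [("list", "pods", "default"), ("list", "pods", "kube-system"),
                               ("delete", "pods", "default"), ("list", "nodes", None),
                               ("get", "secrets", "restricted"), ("get", "secrets", "default")]:
        grant = can_i(MANIFESTS, "mysa", "default", verb, resource, ns)
        where = ns or "<cluster>"
        print(f"mysa {verb} {resource} in {where}: {'yes via ' + grant if grant else 'no'}")
```

<p>Against a real cluster the equivalent check is <code>kubectl auth can-i list pods --as=system:serviceaccount:default:mysa<\/code>, which asks the API server instead of re-implementing its rules. The point of the script is to make the three conditions visible: a request needs a matching subject, a binding in the right scope, and a rule that matches apiGroup, resource and verb, with no deny rules anywhere, so every extra binding can only widen what a ServiceAccount may do.<\/p>
<p>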
It grants exactly one thing: the list verb on pods in the core API group (the empty <code>apiGroups<\/code> entry) within the default Namespace; get and watch are not included, so a client holding only this Role cannot read a single Pod by name.<\/p>\n<pre class=\"lang:default decode:true\">[root@k8s cka]# kubectl apply -f list-pods.yaml\r\nrole.rbac.authorization.k8s.io\/list-pods created\r\n\r\n[root@k8s cka]# cat list-pods-mysa-binding.yaml\r\napiVersion: rbac.authorization.k8s.io\/v1\r\nkind: RoleBinding\r\nmetadata:\r\n  name: list-pods-mysa-binding\r\n  namespace: default\r\nroleRef:\r\n  kind: Role\r\n  name: list-pods\r\n  apiGroup: rbac.authorization.k8s.io\r\nsubjects:\r\n  - kind: ServiceAccount\r\n    name: mysa\r\n    namespace: default\r\n<\/pre>\n<p>The RoleBinding lives in the default Namespace, the same Namespace as the Role it references, and its single subject is the ServiceAccount mysa in default. Because the subject names its Namespace explicitly, a ServiceAccount that happens to be called mysa in another Namespace would not match this binding.<\/p>\n<pre class=\"lang:default decode:true \">[root@k8s cka]# kubectl apply -f list-pods-mysa-binding.yaml\r\nrolebinding.rbac.authorization.k8s.io\/list-pods-mysa-binding created\r\n\r\n[root@k8s cka]# cat mysapod.yaml\r\napiVersion: v1\r\nkind: Pod\r\nmetadata:\r\n  name: mysapod\r\nspec:\r\n  serviceAccountName: mysa\r\n  containers:\r\n  - name: alpine\r\n    image: alpine:3.9\r\n    command:\r\n    - \"sleep\"\r\n    - \"3600\"\r\n\r\n[root@k8s cka]# kubectl apply -f mysapod.yaml\r\npod\/mysapod created\r\n\r\n[root@k8s cka]# kubectl exec -it mysapod -- sh\r\n\/ # apk add --update curl\r\nfetch http:\/\/dl-cdn.alpinelinux.org\/alpine\/v3.9\/main\/x86_64\/APKINDEX.tar.gz\r\nERROR: http:\/\/dl-cdn.alpinelinux.org\/alpine\/v3.9\/main: temporary error (try again later)\r\nWARNING: Ignoring APKINDEX.b89edf6e.tar.gz: No such file or directory\r\nfetch http:\/\/dl-cdn.alpinelinux.org\/alpine\/v3.9\/community\/x86_64\/APKINDEX.tar.gz\r\nERROR: http:\/\/dl-cdn.alpinelinux.org\/alpine\/v3.9\/community: temporary error (try again later)\r\nWARNING: Ignoring APKINDEX.737f7e01.tar.gz: No such file or directory\r\nERROR: unsatisfiable constraints:\r\n  curl (missing):\r\n    required by: world[curl]\r\n\/ # TOKEN=$(cat \/run\/secrets\/kubernetes.io\/serviceaccount\/token)\r\n\/ # curl-H \"Authorization: Bearer $TOKEN\" 
https:\/\/kubernetes\/api\/v1\/ --insecure\r\nsh: curl-H: not found\r\n\/ # curl -H \"Authorization: Bearer $TOKEN\" https:\/\/kubernetes\/api\/v1\/ --insecure\r\nsh: curl: not found\r\n\/ # curl -H \"Authorization: Bearer $TOKEN\"\r\nsh: curl: not found\r\n\/ # https:\/\/kubernetes\/api\/v1\/namespaces\/default\/pods\/ --insecure\r\nsh: https:\/\/kubernetes\/api\/v1\/namespaces\/default\/pods\/: not found\r\n\/ # curl -H \"Authorization: Bearer $TOKEN\"https:\/\/kubernetes\/api\/v1\/namespaces\/default\/pods\/ --insecure\r\nsh: curl: not found\r\n<\/pre>\n<p>In the transcript above the Alpine package mirror could not be reached from the Pod, so curl was never installed and neither request was actually exercised. With curl available, the request in step 6 returns a PodList (HTTP 200), while the identical request from mypod, which runs as the default ServiceAccount, returns 403 Forbidden.<\/p>\n<p><span style=\"color: #3366ff;\">ClusterRoles<\/span><\/p>\n<ul>\n<li>Roles are Namespace-scoped; ClusterRoles are cluster-scoped and are also the only way to grant access to cluster-scoped resources (nodes, namespaces, persistentvolumes) and to non-resource URLs<\/li>\n<li>Their rules work the same way as Role rules: apiGroups, resources and verbs<\/li>\n<li>A ClusterRole is granted to users, groups or ServiceAccounts through a ClusterRoleBinding (cluster-wide), or through a RoleBinding, which limits the same ClusterRole to one Namespace<\/li>\n<li>Bindings to <code>cluster-admin<\/code> deserve a second look: the <code>kubernetes-dashboard<\/code> ClusterRoleBinding below hands the dashboard&#8217;s ServiceAccount full control of the cluster<\/li>\n<\/ul>\n<pre class=\"lang:default decode:true\">[root@k8s cka]# kubectl get clusterrole\r\nNAME                                                                   CREATED AT\r\nadmin                                                                  2024-01-31T15:03:24Z\r\ncluster-admin                                                          2024-01-31T15:03:24Z\r\nedit                                                                   2024-01-31T15:03:24Z\r\ningress-nginx                                                          2024-02-02T20:09:01Z\r\nkubeadm:get-nodes                                                      2024-01-31T15:03:26Z\r\nkubernetes-dashboard                                                   2024-02-01T20:36:25Z\r\nsystem:aggregate-to-admin                                              2024-01-31T15:03:24Z\r\nsystem:aggregate-to-edit                                               2024-01-31T15:03:24Z\r\nsystem:aggregate-to-view                                               2024-01-31T15:03:24Z\r\nsystem:aggregated-metrics-reader                           
            2024-02-04T16:24:05Z\r\nsystem:auth-delegator                                                  2024-01-31T15:03:24Z\r\nsystem:basic-user                                                      2024-01-31T15:03:24Z\r\nsystem:certificates.k8s.io:certificatesigningrequests:nodeclient       2024-01-31T15:03:24Z\r\nsystem:certificates.k8s.io:certificatesigningrequests:selfnodeclient   2024-01-31T15:03:24Z\r\nsystem:certificates.k8s.io:kube-apiserver-client-approver              2024-01-31T15:03:24Z\r\nsystem:certificates.k8s.io:kube-apiserver-client-kubelet-approver      2024-01-31T15:03:24Z\r\nsystem:certificates.k8s.io:kubelet-serving-approver                    2024-01-31T15:03:24Z\r\nsystem:certificates.k8s.io:legacy-unknown-approver                     2024-01-31T15:03:24Z\r\nsystem:controller:attachdetach-controller                              2024-01-31T15:03:24Z\r\nsystem:controller:certificate-controller                               2024-01-31T15:03:24Z\r\nsystem:controller:clusterrole-aggregation-controller                   2024-01-31T15:03:24Z\r\nsystem:controller:cronjob-controller                                   2024-01-31T15:03:24Z\r\nsystem:controller:daemon-set-controller                                2024-01-31T15:03:24Z\r\nsystem:controller:deployment-controller                                2024-01-31T15:03:24Z\r\nsystem:controller:disruption-controller                                2024-01-31T15:03:24Z\r\nsystem:controller:endpoint-controller                                  2024-01-31T15:03:24Z\r\nsystem:controller:endpointslice-controller                             2024-01-31T15:03:24Z\r\nsystem:controller:endpointslicemirroring-controller                    2024-01-31T15:03:24Z\r\nsystem:controller:ephemeral-volume-controller                          2024-01-31T15:03:24Z\r\nsystem:controller:expand-controller                                    2024-01-31T15:03:24Z\r\nsystem:controller:generic-garbage-collector                     
       2024-01-31T15:03:24Z\r\nsystem:controller:horizontal-pod-autoscaler                            2024-01-31T15:03:24Z\r\nsystem:controller:job-controller                                       2024-01-31T15:03:24Z\r\nsystem:controller:namespace-controller                                 2024-01-31T15:03:24Z\r\nsystem:controller:node-controller                                      2024-01-31T15:03:24Z\r\nsystem:controller:persistent-volume-binder                             2024-01-31T15:03:24Z\r\nsystem:controller:pod-garbage-collector                                2024-01-31T15:03:24Z\r\nsystem:controller:pv-protection-controller                             2024-01-31T15:03:24Z\r\nsystem:controller:pvc-protection-controller                            2024-01-31T15:03:24Z\r\nsystem:controller:replicaset-controller                                2024-01-31T15:03:24Z\r\nsystem:controller:replication-controller                               2024-01-31T15:03:24Z\r\nsystem:controller:resourcequota-controller                             2024-01-31T15:03:24Z\r\nsystem:controller:root-ca-cert-publisher                               2024-01-31T15:03:24Z\r\nsystem:controller:route-controller                                     2024-01-31T15:03:24Z\r\nsystem:controller:service-account-controller                           2024-01-31T15:03:24Z\r\nsystem:controller:service-controller                                   2024-01-31T15:03:24Z\r\nsystem:controller:statefulset-controller                               2024-01-31T15:03:24Z\r\nsystem:controller:ttl-after-finished-controller                        2024-01-31T15:03:24Z\r\nsystem:controller:ttl-controller                                       2024-01-31T15:03:24Z\r\nsystem:coredns                                                         2024-01-31T15:03:27Z\r\nsystem:discovery                                                       2024-01-31T15:03:24Z\r\nsystem:heapster                                                      
  2024-01-31T15:03:24Z\r\nsystem:kube-aggregator                                                 2024-01-31T15:03:24Z\r\nsystem:kube-controller-manager                                         2024-01-31T15:03:24Z\r\nsystem:kube-dns                                                        2024-01-31T15:03:24Z\r\nsystem:kube-scheduler                                                  2024-01-31T15:03:24Z\r\nsystem:kubelet-api-admin                                               2024-01-31T15:03:24Z\r\nsystem:metrics-server                                                  2024-02-04T16:24:05Z\r\nsystem:monitoring                                                      2024-01-31T15:03:24Z\r\nsystem:node                                                            2024-01-31T15:03:24Z\r\nsystem:node-bootstrapper                                               2024-01-31T15:03:24Z\r\nsystem:node-problem-detector                                           2024-01-31T15:03:24Z\r\nsystem:node-proxier                                                    2024-01-31T15:03:24Z\r\nsystem:persistent-volume-provisioner                                   2024-01-31T15:03:24Z\r\nsystem:public-info-viewer                                              2024-01-31T15:03:24Z\r\nsystem:service-account-issuer-discovery                                2024-01-31T15:03:24Z\r\nsystem:volume-scheduler                                                2024-01-31T15:03:24Z\r\nview                                                                   2024-01-31T15:03:24Z\r\n\r\n[root@k8s cka]# kubectl get clusterrole edit -o yaml | more\r\naggregationRule:\r\n  clusterRoleSelectors:\r\n  - matchLabels:\r\n      rbac.authorization.k8s.io\/aggregate-to-edit: \"true\"\r\napiVersion: rbac.authorization.k8s.io\/v1\r\nkind: ClusterRole\r\nmetadata:\r\n  annotations:\r\n    rbac.authorization.kubernetes.io\/autoupdate: \"true\"\r\n  creationTimestamp: \"2024-01-31T15:03:24Z\"\r\n  labels:\r\n    kubernetes.io\/bootstrapping: 
rbac-defaults\r\n    rbac.authorization.k8s.io\/aggregate-to-admin: \"true\"\r\n  name: edit\r\n  resourceVersion: \"252703\"\r\n  uid: ecbd635d-93c8-409a-b3bb-ed6f3fa91cba\r\nrules:\r\n- apiGroups:\r\n  - \"\"\r\n  resources:\r\n  - pods\/attach\r\n  - pods\/exec\r\n  - pods\/portforward\r\n  - pods\/proxy\r\n  - secrets\r\n  - services\/proxy\r\n  verbs:\r\n  - get\r\n  - list\r\n  - watch\r\n- apiGroups:\r\n  - \"\"\r\n  resources:\r\n  - serviceaccounts\r\n  verbs:\r\n  - impersonate\r\n- apiGroups:\r\n  - \"\"\r\n  resources:\r\n  - pods\r\n  - pods\/attach\r\n  - pods\/exec\r\n  - pods\/portforward\r\n  - pods\/proxy\r\n  verbs:\r\n  - create\r\n  - delete\r\n  - deletecollection\r\n  - patch\r\n  - update\r\n- apiGroups:\r\n  - \"\"\r\n\r\n[root@k8s cka]# kubectl get clusterrolebindings\r\nNAME                                            ROLE                                                                               AGE\r\ncluster-admin                                   ClusterRole\/cluster-admin                                                          12d\r\ningress-nginx                                   ClusterRole\/ingress-nginx                                                          10d\r\nkubeadm:get-nodes                               ClusterRole\/kubeadm:get-nodes                                                      12d\r\nkubeadm:kubelet-bootstrap                       ClusterRole\/system:node-bootstrapper                                               12d\r\nkubeadm:node-autoapprove-bootstrap              ClusterRole\/system:certificates.k8s.io:certificatesigningrequests:nodeclient       12d\r\nkubeadm:node-autoapprove-certificate-rotation   ClusterRole\/system:certificates.k8s.io:certificatesigningrequests:selfnodeclient   12d\r\nkubeadm:node-proxier                            ClusterRole\/system:node-proxier                                                    12d\r\nkubernetes-dashboard                            ClusterRole\/cluster-admin                                                          11d\r\nmetrics-server:system:auth-delegator            ClusterRole\/system:auth-delegator                                                  8d\r\nminikube-rbac                                   ClusterRole\/cluster-admin                                                          12d\r\nstorage-provisioner                             ClusterRole\/system:persistent-volume-provisioner                                   12d\r\nsystem:basic-user                               ClusterRole\/system:basic-user
                                                                                        12d\r\nsystem:controller:attachdetach-controller              ClusterRole\/system:controller:attachdetach-controller                                                                                                                                         12d\r\nsystem:controller:certificate-controller               ClusterRole\/system:controller:certificate-controller                                                                                                                                          12d\r\nsystem:controller:clusterrole-aggregation-controller   ClusterRole\/system:controller:clusterrole-aggregation-controller                                                                                                                              12d\r\nsystem:controller:cronjob-controller                   ClusterRole\/system:controller:cronjob-controller                                                                                                                                              12d\r\nsystem:controller:daemon-set-controller                ClusterRole\/system:controller:daemon-set-controller                                                                                                                                           12d\r\nsystem:controller:deployment-controller                ClusterRole\/system:controller:deployment-controller                                                                                                                                           12d\r\nsystem:controller:disruption-controller                ClusterRole\/system:controller:disruption-controller                                                                                                                                           12d\r\nsystem:controller:endpoint-controller                  ClusterRole\/system:controller:endpoint-controller                             
                                                                                                                12d\r\nsystem:controller:endpointslice-controller             ClusterRole\/system:controller:endpointslice-controller                                                                                                                                        12d\r\nsystem:controller:endpointslicemirroring-controller    ClusterRole\/system:controller:endpointslicemirroring-controller                                                                                                                               12d\r\nsystem:controller:ephemeral-volume-controller          ClusterRole\/system:controller:ephemeral-volume-controller                                                                                                                                     12d\r\nsystem:controller:expand-controller                    ClusterRole\/system:controller:expand-controller                                                                                                                                               12d\r\nsystem:controller:generic-garbage-collector            ClusterRole\/system:controller:generic-garbage-collector                                                                                                                                       12d\r\nsystem:controller:horizontal-pod-autoscaler            ClusterRole\/system:controller:horizontal-pod-autoscaler                                                                                                                                       12d\r\nsystem:controller:job-controller                       ClusterRole\/system:controller:job-controller                                                                                                                                                  12d\r\nsystem:controller:namespace-controller                 ClusterRole\/system:controller:namespace-controller    
                                                                                                                                        12d\r\nsystem:controller:node-controller                      ClusterRole\/system:controller:node-controller                                                                                                                                                 12d\r\nsystem:controller:persistent-volume-binder             ClusterRole\/system:controller:persistent-volume-binder                                                                                                                                        12d\r\nsystem:controller:pod-garbage-collector                ClusterRole\/system:controller:pod-garbage-collector                                                                                                                                           12d\r\nsystem:controller:pv-protection-controller             ClusterRole\/system:controller:pv-protection-controller                                                                                                                                        12d\r\nsystem:controller:pvc-protection-controller            ClusterRole\/system:controller:pvc-protection-controller                                                                                                                                       12d\r\nsystem:controller:replicaset-controller                ClusterRole\/system:controller:replicaset-controller                                                                                                                                           12d\r\nsystem:controller:replication-controller               ClusterRole\/system:controller:replication-controller                                                                                                                                          12d\r\nsystem:controller:resourcequota-controller             
ClusterRole\/system:controller:resourcequota-controller                                                                                                                                        12d\r\nsystem:controller:root-ca-cert-publisher               ClusterRole\/system:controller:root-ca-cert-publisher                                                                                                                                          12d\r\nsystem:controller:route-controller                     ClusterRole\/system:controller:route-controller                                                                                                                                                12d\r\nsystem:controller:service-account-controller           ClusterRole\/system:controller:service-account-controller                                                                                                                                      12d\r\nsystem:controller:service-controller                   ClusterRole\/system:controller:service-controller                                                                                                                                              12d\r\nsystem:controller:statefulset-controller               ClusterRole\/system:controller:statefulset-controller                                                                                                                                          12d\r\nsystem:controller:ttl-after-finished-controller        ClusterRole\/system:controller:ttl-after-finished-controller                                                                                                                                   12d\r\nsystem:controller:ttl-controller                       ClusterRole\/system:controller:ttl-controller                                                                                                                                                  12d\r\nsystem:coredns                 
                        ClusterRole\/system:coredns                                                                                                                                                                    12d\r\nsystem:discovery                                       ClusterRole\/system:discovery                                                                                                                                                                  12d\r\nsystem:kube-controller-manager                         ClusterRole\/system:kube-controller-manager                                                                                                                                                    12d\r\nsystem:kube-dns                                        ClusterRole\/system:kube-dns                                                                                                                                                                   12d\r\nsystem:kube-scheduler                                  ClusterRole\/system:kube-scheduler                                                                                                                                                             12d\r\nsystem:metrics-server                                  ClusterRole\/system:metrics-server                                                                                                                                                             8d\r\nsystem:monitoring                                      ClusterRole\/system:monitoring                                                                                                                                                                 12d\r\nsystem:node                                            ClusterRole\/system:node                                                                                                                                                                       
12d\r\nsystem:node-proxier                                    ClusterRole\/system:node-proxier                                                                                                                                                               12d\r\nsystem:public-info-viewer                              ClusterRole\/system:public-info-viewer                                                                                                                                                         12d\r\nsystem:service-account-issuer-discovery                ClusterRole\/system:service-account-issuer-discovery                                                                                                                                           12d\r\nsystem:volume-scheduler                                ClusterRole\/system:volume-scheduler                                                                                                                                                           12d\r\n<\/pre>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #3366ff;\">User Accounts<\/span><\/p>\n<ul>\n<li>Kubernetes has no User objects<\/li>\n<li>A user account consists of a client certificate signed by the cluster CA (authentication) combined with the authorization defined for that user in RBAC<\/li>\n<li>To create a user account, the following steps need to be performed\n<ul>\n<li>Create a public\/private key pair<\/li>\n<li>Create a Certificate Signing Request<\/li>\n<li>Sign the Certificate<\/li>\n<li>Create a configuration file that uses these keys to access the K8s cluster<\/li>\n<li>Create an RBAC Role<\/li>\n<li>Create an RBAC RoleBinding<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"color: #3366ff;\">Creating User Accounts<\/span><\/p>\n<p>Step 1: Create a user working environment<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><code>kubectl create ns students<\/code><\/li>\n<li><code>kubectl create ns staff<\/code><\/li>\n<li><code>kubectl config get-contexts<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre class=\"lang:default decode:true \">[root@k8s cka]# kubectl create ns students\r\nnamespace\/students created\r\n\r\n[root@k8s cka]# kubectl create ns staff\r\nnamespace\/staff created\r\n\r\n[root@k8s cka]# kubectl config get-contexts\r\nCURRENT   NAME       CLUSTER    AUTHINFO   NAMESPACE\r\n*         minikube   minikube   minikube   default\r\n\r\n[root@k8s cka]# cat ~\/.kube\/config\r\napiVersion: v1\r\nclusters:\r\n- cluster:\r\n    certificate-authority: \/root\/.minikube\/ca.crt\r\n    extensions:\r\n    - extension:\r\n        last-update: Thu, 01 Feb 2024 15:18:33 EST\r\n        provider: minikube.sigs.k8s.io\r\n        version: v1.32.0\r\n      name: cluster_info\r\n    server: https:\/\/172.30.9.24:8443\r\n  name: minikube\r\ncontexts:\r\n- context:\r\n    cluster: minikube\r\n    extensions:\r\n    - extension:\r\n        last-update: Thu, 01 Feb 2024 15:18:33 EST\r\n        provider: minikube.sigs.k8s.io\r\n        version: v1.32.0\r\n      name: context_info\r\n    namespace: default\r\n    user: minikube\r\n  name: minikube\r\ncurrent-context: minikube\r\nkind: Config\r\npreferences: {}\r\nusers:\r\n- name: minikube\r\n  user:\r\n    client-certificate: \/root\/.minikube\/profiles\/minikube\/client.crt\r\n    client-key: \/root\/.minikube\/profiles\/minikube\/client.key\r\n<\/pre>\n<p>Step 2: Create the User account<\/p>\n<ul>\n<li><code>sudo useradd -m -G sudo -s \/bin\/bash anna<\/code><\/li>\n<li><code>sudo passwd anna<\/code><\/li>\n<li><code>su - anna<\/code><\/li>\n<li><code>openssl genrsa -out anna.key 2048<\/code># generates the private key<\/li>\n<li><code>openssl req -new -key anna.key -out anna.csr -subj \"\/CN=anna\/O=k8s\" <\/code># creates the certificate signing request; CN becomes the Kubernetes user name, O the group<\/li>\n<li><code>sudo openssl x509 -req -in anna.csr -CA \/etc\/kubernetes\/pki\/ca.crt -CAkey \/etc\/kubernetes\/pki\/ca.key -CAcreateserial -out anna.crt -days 1800<\/code> # the Kubernetes CA needs to sign the signing request<\/li>\n<\/ul>\n<pre class=\"lang:default decode:true\">[root@k8s cka]# useradd -m -G wheel -s \/bin\/bash anna\r\n\r\n[root@k8s cka]# passwd anna\r\n\r\n[root@k8s cka]# su - anna\r\n\r\n[anna@k8s ~]$ openssl genrsa -out anna.key 2048\r\nGenerating RSA private key, 2048 bit long modulus (2 primes)\r\n......................+++++\r\n...........+++++\r\ne is 65537 (0x010001)\r\n\r\n[anna@k8s ~]$ openssl req -new -key anna.key -out anna.csr -subj \"\/CN=anna\/O=k8s\"\r\n\r\n[anna@k8s ~]$ sudo openssl x509 -req -in anna.csr -CA \/root\/.minikube\/ca.crt -CAkey \/root\/.minikube\/ca.key -CAcreateserial -out anna.crt -days 1800\r\nSignature ok\r\nsubject=CN = anna, O = k8s\r\nGetting CA Private Key\r\n[anna@k8s ~]$ ll\r\nrazem 12\r\n-rw-r--r-- 1 root root 1005 02-13 02:48 anna.crt\r\n-rw-rw-r-- 1 anna anna  903 02-13 02:41 anna.csr\r\n-rw------- 1 anna anna 1675 02-13 02:37 anna.key\r\n\r\n<\/pre>\n<p>Step 3: Update the Kubernetes Credentials Files for the new user<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><code>mkdir \/home\/anna\/.kube<\/code><\/li>\n<li><code>sudo cp -i \/etc\/kubernetes\/admin.conf \/home\/anna\/.kube\/config<\/code><\/li>\n<li><code>sudo chown -R anna:anna \/home\/anna\/.kube<\/code><\/li>\n<li><code>kubectl config set-credentials anna --client-certificate=\/home\/anna\/anna.crt --client-key=\/home\/anna\/anna.key<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Note that the copied file still carries the administrator&#8217;s own user entry: on a kubeadm cluster admin.conf embeds the cluster-admin client certificate inline, and the minikube copy in the session below keeps the paths to the admin client certificate. Delete that user entry and its context from the copy (or build the file from scratch with <code>kubectl config set-cluster<\/code> and <code>kubectl config set-credentials<\/code>) so that the new user holds only their own key pair.<\/p>\n<pre class=\"lang:default decode:true\">[anna@k8s ~]$ mkdir \/home\/anna\/.kube\r\n\r\n[anna@k8s ~]$ sudo cp -i \/root\/.kube\/config \/home\/anna\/.kube\/config\r\n\r\n[anna@k8s ~]$ cat \/home\/anna\/.kube\/config\r\ncat: \/home\/anna\/.kube\/config: Brak dost\u0119pu\r\n\r\n[anna@k8s ~]$ sudo chown -R anna:anna \/home\/anna\/.kube\r\n\r\n[anna@k8s ~]$ cat \/home\/anna\/.kube\/config\r\napiVersion: v1\r\nclusters:\r\n- cluster:\r\n    certificate-authority: \/root\/.minikube\/ca.crt\r\n    extensions:\r\n    - extension:\r\n        last-update: Thu, 01 Feb 2024 15:18:33 
EST\r\n        provider: minikube.sigs.k8s.io\r\n        version: v1.32.0\r\n      name: cluster_info\r\n    server: https:\/\/172.30.9.24:8443\r\n  name: minikube\r\ncontexts:\r\n- context:\r\n    cluster: minikube\r\n    extensions:\r\n    - extension:\r\n        last-update: Thu, 01 Feb 2024 15:18:33 EST\r\n        provider: minikube.sigs.k8s.io\r\n        version: v1.32.0\r\n      name: context_info\r\n    namespace: default\r\n    user: minikube\r\n  name: minikube\r\ncurrent-context: minikube\r\nkind: Config\r\npreferences: {}\r\nusers:\r\n- name: minikube\r\n  user:\r\n    client-certificate: \/root\/.minikube\/profiles\/minikube\/client.crt\r\n    client-key: \/root\/.minikube\/profiles\/minikube\/client.key\r\n\r\n[anna@k8s ~]$ kubectl config set-credentials anna --client-certificate=\/home\/anna\/anna.crt --client-key=\/home\/anna\/anna.key\r\nUser \"anna\" set.\r\n<\/pre>\n<p>Step 4: Create a Default Context for the new user<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><code>kubectl config set-context anna-context --cluster=kubernetes \\<\/code><br \/>\n<code>--namespace=staff --user=anna<\/code><\/li>\n<li><code>kubectl config use-context anna-context <\/code># will set the context permanently<\/li>\n<li><code>kubectl get pods <\/code># will fail as no RBAC has been configured yet; an RBAC denial shows up as a Forbidden response from the API server. The connection refused to localhost:8080 in the session below is a different failure: the context names a cluster called kubernetes, which this kubeconfig does not define (it only has minikube), so kubectl falls back to its default server address. The cluster name in <code>--cluster=<\/code> must match an entry under <code>clusters:<\/code><\/li>\n<li><code>kubectl config get-contexts<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre class=\"lang:default decode:true\">[anna@k8s ~]$ kubectl config set-context anna-context --cluster=kubernetes \\\r\n&gt; --namespace=staff --user=anna\r\nContext \"anna-context\" created.\r\n\r\n[anna@k8s ~]$ kubectl config use-context anna-context\r\nSwitched to context \"anna-context\".\r\n\r\n[anna@k8s ~]$ kubectl get pods\r\nE0213 09:10:46.316963 3073343 memcache.go:265] couldn't get current server API group list: Get \"http:\/\/localhost:8080\/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\r\nE0213 09:10:46.317618 3073343 memcache.go:265] couldn't get 
current server API group list: Get \"http:\/\/localhost:8080\/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\r\nE0213 09:10:46.320139 3073343 memcache.go:265] couldn't get current server API group list: Get \"http:\/\/localhost:8080\/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\r\nE0213 09:10:46.320876 3073343 memcache.go:265] couldn't get current server API group list: Get \"http:\/\/localhost:8080\/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\r\nE0213 09:10:46.322639 3073343 memcache.go:265] couldn't get current server API group list: Get \"http:\/\/localhost:8080\/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\r\nThe connection to the server localhost:8080 was refused - did you specify the right host or port?\r\n\r\n[anna@k8s ~]$ kubectl config get-contexts\r\nCURRENT   NAME           CLUSTER      AUTHINFO   NAMESPACE\r\n*         anna-context   kubernetes   anna       staff\r\n          minikube       minikube     minikube   default\r\n<\/pre>\n<p>Step 5: Configure RBAC to define a staff role<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><code>su - student<\/code><\/li>\n<li><code>vim staff-role.yaml<\/code><\/li>\n<li><code>kubectl apply -f staff-role.yaml<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Step 6: Bind a user to the new role<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><code>vim rolebind.yaml<\/code><\/li>\n<li><code>kubectl apply -f rolebind.yaml<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Step 7: Test it<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><code>su - anna; kubectl config view<\/code><\/li>\n<li><code>kubectl create deployment nginx --image=nginx<\/code><\/li>\n<li><code>kubectl get pods<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre class=\"lang:default decode:true\">[anna@k8s ~]$ su -\r\nHas\u0142o:\r\n[root@k8s ~]# cd cka\r\n\r\n[root@k8s cka]# cat staff-role.yaml\r\nkind: Role\r\napiVersion: 
rbac.authorization.k8s.io\/v1\r\nmetadata:\r\n  namespace: staff\r\n  name: staff\r\nrules:\r\n- apiGroups: [\"\", \"extensions\", \"apps\"]\r\n  resources: [\"deployments\", \"replicasets\", \"pods\"]\r\n  verbs: [\"list\", \"get\", \"watch\", \"create\", \"update\", \"patch\", \"delete\"]\r\n\r\n[root@k8s cka]# kubectl apply -f staff-role.yaml\r\nrole.rbac.authorization.k8s.io\/staff created\r\n\r\n[root@k8s cka]# cat rolebind.yaml\r\nkind: RoleBinding\r\napiVersion: rbac.authorization.k8s.io\/v1\r\nmetadata:\r\n  name: staff-role-binding\r\n  namespace: staff\r\nsubjects:\r\n- kind: User\r\n  name: anna\r\n  apiGroup: \"\"\r\nroleRef:\r\n  kind: Role\r\n  name: staff\r\n  apiGroup: \"\"\r\n[root@k8s cka]# kubectl apply -f rolebind.yaml\r\n\r\nrolebinding.rbac.authorization.k8s.io\/staff-role-binding created\r\n\r\n[root@k8s cka]# su - anna\r\n\r\n[anna@k8s ~]$ kubectl config view\r\napiVersion: v1\r\nclusters:\r\n- cluster:\r\n    certificate-authority: \/root\/.minikube\/ca.crt\r\n    extensions:\r\n    - extension:\r\n        last-update: Thu, 01 Feb 2024 15:18:33 EST\r\n        provider: minikube.sigs.k8s.io\r\n        version: v1.32.0\r\n      name: cluster_info\r\n    server: https:\/\/172.30.9.24:8443\r\n  name: minikube\r\ncontexts:\r\n- context:\r\n    cluster: kubernetes\r\n    namespace: staff\r\n    user: anna\r\n  name: anna-context\r\n- context:\r\n    cluster: minikube\r\n    extensions:\r\n    - extension:\r\n        last-update: Thu, 01 Feb 2024 15:18:33 EST\r\n        provider: minikube.sigs.k8s.io\r\n        version: v1.32.0\r\n      name: context_info\r\n    namespace: default\r\n    user: minikube\r\n  name: minikube\r\ncurrent-context: anna-context\r\nkind: Config\r\npreferences: {}\r\nusers:\r\n- name: anna\r\n  user:\r\n    client-certificate: \/home\/anna\/anna.crt\r\n    client-key: \/home\/anna\/anna.key\r\n- name: minikube\r\n  user:\r\n    client-certificate: \/root\/.minikube\/profiles\/minikube\/client.crt\r\n    client-key: 
\/root\/.minikube\/profiles\/minikube\/client.key\r\n\r\n[anna@k8s ~]$ kubectl create deployment anna-nginx --image=nginx\r\nerror: failed to create deployment: Post \"http:\/\/localhost:8080\/apis\/apps\/v1\/namespaces\/staff\/deployments?fieldManager=kubectl-create&amp;fieldValidation=Strict\": dial tcp [::1]:8080: connect: connection refused\r\n\r\n[anna@k8s ~]$ kubectl get pods\r\nE0213 09:19:59.430111 3075089 memcache.go:265] couldn't get current server API group list: Get \"http:\/\/localhost:8080\/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\r\nE0213 09:19:59.430951 3075089 memcache.go:265] couldn't get current server API group list: Get \"http:\/\/localhost:8080\/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\r\nE0213 09:19:59.432926 3075089 memcache.go:265] couldn't get current server API group list: Get \"http:\/\/localhost:8080\/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\r\nE0213 09:19:59.433568 3075089 memcache.go:265] couldn't get current server API group list: Get \"http:\/\/localhost:8080\/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\r\nE0213 09:19:59.435507 3075089 memcache.go:265] couldn't get current server API group list: Get \"http:\/\/localhost:8080\/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\r\nThe connection to the server localhost:8080 was refused - did you specify the right host or port?\r\n[anna@k8s ~]$ mc\r\n\r\n[anna@k8s .kube]$ ll\r\nrazem 4\r\n-rw------- 1 anna anna 1002 02-13 09:10 config\r\n[anna@k8s .kube]$ cd ..\r\n[anna@k8s ~]$ ll\r\nrazem 12\r\n-rw-r--r-- 1 root root 1005 02-13 08:49 anna.crt\r\n-rw-rw-r-- 1 anna anna  903 02-13 02:41 anna.csr\r\n-rw------- 1 anna anna 1675 02-13 02:37 anna.key\r\n[anna@k8s ~]$ pwd\r\n\/home\/anna\r\n<\/pre>\n<p>Step 8: Create a View-only Role<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><code>su - student<\/code><\/li>\n<li><code>vim 
students-role.yaml<\/code><\/li>\n<li><code>vim rolebindstudents.yaml<\/code><\/li>\n<li><code>kubectl apply -f students-role.yaml<\/code><\/li>\n<li><code>kubectl apply -f rolebindstudents.yaml<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre class=\"lang:default decode:true\">[anna@k8s ~]$ sudo -i\r\n[root@k8s ~]# mc\r\n\r\n[root@k8s ~]#\r\n[root@k8s ~]# cd cka\r\n[root@k8s cka]# cat students-role.yaml\r\nkind: Role\r\napiVersion: rbac.authorization.k8s.io\/v1\r\nmetadata:\r\n  namespace: default\r\n  name: students\r\nrules:\r\n- apiGroups: [\"\", \"extensions\", \"apps\"]\r\n  resources: [\"deployments\", \"replicasets\", \"pods\"]\r\n  verbs: [\"list\", \"get\", \"watch\"]\r\n\r\n[root@k8s cka]# cat rolebindstudent.yaml\r\ncat: rolebindstudent.yaml: Nie ma takiego pliku ani katalogu\r\n[root@k8s cka]# cat rolebindstudents.yaml\r\nkind: RoleBinding\r\napiVersion: rbac.authorization.k8s.io\/v1\r\nmetadata:\r\n  name: students-role-binding\r\n  namespace: default\r\nsubjects:\r\n- kind: User\r\n  name: anna\r\n  apiGroup: \"\"\r\nroleRef:\r\n  kind: Role\r\n  name: students\r\n  apiGroup: \"\"\r\n[root@k8s cka]# kubectl apply -f students-role.yaml\r\nrole.rbac.authorization.k8s.io\/students created\r\n[root@k8s cka]# kubectl apply -f rolebindstudents.yaml\r\nrolebinding.rbac.authorization.k8s.io\/students-role-binding created\r\n[root@k8s cka]#\r\n[root@k8s cka]# su - anna\r\n[anna@k8s ~]$ kubectl get pods - default\r\n<\/pre>\n<p><span style=\"color: #3366ff;\">Lab: Managing Security<\/span><\/p>\n<ul>\n<li>Create a Role that allows for viewing of pods in the default namespace<\/li>\n<li>Configure a RoleBinding that allows all authenticated users to use this role<\/li>\n<\/ul>\n<pre class=\"lang:default decode:true \">[root@k8s cka]# kubectl create role -h\r\nCreate a role with single rule.\r\n\r\nExamples:\r\n  # Create a role named \"pod-reader\" that allows user to perform \"get\", \"watch\" and \"list\" on pods\r\n  kubectl create role pod-reader --verb=get 
--verb=list --verb=watch --resource=pods\r\n\r\n  # Create a role named \"pod-reader\" with ResourceName specified\r\n  kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod\r\n\r\n  # Create a role named \"foo\" with API Group specified\r\n  kubectl create role foo --verb=get,list,watch --resource=rs.apps\r\n\r\n  # Create a role named \"foo\" with SubResource specified\r\n  kubectl create role foo --verb=get,list,watch --resource=pods,pods\/status\r\n\r\nOptions:\r\n    --allow-missing-template-keys=true:\r\n        If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to\r\n        golang and jsonpath output formats.\r\n\r\n    --dry-run='none':\r\n        Must be \"none\", \"server\", or \"client\". If client strategy, only print the object that would be sent, without\r\n        sending it. If server strategy, submit server-side request without persisting the resource.\r\n\r\n    --field-manager='kubectl-create':\r\n        Name of the manager used to track field ownership.\r\n\r\n    -o, --output='':\r\n        Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath,\r\n        jsonpath-as-json, jsonpath-file).\r\n\r\n    --resource=[]:\r\n        Resource that the rule applies to\r\n\r\n    --resource-name=[]:\r\n        Resource in the white list that the rule applies to, repeat this flag for multiple items\r\n\r\n    --save-config=false:\r\n        If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will\r\n        be unchanged. 
This flag is useful when you want to perform kubectl apply on this object in the future.\r\n\r\n    --show-managed-fields=false:\r\n        If true, keep the managedFields when printing objects in JSON or YAML format.\r\n\r\n    --template='':\r\n        Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format\r\n        is golang templates [http:\/\/golang.org\/pkg\/text\/template\/#pkg-overview].\r\n\r\n    --validate='strict':\r\n        Must be one of: strict (or true), warn, ignore (or false).              \"true\" or \"strict\" will use a schema to validate\r\n        the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation\r\n        is enabled on the api-server, but will fall back to less reliable client-side validation if not.                \"warn\" will\r\n        warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled\r\n        on the API server, and behave as \"ignore\" otherwise.            
\"false\" or \"ignore\" will not perform any schema\r\n        validation, silently dropping any unknown or duplicate fields.\r\n\r\n    --verb=[]:\r\n        Verb that applies to the resources contained in the rule\r\n\r\nUsage:\r\n  kubectl create role NAME --verb=verb --resource=resource.group\/subresource [--resource-name=resourcename]\r\n[--dry-run=server|client|none] [options]\r\n\r\nUse \"kubectl options\" for a list of global command-line options (applies to all commands).\r\n[root@k8s cka]#\r\n[root@k8s cka]#\r\n[root@k8s cka]#\r\n[root@k8s cka]#\r\n[root@k8s cka]#\r\n[root@k8s cka]#  kubectl create role defaultpodviewer --verb=get --verb=list --verb=watch --resource=pods -n default\r\nrole.rbac.authorization.k8s.io\/defaultpodviewer created\r\n[root@k8s cka]# kubectl clusterrolebindings\r\nerror: unknown command \"clusterrolebindings\" for \"kubectl\"\r\n[root@k8s cka]# kubectl get clusterrolebindings\r\nNAME                                                   ROLE                                                                               AGE\r\ncluster-admin                                          ClusterRole\/cluster-admin                                                          13d\r\ningress-nginx                                          ClusterRole\/ingress-nginx                                                          11d\r\nkubeadm:get-nodes                                      ClusterRole\/kubeadm:get-nodes                                                      13d\r\nkubeadm:kubelet-bootstrap                              ClusterRole\/system:node-bootstrapper                                               13d\r\nkubeadm:node-autoapprove-bootstrap                     ClusterRole\/system:certificates.k8s.io:certificatesigningrequests:nodeclient       13d\r\nkubeadm:node-autoapprove-certificate-rotation          ClusterRole\/system:certificates.k8s.io:certificatesigningrequests:selfnodeclient   13d\r\nkubeadm:node-proxier                               
    ClusterRole\/system:node-proxier                                                    13d\r\nkubernetes-dashboard                                   ClusterRole\/cluster-admin                                                          11d\r\nmetrics-server:system:auth-delegator                   ClusterRole\/system:auth-delegator                                                  9d\r\nminikube-rbac                                          ClusterRole\/cluster-admin                                                          13d\r\nstorage-provisioner                                    ClusterRole\/system:persistent-volume-provisioner                                   13d\r\nsystem:basic-user                                      ClusterRole\/system:basic-user                                                      13d\r\nsystem:controller:attachdetach-controller              ClusterRole\/system:controller:attachdetach-controller                              13d\r\nsystem:controller:certificate-controller               ClusterRole\/system:controller:certificate-controller                               13d\r\nsystem:controller:clusterrole-aggregation-controller   ClusterRole\/system:controller:clusterrole-aggregation-controller                   13d\r\nsystem:controller:cronjob-controller                   ClusterRole\/system:controller:cronjob-controller                                   13d\r\nsystem:controller:daemon-set-controller                ClusterRole\/system:controller:daemon-set-controller                                13d\r\nsystem:controller:deployment-controller                ClusterRole\/system:controller:deployment-controller                                13d\r\nsystem:controller:disruption-controller                ClusterRole\/system:controller:disruption-controller                                13d\r\nsystem:controller:endpoint-controller                  ClusterRole\/system:controller:endpoint-controller                                  
13d\r\nsystem:controller:endpointslice-controller             ClusterRole\/system:controller:endpointslice-controller                             13d\r\nsystem:controller:endpointslicemirroring-controller    ClusterRole\/system:controller:endpointslicemirroring-controller                    13d\r\nsystem:controller:ephemeral-volume-controller          ClusterRole\/system:controller:ephemeral-volume-controller                          13d\r\nsystem:controller:expand-controller                    ClusterRole\/system:controller:expand-controller                                    13d\r\nsystem:controller:generic-garbage-collector            ClusterRole\/system:controller:generic-garbage-collector                            13d\r\nsystem:controller:horizontal-pod-autoscaler            ClusterRole\/system:controller:horizontal-pod-autoscaler                            13d\r\nsystem:controller:job-controller                       ClusterRole\/system:controller:job-controller                                       13d\r\nsystem:controller:namespace-controller                 ClusterRole\/system:controller:namespace-controller                                 13d\r\nsystem:controller:node-controller                      ClusterRole\/system:controller:node-controller                                      13d\r\nsystem:controller:persistent-volume-binder             ClusterRole\/system:controller:persistent-volume-binder                             13d\r\nsystem:controller:pod-garbage-collector                ClusterRole\/system:controller:pod-garbage-collector                                13d\r\nsystem:controller:pv-protection-controller             ClusterRole\/system:controller:pv-protection-controller                             13d\r\nsystem:controller:pvc-protection-controller            ClusterRole\/system:controller:pvc-protection-controller                            13d\r\nsystem:controller:replicaset-controller                
ClusterRole\/system:controller:replicaset-controller                                13d\r\nsystem:controller:replication-controller               ClusterRole\/system:controller:replication-controller                               13d\r\nsystem:controller:resourcequota-controller             ClusterRole\/system:controller:resourcequota-controller                             13d\r\nsystem:controller:root-ca-cert-publisher               ClusterRole\/system:controller:root-ca-cert-publisher                               13d\r\nsystem:controller:route-controller                     ClusterRole\/system:controller:route-controller                                     13d\r\nsystem:controller:service-account-controller           ClusterRole\/system:controller:service-account-controller                           13d\r\nsystem:controller:service-controller                   ClusterRole\/system:controller:service-controller                                   13d\r\nsystem:controller:statefulset-controller               ClusterRole\/system:controller:statefulset-controller                               13d\r\nsystem:controller:ttl-after-finished-controller        ClusterRole\/system:controller:ttl-after-finished-controller                        13d\r\nsystem:controller:ttl-controller                       ClusterRole\/system:controller:ttl-controller                                       13d\r\nsystem:coredns                                         ClusterRole\/system:coredns                                                         13d\r\nsystem:discovery                                       ClusterRole\/system:discovery                                                       13d\r\nsystem:kube-controller-manager                         ClusterRole\/system:kube-controller-manager                                         13d\r\nsystem:kube-dns                                        ClusterRole\/system:kube-dns                                                        
13d\r\nsystem:kube-scheduler                                  ClusterRole\/system:kube-scheduler                                                  13d\r\nsystem:metrics-server                                  ClusterRole\/system:metrics-server                                                  9d\r\nsystem:monitoring                                      ClusterRole\/system:monitoring                                                      13d\r\nsystem:node                                            ClusterRole\/system:node                                                            13d\r\nsystem:node-proxier                                    ClusterRole\/system:node-proxier                                                    13d\r\nsystem:public-info-viewer                              ClusterRole\/system:public-info-viewer                                              13d\r\nsystem:service-account-issuer-discovery                ClusterRole\/system:service-account-issuer-discovery                                13d\r\nsystem:volume-scheduler                                ClusterRole\/system:volume-scheduler                                                13d\r\n[root@k8s cka]#\r\n[root@k8s cka]# kubectl get pods --as system:basic-user\r\nError from server (Forbidden): pods is forbidden: User \"system:basic-user\" cannot list resource \"pods\" in API group \"\" in the namespace \"default\"\r\n[root@k8s cka]# kubectl create rolebinding defaultpodviewer --role=defaultpodviewer --user=system:basic-user -n default\r\nrolebinding.rbac.authorization.k8s.io\/defaultpodviewer created\r\n[root@k8s cka]#\r\n[root@k8s cka]# kubectl get pods --as system:basic-user\r\nNAME                           READY   STATUS    RESTARTS          AGE\r\nbusybox-6fc6c44c5b-xmmxd       1\/1     Running   146 (32m ago)     6d9h\r\ndeploydaemon-zzllp             1\/1     Running   0                 11d\r\nfirstnginx-d8679d567-249g9     1\/1     Running   0                 
13d\r\nfirstnginx-d8679d567-66c4s     1\/1     Running   0                 13d\r\nfirstnginx-d8679d567-72qbd     1\/1     Running   0                 13d\r\nfirstnginx-d8679d567-rhhlz     1\/1     Running   0                 12d\r\nlab4-pod                       1\/1     Running   0                 11d\r\nmorevol                        2\/2     Running   554 (7m19s ago)   11d\r\nmydaemon-z7g9c                 1\/1     Running   0                 6d7h\r\nmypod                          1\/1     Running   21 (32m ago)      27h\r\nmysapod                        1\/1     Running   21 (7m6s ago)     27h\r\nmystaticpod-k8s.netico.pl      1\/1     Running   0                 9d\r\nnginx-taint-68bd5db674-7skqs   1\/1     Running   0                 7d10h\r\nnginx-taint-68bd5db674-vjq89   1\/1     Running   0                 7d10h\r\nnginx-taint-68bd5db674-vqz2z   1\/1     Running   0                 7d10h\r\nnginxsvc-5f8b7d4f4d-dtrs7      1\/1     Running   0                 11d\r\npv-pod                         1\/1     Running   0                 11d\r\nsecurity-context-demo          1\/1     Running   117 (9m13s ago)   5d3h\r\nsleepybox1                     1\/1     Running   143 (8m36s ago)   6d5h\r\nsleepybox2                     1\/1     Running   143 (8m34s ago)   6d5h\r\nwebserver-76d44586d-8gqhf      1\/1     Running   0                 11d\r\nwebshop-7f9fd49d4c-92nj2       1\/1     Running   0                 11d\r\nwebshop-7f9fd49d4c-kqllw       1\/1     Running   0                 11d\r\nwebshop-7f9fd49d4c-x2czc       1\/1     Running   0                 
11d\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":5939,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[99,49],"tags":[],"_links":{"self":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/5428"}],"collection":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/comments?post=5428"}],"version-history":[{"count":37,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/5428\/revisions"}],"predecessor-version":[{"id":5471,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/5428\/revisions\/5471"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/media\/5939"}],"wp:attachment":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/media?parent=5428"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/categories?post=5428"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/tags?post=5428"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}