Question
Generate a new certificate for user ellasmith and set up a context for her.
Create a ClusterRole with the name service-view to the API resources services with the operations get and list.
Create the RoleBinding named ellasmith-service-view in the development namespace. Map the user ellasmith to the ClusterRole service-view.
Create a ClusterRole with the name combined. Aggregate cluster roles based on the matching label key-value pair rbac.cka.cncf.com/aggregate: "true".
Render the selected rules of the ClusterRole combined. How many rules do you see?
Create a ClusterRole with the name deployment-modify to the API resources deployments with the operations create, delete, patch, update. Assign the label key-value pair rbac.cka.cncf.com/aggregate: "true".
Render the selected rules of the ClusterRole combined. How many rules do you see?
Run a command to figure out if the user ellasmith can list Services in the namespace development. Write the output of the command to the file list-services-ellasmith.txt. The output is either "no" or "yes."
Run a command to figure out if the user ellasmith can watch Deployments in the namespace production. Write the output of the command to the file watch-deployments-ellasmith.txt. The output is either "no" or "yes."
Answer
Generate a new certificate for user ellasmith and set up a context for her. The certificate is signed directly with the cluster CA, so these commands have to run where /etc/kubernetes/pki/ca.key is readable (normally the control plane node); the CN becomes the username and the O becomes a group name:
mkdir cert && cd cert
openssl genrsa -out ellasmith.key 2048
openssl req -new -key ellasmith.key -out ellasmith.csr -subj "/CN=ellasmith/O=cka-study-guide"
openssl x509 -req -in ellasmith.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ellasmith.crt -days 364
kubectl config set-credentials ellasmith --client-certificate=ellasmith.crt --client-key=ellasmith.key
kubectl config set-context ellasmith-context --cluster=kubernetes --user=ellasmith
Create the namespace development:
kubectl create namespace development
Create a ClusterRole imperatively:
kubectl create clusterrole service-view --resource=services --verb=get,list
Create the RoleBinding:
kubectl create rolebinding ellasmith-service-view --user=ellasmith --clusterrole=service-view -n development
Create aggregating ClusterRole:
kubectl create clusterrole combined --aggregation-rule="rbac.cka.cncf.com/aggregate=true"
Verify that the ClusterRole has been created and render its rules:
kubectl get clusterrole combined
kubectl describe clusterrole combined
The rules list is empty: no ClusterRole carries the label rbac.cka.cncf.com/aggregate: "true" yet, so the aggregation controller has nothing to select. So that the aggregated rules actually apply to ellasmith in the later checks, additionally bind her to the ClusterRole combined cluster-wide (this binding is not asked for in the question):
kubectl create clusterrolebinding ellasmith-service-view-crb --user=ellasmith --clusterrole=combined
Generate the manifest for the ClusterRole deployment-modify and write it to a file:
kubectl create clusterrole deployment-modify --verb=create,delete,patch,update --resource=deployments --dry-run=client -o yaml > cr.yaml
Adjust the manifest so that the label is set under metadata.labels (this is what the aggregation rule of combined selects on):
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.cka.cncf.com/aggregate: "true"
  name: deployment-modify
rules:
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
  - delete
  - patch
  - update
Create the ClusterRole from the YAML file:
kubectl apply -f cr.yaml
Verify:
kubectl get clusterrole deployment-modify
Rendering the rules of the ClusterRole combined now shows exactly one rule, the one defined by the ClusterRole deployment-modify; the aggregation controller copied it in because the label matches. Rules edited by hand on an aggregating ClusterRole are overwritten by the controller, so changes belong in the selected ClusterRoles:
kubectl describe clusterrole combined
Listing Services is allowed for the user ellasmith in the namespace development. This is taken care of by the RoleBinding ellasmith-service-view, which references the ClusterRole service-view but only grants it inside the development namespace:
kubectl auth can-i list services --as=ellasmith --namespace=development
kubectl auth can-i list services --as=ellasmith --namespace=development > list-services-ellasmith.txt
Watching Deployments is not allowed for the user ellasmith in the namespace production. The RoleBinding is scoped to development, and the ClusterRole deployment-modify reachable through the ClusterRoleBinding on combined only allows the verbs create, delete, patch and update, not watch; RBAC is allow-only, so no matching rule means "no":
kubectl auth can-i watch deployments --as=ellasmith --namespace=production
kubectl auth can-i watch deployments --as=ellasmith --namespace=production > watch-deployments-ellasmith.txt
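To see why the two checks come out as "yes" and "no", and why the rule count on combined goes from zero to one, the following offline model re-implements the part of RBAC evaluation this exercise depends on: label-based ClusterRole aggregation and the namespace scoping of a RoleBinding versus a ClusterRoleBinding. This is an added example, not code from the study guide or from Kubernetes; the object names mirror the exercise (including the ClusterRoleBinding ellasmith-service-view-crb created above), and the evaluation logic is a deliberately reduced re-implementation of what the API server's RBAC authorizer and the clusterrole-aggregation controller do, not their actual code.

```python
"""Offline model of the RBAC decisions behind the exercise above.
Added example (not Kubernetes code): aggregation by label selector and
the scope difference between RoleBinding and ClusterRoleBinding."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# API group each resource lives in; kubectl resolves this for you via discovery.
RESOURCE_GROUPS = {"services": "", "deployments": "apps"}


@dataclass
class ClusterRole:
    name: str
    rules: List[dict] = field(default_factory=list)        # {"apiGroups","resources","verbs"}
    labels: Dict[str, str] = field(default_factory=dict)
    aggregation_selector: Optional[Dict[str, str]] = None  # aggregationRule matchLabels


@dataclass
class Binding:
    name: str
    role: str                       # ClusterRole referenced in roleRef
    users: List[str]
    namespace: Optional[str] = None  # None -> ClusterRoleBinding, otherwise a RoleBinding


def aggregate(roles: List[ClusterRole]) -> None:
    """Mimic the clusterrole-aggregation controller: the rules of every
    aggregating ClusterRole become the union of the rules of all other
    ClusterRoles whose labels satisfy its selector. Anything written by hand
    into the aggregating role is discarded, as in a live cluster."""
    for target in roles:
        sel = target.aggregation_selector
        if sel is None:
            continue
        target.rules = [
            rule
            for src in roles
            if src is not target and all(src.labels.get(k) == v for k, v in sel.items())
            for rule in src.rules
        ]


def rule_count(roles: List[ClusterRole], name: str) -> int:
    """Number of rules `kubectl describe clusterrole <name>` would render."""
    return len(next(r for r in roles if r.name == name).rules)


def _rule_allows(rule: dict, group: str, resource: str, verb: str) -> bool:
    checks = (("apiGroups", group), ("resources", resource), ("verbs", verb))
    return all("*" in rule[key] or value in rule[key] for key, value in checks)


def can_i(user: str, verb: str, resource: str, namespace: str,
          roles: List[ClusterRole], bindings: List[Binding]) -> str:
    """Answer like `kubectl auth can-i <verb> <resource> --as=<user> -n <ns>`.
    RBAC is allow-only: one matching rule reachable through a binding that
    applies in this namespace means "yes"; nothing matching means "no"."""
    by_name = {r.name: r for r in roles}
    group = RESOURCE_GROUPS[resource]
    for b in bindings:
        if user not in b.users:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        if any(_rule_allows(rule, group, resource, verb) for rule in by_name[b.role].rules):
            return "yes"
    return "no"


def build_exercise(with_deployment_modify: bool):
    """Construct the objects from the exercise (constructed sample data),
    before or after the labelled ClusterRole deployment-modify exists."""
    roles = [
        ClusterRole("service-view",
                    rules=[{"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list"]}]),
        ClusterRole("combined", aggregation_selector={"rbac.cka.cncf.com/aggregate": "true"}),
    ]
    if with_deployment_modify:
        roles.append(ClusterRole(
            "deployment-modify",
            rules=[{"apiGroups": ["apps"], "resources": ["deployments"],
                    "verbs": ["create", "delete", "patch", "update"]}],
            labels={"rbac.cka.cncf.com/aggregate": "true"}))
    bindings = [
        Binding("ellasmith-service-view", "service-view", ["ellasmith"], namespace="development"),
        Binding("ellasmith-service-view-crb", "combined", ["ellasmith"]),
    ]
    aggregate(roles)
    return roles, bindings


if __name__ == "__main__":
    roles, bindings = build_exercise(with_deployment_modify=False)
    print("rules in combined before deployment-modify:", rule_count(roles, "combined"))
    roles, bindings = build_exercise(with_deployment_modify=True)
    print("rules in combined after deployment-modify:", rule_count(roles, "combined"))
    for verb, res, ns in [("list", "services", "development"), ("list", "services", "production"),
                          ("watch", "deployments", "production"), ("patch", "deployments", "production")]:
        print(f"can ellasmith {verb} {res} in {ns}? {can_i('ellasmith', verb, res, ns, roles, bindings)}")
```

The second list check (services in production) is the one worth noticing: the same ClusterRole that answers "yes" in development answers "no" in production, because the grant comes through a RoleBinding and a RoleBinding never reaches beyond its own namespace. The patch check shows the opposite effect of the ClusterRoleBinding on combined.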