RBAC Authorization

RBAC Authorization is one way to assign roles to users in a Kubernetes cluster.

Allocate user roles

  1. Enable Service Account Token; without it, every role change requires downloading a new kubeconfig.

  2. Assign roles.
    An example manifest that creates two namespaces and two users (service accounts), each of which can only read pods (get, list, watch) in its own namespace:

    apiVersion: v1
    kind: Namespace
    metadata:
      name: test-one
    ---
    apiVersion: v1
    kind: Namespace
    metadata:
      name: test-two
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: read-pods-one
      namespace: test-one
    subjects:
    - kind: ServiceAccount
      name: test-sa-one
      apiGroup: ""
    roleRef:
      kind: Role
      name: pod-reader-one
      apiGroup: rbac.authorization.k8s.io
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: read-pods-two
      namespace: test-two
    subjects:
    - kind: ServiceAccount
      name: test-sa-two
      apiGroup: ""
    roleRef:
      kind: Role
      name: pod-reader-two
      apiGroup: rbac.authorization.k8s.io
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: test-one
      name: pod-reader-one
    rules:
    - apiGroups: [""] # "" indicates the core API group
      resources: ["pods"]
      verbs: ["get", "watch", "list"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: test-two
      name: pod-reader-two
    rules:
    - apiGroups: [""] # "" indicates the core API group
      resources: ["pods"]
      verbs: ["get", "watch", "list"]
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      namespace: test-one
      name: test-sa-one
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      namespace: test-two
      name: test-sa-two
  3. Apply the manifest to the cluster.

  4. Create tokens:

    kubectl get secret $(kubectl get serviceaccount test-sa-one -o jsonpath='{.secrets[0].name}' --namespace test-one) -o jsonpath='{.data.token}' --namespace test-one | base64 -d
    <long and secure token for test-sa-one>

    kubectl get secret $(kubectl get serviceaccount test-sa-two -o jsonpath='{.secrets[0].name}' --namespace test-two) -o jsonpath='{.data.token}' --namespace test-two | base64 -d
    <long and secure token for test-sa-two>
  5. Manually add the tokens as users in the kubeconfig.yaml file, so that kubectl authenticates with a token instead of a password:

    users:
    ...
    - name: test-sa-one
      user:
        token: <long and secure token for test-sa-one>
    - name: test-sa-two
      user:
        token: <long and secure token for test-sa-two>
    ...
  6. Check the operation of the role assignment:

    kubectl config set-context --current --user=test-sa-two
    Context "admin@kubernetes" modified.

    kubectl get pods --namespace test-two
    No resources found in test-two namespace.

    kubectl get pods --namespace test-one
    Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:test-two:test-sa-two" cannot list resource "pods" in API group "" in the namespace "test-one"

    kubectl config set-context --current --user=test-sa-one
    Context "admin@kubernetes" modified.

    kubectl get pods --namespace test-two
    Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:test-one:test-sa-one" cannot list resource "pods" in API group "" in the namespace "test-two"

    kubectl get pods --namespace test-one
    No resources found in test-one namespace.

    The test-sa-two user can now list pods in the test-two namespace and is refused in test-one; test-sa-one has the opposite access. The Forbidden errors name the service account as the API server sees it (system:serviceaccount:<namespace>:<name>), which is the identity the RoleBinding subjects are matched against.
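    As an added example (not part of this page, and not Kubernetes code), the script below replays the check from step 6 without a cluster: it models how the API server's RBAC authorizer resolves a request against the page's Roles and RoleBindings, and flattens the bindings into the same kind of permission list `kubectl auth can-i --list` would show for each account. The manifest objects are transcribed by hand into the dict shape `kubectl get <kind> -o json` returns; the `Request`, `authorize` and `effective_permissions` names are the example's own. The rules it applies are the documented RBAC semantics: access is denied unless some RoleBinding in the request's namespace names the subject and references a Role whose rule covers the verb, resource and API group; a ServiceAccount subject with no `namespace` field is resolved in the binding's namespace; a RoleBinding whose roleRef does not resolve grants nothing.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed input: the page's Roles, RoleBindings and ServiceAccount names,
# transcribed into the dict shape `kubectl get <kind> -o json` returns.
MANIFEST = [
    {"kind": "Role", "metadata": {"namespace": "test-one", "name": "pod-reader-one"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "Role", "metadata": {"namespace": "test-two", "name": "pod-reader-two"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "test-one", "name": "read-pods-one"},
     "subjects": [{"kind": "ServiceAccount", "name": "test-sa-one", "apiGroup": ""}],
     "roleRef": {"kind": "Role", "name": "pod-reader-one", "apiGroup": "rbac.authorization.k8s.io"}},
    {"kind": "RoleBinding", "metadata": {"namespace": "test-two", "name": "read-pods-two"},
     "subjects": [{"kind": "ServiceAccount", "name": "test-sa-two", "apiGroup": ""}],
     "roleRef": {"kind": "Role", "name": "pod-reader-two", "apiGroup": "rbac.authorization.k8s.io"}},
]


@dataclass(frozen=True)
class Request:
    """One API request, as the authorizer sees it (example type, not a k8s API)."""
    user: str           # e.g. system:serviceaccount:test-two:test-sa-two
    verb: str           # get, list, watch, delete, ...
    resource: str       # pods, secrets, ...
    namespace: str
    api_group: str = ""  # "" is the core API group


def service_account_user(namespace: str, name: str) -> str:
    """Username the API server derives from a ServiceAccount token."""
    return f"system:serviceaccount:{namespace}:{name}"


def _subject_matches(subject: dict, binding_ns: str, user: str) -> bool:
    # Only ServiceAccount subjects appear in the page's manifest. A subject
    # without an explicit namespace is resolved in the binding's namespace.
    if subject.get("kind") != "ServiceAccount":
        return False
    sa_ns = subject.get("namespace") or binding_ns
    return user == service_account_user(sa_ns, subject["name"])


def _rule_matches(rule: dict, req: Request) -> bool:
    def hit(field: str, want: str) -> bool:
        values = rule.get(field, [])
        return "*" in values or want in values
    return hit("apiGroups", req.api_group) and hit("resources", req.resource) and hit("verbs", req.verb)


def _grants(objects: list[dict]):
    """Yield (namespace, binding, role) for every RoleBinding whose roleRef
    resolves to a Role in the same namespace. A dangling roleRef yields
    nothing, so a binding to a missing Role is inert rather than permissive."""
    roles = {(o["metadata"]["namespace"], o["metadata"]["name"]): o
             for o in objects if o["kind"] == "Role"}
    for b in objects:
        if b["kind"] != "RoleBinding" or b["roleRef"]["kind"] != "Role":
            continue
        ns = b["metadata"]["namespace"]
        role = roles.get((ns, b["roleRef"]["name"]))
        if role is not None:
            yield ns, b, role


def authorize(objects: list[dict], req: Request) -> tuple[bool, str]:
    """Deny by default; allow only when a binding in the request's namespace
    names the user and references a Role whose rule covers the request."""
    for ns, binding, role in _grants(objects):
        if ns != req.namespace:
            continue  # a RoleBinding never reaches outside its own namespace
        if not any(_subject_matches(s, ns, req.user) for s in binding.get("subjects", [])):
            continue
        if any(_rule_matches(r, req) for r in role.get("rules", [])):
            return True, f"allowed by RoleBinding {ns}/{binding['metadata']['name']}"
    return False, (f'{req.user} cannot {req.verb} resource "{req.resource}" '
                   f'in API group "{req.api_group}" in the namespace "{req.namespace}"')


def effective_permissions(objects: list[dict]) -> set[tuple[str, str, str, str, str]]:
    """Flatten every binding into (user, namespace, apiGroup, resource, verb):
    an offline stand-in for running `kubectl auth can-i --list` per account."""
    out = set()
    for ns, binding, role in _grants(objects):
        for s in binding.get("subjects", []):
            if s.get("kind") != "ServiceAccount":
                continue
            user = service_account_user(s.get("namespace") or ns, s["name"])
            for rule in role.get("rules", []):
                for g in rule.get("apiGroups", []):
                    for r in rule.get("resources", []):
                        for v in rule.get("verbs", []):
                            out.add((user, ns, g, r, v))
    return out


if __name__ == "__main__":
    # Replay the page's verification step: each account against both namespaces.
    for sa_ns, name in (("test-two", "test-sa-two"), ("test-one", "test-sa-one")):
        for target in ("test-two", "test-one"):
            ok, why = authorize(MANIFEST, Request(service_account_user(sa_ns, name), "list", "pods", target))
            print(f"{name} list pods in {target}: {'ALLOWED' if ok else 'FORBIDDEN'} ({why})")
    for grant in sorted(effective_permissions(MANIFEST)):
        print("grant:", grant)
```

    Running it prints ALLOWED for each account in its own namespace and FORBIDDEN in the other, with the same wording the page's kubectl output shows, followed by the six (account, namespace, group, resource, verb) grants the manifest actually confers. Review that flattened list before applying a manifest: anything beyond get/list/watch on pods, or any grant that lands in the wrong namespace, means the binding is wider than intended.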