Using Kubernetes RBAC for Creation of New User

The user that kubeadm creates when building a cluster has full access, allowing the creation and deletion of anything within the cluster.

In this post we will create a new user, salterje, which only has the ability to gather information about running Pods running within the default namespace of the cluster.

In order to do this a private key is generated which is used to generate a certificate signing request using the cluster Certificate Authority. This allows a suitable certificate to be generated for our new user.

We must then modify the default kubeconfig file to add the user's credentials along with a suitable context that will be used in place of the default kubernetes admin context.

The final step is the creation of a suitable role that only allows the viewing of Pods and for this we will create a role binding object linking the role to the newly created salterje user.

Creation of New User

The user that is to be created must first have a private key generated.

Creation of Private Key for User

openssl genrsa -out salterje.key 2048

Create a Certificate Signing Request

The next stage is to create a Certificate Signing Request using the Kubernetes CA and the newly generated private key.

openssl req -new -key salterje.key -out salterje.csr -subj "/CN=salterje/O=projects"

Use the Cluster CA and CA.key to Sign CSR

The generated CSR can now be signed by the cluster CA certificate and CA.key

Add User to Kubeconfig

The signed certificate and private key for the new user can now be added to the kubeconfig file allowing access to the cluster. For this a new context and user will be added.

The easiest way of doing this is to use kubectl to modify the kubeconfig file.

The initial kubeconfig file that has been created by kubeadm has a kubenetes-admin user with full access.

We will initially add the credentials for the new salterje user, making use of the signed certificate and private key. A cluster entry will also be added as well as a suitable context to link both together.

kubectl config set-credentials salterje --client-certificate=salterje.crt 
--client-key=salterje.key --embed-certs 
kubectl config set-cluster salterje-cluster --server=https://k8s-master 
--certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs
kubectl config set-context salterje-login --user=salterje 
--cluster=salterje-cluster

These three commands will add a new user, cluster and context to the default kubeconfig file within the cluster

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8s-master:6443
  name: kubernetes
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8s-master:6443
  name: salterje-cluster
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: salterje-cluster
    user: salterje
  name: salterje-login
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: salterje
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

Once these have have been set we can make use of the new salterje-login context

kubectl config use-context salterje-login

To prove the functionality we try getting the running Pods within the cluster

This proves the new user doesn't have any rights to access anything within the cluster at the moment.

The next stage is to create a role and rolebinding object to link the newly created user.

Create a Role

We create a role that allows the listing and watching of Pods but doesn't allow the creation of them (or viewing any other objects).

kubectl create role pod-reader --verb=get --verb=list --verb=watch
--resource=pods --dry-run=client -o yaml > pod-reader.yaml

This creates the pod-reader.yaml manifest

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: pod-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
  

We also need to create a suitable role-binding to link the role to our new user. This generates the pod-reader-binding.yaml manifest.

kubectl create rolebinding pod-reader-binding --user=salterje --role=pod-reader
--dry-run=client -o yaml > pod-reader-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: pod-reader-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: salterje

In essence the role-binding object links the user to the role that has been created.

In order to create the objects the manifests are run in the normal way, but we must first go back to the kubernetes-admin context to run the commands.

kubectl config use-context kubernetes-admin@kubernetes
kubectl create -f pod-reader.yaml
kubectl create -f pod-reader-binding.yaml

Now going back to the salterje-login context it can be proven that we are able to view Pods but not view services or do anything else within the cluster.

kubectl config use-context salterje-login

Conclusions

The use of RBAC within Kubernetes allows the linking of users with roles within the cluster. This allows minimum privalege levels for a user and the associated role.

However Kubernetes doesn't have a concept of a user object and relies on the use of certicates and keys that are sent with the api call. This lab has shown how to create the necessary key and certificate as well as the modification of the kubeconfig file to create a new context to use them.

Once the incoming request has been authenicated the request is authorized against a role which must be linked to a user with a suitable role-binding object.