Skip to content

Commit

Permalink
update-grid-view
Browse files Browse the repository at this point in the history
  • Loading branch information
@sangam14
sangam14 committed Dec 1, 2023
1 parent ebed10a commit 7320a9e
Show file tree
Hide file tree
Showing 3 changed files with 382 additions and 15 deletions.
14 changes: 7 additions & 7 deletions content/en/docker/_overview.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,13 @@ aliases:
### Table of Content
| Title | Link |
| --------- | ------- |
|1.Pre-requisit for this lab | [Lab](https://kubedaily.com/docs/pre-requist/) |
|2.Docker Hello World Example | [Lab](https://kubedaily.com/docs/hello-world/) |
|3.Docker Image Filtering | | [Lab](https://kubedaily.com/docs/docker-images-filter/) |
|4.Images and Container As Tar file | [Lab](https://kubedaily.com/docs/tarfile/) |
|5.Push first Nginx Web app To DockerHub | [Lab](https://kubedaily.com/docs/push-dockerhub-webapp/) |
|6.Build a Base Image from Scratch | [Lab](https://kubedaily.com/docs/scratch-image/) |
|7.Dockerfile Lab - ADD instruction | [Lab](https://kubedaily.com/docs/add-instruction/) |
|1.Pre-requisit for this lab | [Lab](https://kubedaily.com/docker/pre-requisit-for-this-lab/) |
|2.Docker Hello World Example | [Lab](https://kubedaily.com/docker/docker-hello-world-example/) |
|3.Docker Image Filtering | | [Lab](https://kubedaily.com/docker/docker-image-filtering/) |
|4.Images and Container As Tar file | [Lab](https://kubedaily.com/docker/images-and-container-as-tar-file/) |
|5.Push first Nginx Web app To DockerHub | [Lab](https://kubedaily.com/docker/push-first-nginx-web-app-to-dockerhub/) |
|6.Build a Base Image from Scratch | [Lab](https://kubedaily.com/docker/build-a-base-image-from-scratch/) |
|7.Dockerfile Lab - ADD instruction | [Lab](https://kubedaily.com/docker/dockerfile-lab-add-instruction/) |
|8.Dockerfile Lab - COPY instruction | [Lab](https://kubedaily.com/docs/copy-instruction/) |
|9.Dockerfile Lab - CMD instruction | [Lab](https://kubedaily.com/docs/cmd-instruction/) |
|10.Dockerfile Lab - Entrypoint instruction | [Lab](https://kubedaily.com/docs/entrypoint-instruction/) |
Expand Down
330 changes: 330 additions & 0 deletions content/en/k8s/c11.RBAC.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,330 @@
---
title: "RBAC "
description: " kubernetes Config "
slug: "RBAC"
---

#### Role Based Access Control (RBAC)

Role-Based Access Control (RBAC) in Kubernetes is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise. In the context of Kubernetes, RBAC allows you to control who has access to the Kubernetes API and what they can do with those resources

- Rules: A rule is a set of operations (verbs) that can be carried out on a group of resources which belong to different API Groups.

##### kubectl explain role.rules

```
kubectl explain role.rules
GROUP: rbac.authorization.k8s.io
KIND: Role
VERSION: v1

FIELD: rules <[]PolicyRule>

DESCRIPTION:
Rules holds all the PolicyRules for this Role
PolicyRule holds information that describes a policy rule, but does not
contain information about who the rule applies to or which namespace the
rule applies to.

FIELDS:
apiGroups <[]string>
APIGroups is the name of the APIGroup that contains the resources. If
multiple API groups are specified, any action requested against one of the
enumerated resources in any API group will be allowed. "" represents the
core API group and "*" represents all API groups.

nonResourceURLs <[]string>
NonResourceURLs is a set of partial urls that a user should have access to.
*s are allowed, but only as the full, final step in the path Since
non-resource URLs are not namespaced, this field is only applicable for
ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to
API resources (such as "pods" or "secrets") or non-resource URL paths (such
as "/api"), but not both.

resourceNames <[]string>
ResourceNames is an optional white list of names that the rule applies to.
An empty set means that everything is allowed.

resources <[]string>
Resources is a list of resources this rule applies to. '*' represents all
resources.

verbs <[]string> -required-
Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in
this rule. '*' represents all verbs.

```

- Roles and ClusterRoles: Both consist of rules. The difference between a Role and a ClusterRole is the scope: in a Role, the rules are applicable to a single namespace, whereas a ClusterRole is cluster-wide, so the rules are applicable to more than one namespace. ClusterRoles can define rules for cluster-scoped resources (such as nodes) as well. Both Roles and ClusterRoles are mapped as API Resources inside our cluster.


##### kubectl explain role
```
kubernetesdaily.github.io git:(main) ✗ kubectl explain role
GROUP: rbac.authorization.k8s.io
KIND: Role
VERSION: v1

DESCRIPTION:
Role is a namespaced, logical grouping of PolicyRules that can be referenced
as a unit by a RoleBinding.

FIELDS:
apiVersion <string>
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

kind <string>
Kind is a string value representing the REST resource this object
represents. Servers may infer this from the endpoint the client submits
requests to. Cannot be updated. In CamelCase. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

metadata <ObjectMeta>
Standard object's metadata.

rules <[]PolicyRule>
Rules holds all the PolicyRules for this Role

```

##### kubectl explain clusterroles

```
kubernetesdaily.github.io git:(main) ✗ kubectl explain clusterroles
GROUP: rbac.authorization.k8s.io
KIND: ClusterRole
VERSION: v1
DESCRIPTION:
ClusterRole is a cluster level, logical grouping of PolicyRules that can be
referenced as a unit by a RoleBinding or ClusterRoleBinding.
FIELDS:
aggregationRule <AggregationRule>
AggregationRule is an optional field that describes how to build the Rules
for this ClusterRole. If AggregationRule is set, then the Rules are
controller managed and direct changes to Rules will be stomped by the
controller.
apiVersion <string>
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind <string>
Kind is a string value representing the REST resource this object
represents. Servers may infer this from the endpoint the client submits
requests to. Cannot be updated. In CamelCase. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata <ObjectMeta>
Standard object's metadata.
rules <[]PolicyRule>
Rules holds all the PolicyRules for this ClusterRole
```


- Subjects: These correspond to the entity that attempts an operation in the cluster. There are three types of subjects:

- User Accounts: These are global, and meant for humans or processes living outside the cluster. There is no associated resource API Object in the Kubernetes cluster.

- Service Accounts: This kind of account is namespaced and meant for intra-cluster processes running inside pods, which want to authenticate against the API.

- Groups: This is used for referring to multiple accounts. There are some groups created by default such as cluster-admin (explained in later sections).

- RoleBindings and ClusterRoleBindings: Just as the names imply, these bind subjects to roles (i.e. the operations a given user can perform). As for Roles and ClusterRoles, the difference lies in the scope: a RoleBinding will make the rules effective inside a namespace, whereas a ClusterRoleBinding will make the rules effective in all namespaces.

#### kubectl explain rolebinding

```
✗ kubectl explain rolebindings
GROUP: rbac.authorization.k8s.io
KIND: RoleBinding
VERSION: v1

DESCRIPTION:
RoleBinding references a role, but does not contain it. It can reference a
Role in the same namespace or a ClusterRole in the global namespace. It adds
who information via Subjects and namespace information by which namespace it
exists in. RoleBindings in a given namespace only have effect in that
namespace.

FIELDS:
apiVersion <string>
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

kind <string>
Kind is a string value representing the REST resource this object
represents. Servers may infer this from the endpoint the client submits
requests to. Cannot be updated. In CamelCase. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

metadata <ObjectMeta>
Standard object's metadata.

roleRef <RoleRef> -required-
RoleRef can reference a Role in the current namespace or a ClusterRole in
the global namespace. If the RoleRef cannot be resolved, the Authorizer must
return an error. This field is immutable.

subjects <[]Subject>
Subjects holds references to the objects the role applies to.

```
#### kubectl explain clusterrolebindings
```
kubectl explain clusterrolebindings
GROUP: rbac.authorization.k8s.io
KIND: ClusterRoleBinding
VERSION: v1

DESCRIPTION:
ClusterRoleBinding references a ClusterRole, but not contain it. It can
reference a ClusterRole in the global namespace, and adds who information
via Subject.

FIELDS:
apiVersion <string>
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

kind <string>
Kind is a string value representing the REST resource this object
represents. Servers may infer this from the endpoint the client submits
requests to. Cannot be updated. In CamelCase. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

metadata <ObjectMeta>
Standard object's metadata.

roleRef <RoleRef> -required-
RoleRef can only reference a ClusterRole in the global namespace. If the
RoleRef cannot be resolved, the Authorizer must return an error. This field
is immutable.

subjects <[]Subject>
Subjects holds references to the objects the role applies to.

```
With Minikube, you can experiment with RBAC in a local Kubernetes setup. Minikube comes with RBAC enabled by default if you start it with a Kubernetes version that supports RBAC
```
✗ minikube start
😄 minikube v1.30.1 on Darwin 14.1.1 (arm64)
🎉 minikube 1.32.0 is available! Download it: https://github.com/kubernetes/minikube/releases/tag/v1.32.0
💡 To disable this notice, run: 'minikube config set WantUpdateNotification false'

✨ Using the docker driver based on existing profile
👍 Starting control plane node minikube in cluster minikube
🚜 Pulling base image ...
🔄 Restarting existing docker container for "minikube" ...
🐳 Preparing Kubernetes v1.26.3 on Docker 23.0.2 ...
🔗 Configuring Flannel (Container Networking Interface) ...
🌟 Enabled addons:
🔎 Verifying Kubernetes components...
👍 Starting worker node minikube-m02 in cluster minikube
🚜 Pulling base image ...
🔄 Restarting existing docker container for "minikube-m02" ...
🌐 Found network options:
▪ NO_PROXY=192.168.49.2
🐳 Preparing Kubernetes v1.26.3 on Docker 23.0.2 ...
▪ env NO_PROXY=192.168.49.2
🔎 Verifying Kubernetes components...
🏄 Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default
```
#### Create new namespace
Execute the kubectl create command to create the namespace (as the admin user):
```
kubernetesdaily.github.io git:(main) ✗ kubectl create namespace kubedaily
namespace/kubedaily created
```
#### Create the user credentials
genarete the user credentials using openssl command
```
openssl genrsa -out kubedaily.key 2048
Generating RSA private key, 2048 bit long modulus
................................................................+++++
.............................................................................+++++
e is 65537 (0x10001)

```
Create a certificate sign request using openssl command
```
kubernetesdaily.github.io git:(main) ✗ openssl req -new -key kubedaily.key -out kubedaily.csr -subj "/CN=kubedaily/O=sangam"
```
```
➜ .minikube ls
addons ca.pem certs key.pem machine_client.lock proxy-client-ca.crt
ca.crt cache config last_update_check machines proxy-client-ca.key
ca.key cert.pem files logs profiles tunnels.json
```
```
kubernetesdaily.github.io git:(main) ✗ kubectl config set-credentials kubedaily --client-certificate=/.certs/kubedaily.crt --client-key=/.certs/kubedaily.key
User "kubedaily" set.
kubectl config set-context kubedaily-context --cluster=minikube --namespace=kubedaily --user=sangam
```
Now you should get an access denied error when using the kubectl CLI with this configuration file. This is expected as we have not defined any permitted operations for this user.
```
kubectl --context=kubedaily-context get pods
```
#### Create the role for managing deployments
```
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: kubedaily
name: sangam
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["deployments", "replicasets", "pods"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]

```
#### Create the role binding
```
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: sangam-binding
namespace: kubedaily
subjects:
- kind: User
name: sangam
apiGroup: ""
roleRef:
kind: Role
name: sangam
apiGroup: ""

```
```
➜ kubernetesdaily.github.io git:(main) ✗ kubectl create -f rolebinding-deployment-manager.yaml
rolebinding.rbac.authorization.k8s.io/sangam-binding created
```
Loading

0 comments on commit 7320a9e

Please sign in to comment.