add

README.md

@@ -117,3 +117,20 @@ Table of content
 
 
 </strong>
+
+
+
+
+### [Learn about Tools in depth](https://kubedaily.com/blog/)
+
+
+[List of tools](https://kubedaily.com/cloudnativetools/)
+
+
+| Title | Link | Tag | Author
+| --------- | ------- | ----- | ----- |
+| [Okteto](https://github.com/okteto/okteto) | [Learn](https://kubedaily.com/blog/okteto/) | Development Tools | Sangam Biradar
+| [cert-manager](https://github.com/cert-manager/cert-manager) | [Learn](https://kubedaily.com/blog/certmanager/) | Networking | Sangam Biradar 
+| [flannel](https://github.com/flannel-io/flannel) | [Learn](https://kubedaily.com/blog/flannel/) | Networking | Sangam Biradar 
+| [werf](https://github.com/werf/werf) | [Learn](https://kubedaily.com/blog/werf/) | Continuous Integration & Delivery | Sangam Biradar 
+| [werf](https://github.com/werf/werf) | [Learn](https://kubedaily.com/blog/werf/) | Continuous Integration & Delivery | Sangam Biradar 

content/en/k8s/admin-service-account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: admin-team-sa
+  namespace: default

content/en/k8s/c11.RBAC.md

@@ -1,6 +1,5 @@
 ---
-title: "RBAC "
-description: " kubernetes Config "
+title: "RBAC"
 slug: "RBAC"
 ---
 
@@ -218,113 +217,207 @@ FIELDS:
 
 ```
 
-With Minikube, you can experiment with RBAC in a local Kubernetes setup. Minikube comes with RBAC enabled by default if you start it with a Kubernetes version that supports RBAC
+
+#### Start Minikube with RBAC enabled:
 
 ```
- ✗ minikube start 
-😄  minikube v1.30.1 on Darwin 14.1.1 (arm64)
-🎉  minikube 1.32.0 is available! Download it: https://github.com/kubernetes/minikube/releases/tag/v1.32.0
-💡  To disable this notice, run: 'minikube config set WantUpdateNotification false'
 
+➜  kubernetesdaily.github.io git:(main) ✗ minikube start --extra-config=apiserver.authorization-mode=RBAC
+
+😄  minikube v1.32.0 on Darwin 14.2 (arm64)
 ✨  Using the docker driver based on existing profile
 👍  Starting control plane node minikube in cluster minikube
 🚜  Pulling base image ...
 🔄  Restarting existing docker container for "minikube" ...
-🐳  Preparing Kubernetes v1.26.3 on Docker 23.0.2 ...
-🔗  Configuring Flannel (Container Networking Interface) ...
-🌟  Enabled addons: 
-🔎  Verifying Kubernetes components...
-👍  Starting worker node minikube-m02 in cluster minikube
-🚜  Pulling base image ...
-🔄  Restarting existing docker container for "minikube-m02" ...
-🌐  Found network options:
-    ▪ NO_PROXY=192.168.49.2
-🐳  Preparing Kubernetes v1.26.3 on Docker 23.0.2 ...
-    ▪ env NO_PROXY=192.168.49.2
+🐳  Preparing Kubernetes v1.28.3 on Docker 24.0.7 ...
+    ▪ apiserver.authorization-mode=RBAC
+🔗  Configuring bridge CNI (Container Networking Interface) ...
 🔎  Verifying Kubernetes components...
+    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
+🌟  Enabled addons: storage-provisioner, default-storageclass
 🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default
-```
 
-#### Create new namespace 
 
-Execute the kubectl create command to create the namespace (as the admin user):
-    
-``` 
-kubernetesdaily.github.io git:(main) ✗ kubectl create namespace kubedaily
-namespace/kubedaily created
+#### create new namespace 
+
+```
+kubernetesdaily.github.io git:(main) ✗ kubectl create namespace rbacminikube
+namespace/rbacminikube created
 ```
 
-#### Create the user credentials
+Define a Role (nginx-role.yaml) that allows managing NGINX resources (pods and services) within the "rbacminikube" namespace:
 
-genarete the user credentials using openssl command 
+### create new namespaces with name developement & qa 
 
 ```
- openssl genrsa -out kubedaily.key 2048
-Generating RSA private key, 2048 bit long modulus
-................................................................+++++
-.............................................................................+++++
-e is 65537 (0x10001)
+➜  k8s git:(main) ✗ kubectl create namespace development
+kubectl create namespace qa
+namespace/development created
+namespace/qa created
+```
+
+## Why Create Service Accounts?
+
+- Process Identity: Service accounts provide an identity for processes that run in pods, enabling Kubernetes to apply RBAC rules to these processes.
+
+- Scoped Access Control: By associating a service account with certain RBAC roles, you can control what actions the processes running under this account can perform in the Kubernetes cluster.
+
+- Security Best Practices: Using distinct service accounts for different teams or applications is a security best practice. It prevents privilege escalation and limits the impact if a service account is compromised.
+
+dev-service-account.yaml
 
 ```
-Create a certificate sign request  using openssl command 
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dev-team-sa
+  namespace: development
 
 ```
- kubernetesdaily.github.io git:(main) ✗ openssl req -new -key kubedaily.key -out kubedaily.csr -subj "/CN=kubedaily/O=sangam"
+
+qa-service-account.yaml
+
 ```
- 
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: qa-team-sa
+  namespace: qa
 ```
-➜  .minikube ls
-addons              ca.pem              certs               key.pem             machine_client.lock proxy-client-ca.crt
-ca.crt              cache               config              last_update_check   machines            proxy-client-ca.key
-ca.key              cert.pem            files               logs                profiles            tunnels.json
-``` 
+
+admin-service-account.yaml
 
 ```
- kubernetesdaily.github.io git:(main) ✗ kubectl config set-credentials kubedaily --client-certificate=/.certs/kubedaily.crt  --client-key=/.certs/kubedaily.key 
-User "kubedaily" set.
-kubectl config set-context kubedaily-context --cluster=minikube --namespace=kubedaily --user=sangam
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: admin-team-sa
+  namespace: default  # or a specific admin namespace
 ```
-Now you should get an access denied error when using the kubectl CLI with this configuration file. This is expected as we have not defined any permitted operations for this user.
+
+### apply all service account 
 
 ```
- kubectl --context=kubedaily-context get pods
+kubectl apply -f dev-service-account.yaml
+kubectl apply -f qa-service-account.yaml
+kubectl apply -f admin-service-account.yaml
 ```
 
-####  Create the role for managing deployments
+
+
+#### define role and Rolebindings 
+
+developer role 
+Permissions to manage pods in the development namespace.
+
 
 ```
+apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
+metadata:
+  name: development-role
+  namespace: development
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch", "create", "delete"]
+```
+  k8s git:(main) ✗ kubectl apply -f development-role.yaml 
+role.rbac.authorization.k8s.io/development-role created
+
+
+read-only access to all resources in the qa namespace.
+qa-role.yaml
+```
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
-  namespace: kubedaily
-  name: sangam
+  name: qa-role
+  namespace: qa
 rules:
-- apiGroups: ["", "extensions", "apps"]
-  resources: ["deployments", "replicasets", "pods"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]
+- apiGroups: ["*"]
+  resources: ["*"]
+  verbs: ["get", "list", "watch"]
+
 
 ```
+ k8s git:(main) ✗ kubectl apply -f qa-role.yaml
+role.rbac.authorization.k8s.io/qa-role created
 
-#### Create the role binding
+Admin Team ClusterRole (admin-clusterrole.yaml):
+Read access to all resources cluster-wide.
 
 ```
-kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: admin-clusterrole
+rules:
+- apiGroups: ["*"]
+  resources: ["*"]
+  verbs: ["get", "list", "watch"]
+
+
+```
+ kubectl apply -f admin-clusterrole.yaml
+clusterrole.rbac.authorization.k8s.io/admin-clusterrole created
+
+#### ngnix deploymemt 
+
+```
+apiVersion: apps/v1
+kind: Deployment
 metadata:
-  name: sangam-binding
-  namespace: kubedaily
-subjects:
-- kind: User
-  name: sangam
-  apiGroup: ""
-roleRef:
-  kind: Role
-  name: sangam
-  apiGroup: ""
+  name: nginx-deployment
+  namespace: development
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      serviceAccountName: dev-team-sa
+      containers:
+      - name: nginx
+        image: nginx
+
 
 ```
 
 ```
-➜  kubernetesdaily.github.io git:(main) ✗ kubectl create -f rolebinding-deployment-manager.yaml
-rolebinding.rbac.authorization.k8s.io/sangam-binding created
-```
+➜  k8s git:(main) ✗ kubectl apply -f nginx-deployment.yaml.yaml                                              
+
+deployment.apps/nginx-deployment created
+➜  k8s git:(main) ✗ kubectl get deployments -n development
+NAME               READY   UP-TO-DATE   AVAILABLE   AGE
+nginx-deployment   1/1     1            1           31s
+
+
+#### Check out put 
+
+
+ minikube service nginx-service -n development
+|-------------|---------------|-------------|---------------------------|
+|  NAMESPACE  |     NAME      | TARGET PORT |            URL            |
+|-------------|---------------|-------------|---------------------------|
+| development | nginx-service |          80 | http://192.168.49.2:31744 |
+|-------------|---------------|-------------|---------------------------|
+🏃  Starting tunnel for service nginx-service.
+|-------------|---------------|-------------|------------------------|
+|  NAMESPACE  |     NAME      | TARGET PORT |          URL           |
+|-------------|---------------|-------------|------------------------|
+| development | nginx-service |             | http://127.0.0.1:50198 |
+|-------------|---------------|-------------|------------------------|
+🎉  Opening service development/nginx-service in default browser...
+❗  Because you are using a Docker driver on darwin, the terminal needs to be open to run it.
+
+
+
+#### can qa role able to access it no 
+
+kubectl auth can-i get deployments --as=system:serviceaccount:qa:qa-role -n development
+no

data/en/k8s/sidebar.yml

@@ -14,5 +14,5 @@
   - title: Service Type - NodePort,ClusterIP,LoadBalancer
   - title: Ingress Controller
   - title: ConfigMap
-
+  - title: RBAC