
RBAC (Role Based Access Controls) and Practice Test

developer-role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "get", "create", "update", "delete"]
- apiGroups: [""]
  resources: ["configmaps"]   # RBAC matches the lowercase plural resource name; "ConfigMap" (the kind) would match nothing
  verbs: ["create"]

kubectl create -f developer-role.yaml

devuser-developer-binding.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devuser-developer-binding
subjects:
- kind: User
  name: dev-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io

kubectl create -f devuser-developer-binding.yaml


View RBAC

kubectl get roles

kubectl get rolebindings

kubectl describe role developer

kubectl describe rolebinding devuser-developer-binding

Check Access

kubectl auth can-i create deployments

kubectl auth can-i delete nodes

kubectl auth can-i create deployments --as dev-user

kubectl auth can-i create pods --as dev-user


Resource Names

[Practice Test]

ㅁ Inspect the environment and identify the authorization modes configured on the cluster.

Check the kube-apiserver settings (the --authorization-mode flag):

kubectl get pods -n kube-system

kubectl describe pod kube-apiserver-controlplane -n kube-system
Containers:
  kube-apiserver:
    Container ID:  docker://9bc0393b4d595a36d831fac0bb211ac518e796cd1e69d78df8f5cd306bfcb1c3
    Image:         k8s.gcr.io/kube-apiserver:v1.19.0
    Image ID:      docker-pullable://k8s.gcr.io/kube-apiserver@sha256:522d17d35a8994637d27d1232bebd35cfae8e3e21ab359431403f2b8023e332c
    Port:          <none>
    Host Port:     <none>
    Command:
      kube-apiserver
      --advertise-address=172.17.0.67
      --allow-privileged=true
      --authorization-mode=Node,RBAC
      --client-ca-file=/etc/kubernetes/pki/ca.crt
      --enable-admission-plugins=NodeRestriction
      --enable-bootstrap-token-auth=true
      --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
      --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
      --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
      --etcd-servers=https://127.0.0.1:2379
      --insecure-port=0
      --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
      --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
      --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
      --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
      --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
      --requestheader-allowed-names=front-proxy-client
      --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
      --requestheader-extra-headers-prefix=X-Remote-Extra-
      --requestheader-group-headers=X-Remote-Group
      --requestheader-username-headers=X-Remote-User
      --secure-port=6443
      --service-account-key-file=/etc/kubernetes/pki/sa.pub
      --service-cluster-ip-range=10.96.0.0/12
      --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
      --tls-private-key-file=/etc/kubernetes/pki/apiserver.key

ㅁ How many roles exist in the default namespace?

kubectl get roles

ㅁ How many roles exist in all namespaces together?

kubectl get roles --all-namespaces

ㅁ What are the resources the kube-proxy role in the kube-system namespace is given access to?

kubectl describe role kube-proxy -n kube-system
Name:         kube-proxy
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources   Non-Resource URLs  Resource Names  Verbs
  ---------   -----------------  --------------  -----
  configmaps  []                 [kube-proxy]    [get]

ㅁ What action can the kube-proxy role perform on configmaps?

[get]  [list]   [delete]

(The PolicyRule in the describe output above lists only the get verb, and only for the configmap named kube-proxy.)


ㅁ Which of the following statements are true?

[kube-proxy role can get details of configmap object by the name kube-proxy]

[kube-proxy role can only view and update configmap object by the name kube-proxy]

[kube-proxy role can delete the configmap it created]


ㅁ Which account is the kube-proxy role assigned to?

[ServiceAccount: kube-proxy]

[User: kube-proxy]

[Group: system:bootstrappers:kubeadm:default-node-token]

[admin user]

[kube-system]


kubectl get rolebinding --all-namespaces
kubectl describe rolebinding kube-proxy -n kube-system
Name:         kube-proxy
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  kube-proxy
Subjects:
  Kind   Name                                             Namespace
  ----   ----                                             ---------
  Group  system:bootstrappers:kubeadm:default-node-token  

 

ㅁ A user dev-user is created. User's details have been added to the kubeconfig file. Inspect the permissions granted to the user. Check if the user can list pods in the default namespace.

Use the --as dev-user option with kubectl to run commands as the dev-user:

kubectl auth can-i get pod --as dev-user


ㅁ Create the necessary roles and role bindings required for the dev-user to create, list and delete pods in the default namespace.

Use the given spec:

- Role: developer
- Role Resources: pods
- Role Actions: list
- Role Actions: create
- RoleBinding: dev-user-binding
- RoleBinding: Bound to dev-user

role-def.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: default   # the task targets the default namespace; a Role in "blue" would not be found by a RoleBinding created in default
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create", "list", "delete"]

kubectl create -f role-def.yaml


rolebinding-def.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-user-binding
subjects:
- kind: User
  name: dev-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io

kubectl create -f rolebinding-def.yaml


ㅁ The dev-user is trying to get details about the dark-blue-app pod in the blue namespace. Investigate and fix the issue.

(We have created the required roles and rolebindings, but something seems to be wrong.)

Note that describe is a kubectl subcommand, not an API verb: kubectl describe pod is served by the get verb on pods, so get is the verb to check and to grant.

kubectl auth can-i get pod dark-blue-app -n blue --as dev-user

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2021-03-29T12:23:17Z"
  name: developer
  namespace: blue
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - watch
  - create
  - delete
  # no "describe" entry: it is not an API verb, so it would never match a request

ㅁ Grant the dev-user permissions to create deployments in the blue namespace.

Remember to add both groups "apps" and "extensions" (deployments are not in the core "" group, so a rule with apiGroups: [""] would not match them).

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: blue
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - watch
  - create
  - delete
- apiGroups:
  - extensions
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - create
  - delete
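As an added example (not code from the original post or from the course), the following Python models how the RBAC authorizer evaluates a request against the Roles and RoleBindings defined on this page, which is the decision that `kubectl auth can-i` reports. The ROLES and BINDINGS contents are constructed from the manifests above; the model also shows why `list` or `describe` on the kube-proxy configmap is refused and why deployments need the apps/extensions groups.

```python
"""Tiny model of Kubernetes RBAC rule matching (added example, not the page's code).
Mirrors `kubectl auth can-i <verb> <resource> --as <user> -n <ns>`: a request is allowed only
when a RoleBinding in that namespace binds the subject to a Role whose rule matches the verb,
apiGroup, resource and (if set) resourceName. RBAC is allow-only: no rule ever denies."""
# Constructed objects shaped like this page's manifests. Resources match by their lowercase
# plural API name, so a rule written as "ConfigMap" would match nothing.
ROLES = {  # (namespace, role name) -> rules
    ("default", "developer"): [
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["list", "get", "create", "update", "delete"]},
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["create"]},
    ],
    ("blue", "developer"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "create", "delete"]},
        {"apiGroups": ["extensions", "apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "create", "delete"]},
    ],
    ("kube-system", "kube-proxy"): [
        {"apiGroups": [""], "resources": ["configmaps"], "resourceNames": ["kube-proxy"],
         "verbs": ["get"]},
    ],
}
BINDINGS = [  # (namespace, subject kind, subject name, bound role)
    ("default", "User", "dev-user", "developer"),
    ("blue", "User", "dev-user", "developer"),
    ("kube-system", "Group", "system:bootstrappers:kubeadm:default-node-token", "kube-proxy"),
]

def rule_matches(rule, verb, api_group, resource, name=None):
    """A PolicyRule allows a request only if every field matches ('*' is a wildcard)."""
    def allows(field, value):
        return "*" in rule.get(field, []) or value in rule.get(field, [])
    if not (allows("verbs", verb) and allows("apiGroups", api_group) and allows("resources", resource)):
        return False
    names = rule.get("resourceNames")
    # resourceNames restrict the rule to named objects; list/watch carry no name, so a rule
    # like kube-proxy's can never grant them even though it grants `get` on that one configmap.
    return not names or name in names

def can_i(verb, resource, user=None, groups=(), namespace="default", api_group="", name=None):
    """True if some Role bound to the subject in `namespace` matches the request."""
    subjects = {("Group", g) for g in groups} | ({("User", user)} if user else set())
    for ns, kind, subject, role in BINDINGS:
        if ns != namespace or (kind, subject) not in subjects:
            continue
        # roleRef resolves to a Role in the binding's own namespace only.
        if any(rule_matches(r, verb, api_group, resource, name) for r in ROLES.get((ns, role), [])):
            return True
    return False
```

Calling `can_i("create", "deployments", user="dev-user", namespace="blue", api_group="apps")` returns True, while the same request with the core group (`api_group=""`) returns False.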
