K8s: Grant permissions on users and groups - Wed, Aug 3, 2022
In one of my recent snippets I wrote how to create a user using certificate-based authentication. In this snippet I show how to manage authorization for users and groups using RBAC.
In that last snippet I created a user named john belonging to the organization jeeatwork by giving the CSR the subject /CN=john/O=jeeatwork. To bind john to a certain role, a RoleBinding needs to be created:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: view-test
  namespace: test
subjects:
- kind: User
  name: john
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
By using kind: User I bind the user directly to the built-in ClusterRole view, which grants read-only access (get, list, watch) to most namespaced resources. Note that view deliberately does not cover secrets (reading them would hand out the ServiceAccount credentials of the namespace), nor roles and rolebindings. Since the RoleBinding is located in the namespace test, the view role is limited to that namespace: a RoleBinding that references a ClusterRole only applies the role's rules inside the binding's own namespace. Granting view cluster-wide would require a ClusterRoleBinding instead.
Instead of the user subject I could have used john's group jeeatwork as the subject:
subjects:
- kind: Group
  name: jeeatwork
  apiGroup: rbac.authorization.k8s.io
This group was never created explicitly; Kubernetes has no user or group objects at all. The X.509 client-certificate authenticator takes the username from the CN and the group memberships from the O fields of the subject /CN=john/O=jeeatwork, so every certificate signed by the cluster's client-certificate signer with O=jeeatwork is automatically a member of that group (in addition to system:authenticated, which the API server adds to every authenticated identity). That is what makes group bindings convenient, but it also means anyone who can get a CSR with O=jeeatwork approved and signed inherits everything bound to the group, so CSR approval rights deserve the same scrutiny as the bindings themselves.
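To make the matching rules concrete, here is an added illustration (not code from this post or from Kubernetes) that models how the X.509 authenticator turns a certificate subject into a username plus groups, and how a RoleBinding with a User or a Group subject then matches that identity within its namespace. The rule table for the view ClusterRole is a constructed, heavily trimmed stand-in for the real aggregated role; the subject parser assumes the plain OpenSSL /KEY=value format with no escaped slashes. Real authorization is done by kube-apiserver; this only mirrors the parts of its behaviour the snippet relies on.

```python
"""Model of Kubernetes X.509 identity mapping and RoleBinding matching.

Added example, not the post's own code. The role table and manifests are
constructed for the illustration and mirror the bindings shown in the post.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Identity:
    user: str
    groups: list[str] = field(default_factory=list)


def identity_from_subject(subject: str) -> Identity:
    """Map an OpenSSL-style subject such as /CN=john/O=jeeatwork to an identity.

    The x509 client-cert authenticator uses CN as the username and every O as a
    group; the API server additionally places every authenticated identity in
    the system:authenticated group. Assumes no escaped '/' inside values.
    """
    user = None
    groups: list[str] = []
    for rdn in subject.strip("/").split("/"):
        key, _, value = rdn.partition("=")
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    if user is None:
        raise ValueError("subject has no CN; the authenticator would reject it")
    return Identity(user, groups + ["system:authenticated"])


# Constructed, simplified stand-in for the aggregated ``view`` ClusterRole:
# read-only verbs, and secrets are deliberately absent from the resource list.
CLUSTER_ROLES = {
    "view": {
        "verbs": {"get", "list", "watch"},
        "resources": {"pods", "services", "deployments", "configmaps"},
    },
}


def subject_matches(subject: dict, ident: Identity) -> bool:
    """A User subject matches by username, a Group subject by group membership."""
    if subject["kind"] == "User":
        return subject["name"] == ident.user
    if subject["kind"] == "Group":
        return subject["name"] in ident.groups
    return False  # ServiceAccount subjects are out of scope for this model


def can(ident: Identity, verb: str, resource: str, namespace: str,
        bindings: list[dict]) -> bool:
    """True if any RoleBinding grants ``verb`` on ``resource`` in ``namespace``."""
    for binding in bindings:
        # A RoleBinding only ever grants inside its own namespace, even when the
        # roleRef points at a ClusterRole.
        if binding["metadata"]["namespace"] != namespace:
            continue
        if not any(subject_matches(s, ident) for s in binding["subjects"]):
            continue
        role = CLUSTER_ROLES.get(binding["roleRef"]["name"])
        if role and verb in role["verbs"] and resource in role["resources"]:
            return True
    return False


# The two bindings from the post, as dicts (apiGroup fields omitted for brevity).
VIEW_TEST_USER = {
    "kind": "RoleBinding",
    "metadata": {"name": "view-test", "namespace": "test"},
    "subjects": [{"kind": "User", "name": "john"}],
    "roleRef": {"kind": "ClusterRole", "name": "view"},
}
VIEW_TEST_GROUP = {
    "kind": "RoleBinding",
    "metadata": {"name": "view-test", "namespace": "test"},
    "subjects": [{"kind": "Group", "name": "jeeatwork"}],
    "roleRef": {"kind": "ClusterRole", "name": "view"},
}


def demo() -> dict[str, bool]:
    """Evaluate the cases a practitioner would check after applying the bindings."""
    john = identity_from_subject("/CN=john/O=jeeatwork")
    jane = identity_from_subject("/CN=jane/O=jeeatwork")  # constructed second cert
    return {
        "john_list_pods_in_test": can(john, "list", "pods", "test", [VIEW_TEST_USER]),
        "john_list_pods_in_prod": can(john, "list", "pods", "prod", [VIEW_TEST_USER]),
        "john_delete_pods_in_test": can(john, "delete", "pods", "test", [VIEW_TEST_USER]),
        "john_get_secrets_in_test": can(john, "get", "secrets", "test", [VIEW_TEST_USER]),
        "jane_via_user_binding": can(jane, "list", "pods", "test", [VIEW_TEST_USER]),
        "jane_via_group_binding": can(jane, "list", "pods", "test", [VIEW_TEST_GROUP]),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

Against a real cluster the equivalent check is kubectl auth can-i with impersonation, for example `kubectl auth can-i list pods -n test --as john` and `kubectl auth can-i list pods -n test --as jane --as-group jeeatwork`; note that impersonation itself requires the impersonate verb on users and groups, so run it with an admin context.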