K8s: Grant permissions on users and groups - Wed, Aug 3, 2022
In one of my recent snippets I wrote how to create a user using certificate-based authentication. In this snippet I show how to manage authorization for users and groups using RBAC.
In that snippet I created a user named john belonging to the organization jeeatwork by giving the CSR the subject /CN=john/O=jeeatwork. To bind john to a role, a RoleBinding needs to be created:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: view-test
  namespace: test
subjects:
- kind: User
  name: john
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
By using kind: User I bind the user directly to the built-in ClusterRole view, which grants read-only access to most resources (the built-in view role deliberately excludes Secrets). Because the RoleBinding lives in the namespace test, the permissions of the view role apply only to that namespace.
Instead of the User subject I could also have used john's group jeeatwork as the subject:
subjects:
- kind: Group
  name: jeeatwork
  apiGroup: rbac.authorization.k8s.io
This group was never created explicitly; it exists implicitly because the certificate's subject DN /CN=john/O=jeeatwork puts john in the organization jeeatwork, and the API server maps each O= field of a client certificate to a group name. Any other certificate issued with O=jeeatwork receives the same permissions, so controlling who can obtain such certificates is what bounds this binding.
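As an added example (not code from the post or from Kubernetes itself), here is a small Python model of the RBAC evaluation described above: User and Group subject matching, the namespace scoping of a RoleBinding, and the read-only rules of the referenced role. The rule list for "view" is a constructed subset of the built-in ClusterRole, enough to show that Secrets are not covered.

```python
# Added example: a minimal model of how Kubernetes RBAC evaluates a RoleBinding
# against a request. This is not the API server's code; the "view" rules below
# are a constructed subset of the built-in ClusterRole (which, like this one,
# omits Secrets).
CLUSTER_ROLES = {
    "view": [
        {"verbs": {"get", "list", "watch"},
         "resources": {"pods", "services", "configmaps", "deployments"}},
    ],
}

# The RoleBinding from the post: bound in namespace "test" to User "john".
ROLE_BINDINGS = [
    {"namespace": "test", "roleRef": "view",
     "subjects": [{"kind": "User", "name": "john"}]},
]

# The Group variant from the post: same role, subject is the group "jeeatwork"
# that the certificate's O= field put john into.
GROUP_BINDING = [
    {"namespace": "test", "roleRef": "view",
     "subjects": [{"kind": "Group", "name": "jeeatwork"}]},
]

def subject_matches(subject, user, groups):
    """A User subject matches by name; a Group subject matches any of the
    caller's groups (derived from the certificate's O= fields)."""
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return False

def allowed(user, groups, namespace, verb, resource, bindings=ROLE_BINDINGS):
    """True if some RoleBinding in the request's namespace binds the caller
    to a role whose rules permit `verb` on `resource`."""
    for rb in bindings:
        if rb["namespace"] != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        if not any(subject_matches(s, user, groups) for s in rb["subjects"]):
            continue
        for rule in CLUSTER_ROLES[rb["roleRef"]]:
            if verb in rule["verbs"] and resource in rule["resources"]:
                return True
    return False

if __name__ == "__main__":
    print(allowed("john", {"jeeatwork"}, "test", "list", "pods"))     # True
    print(allowed("john", {"jeeatwork"}, "default", "list", "pods"))  # False
    print(allowed("john", {"jeeatwork"}, "test", "get", "secrets"))   # False
    print(allowed("alice", {"jeeatwork"}, "test", "list", "pods", GROUP_BINDING))  # True
```

Against a real cluster the equivalent check is `kubectl auth can-i list pods -n test --as john --as-group jeeatwork`, which lets you verify a binding before handing out the certificate.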