🕸 Kubernetes RBAC: A Guide for User Creation, Role Assignment, and Access Control
In Kubernetes, Role-Based Access Control (RBAC) is critical for controlling access to resources in the cluster. It allows admins to define who can perform specific actions (like creating or deleting pods) and on which resources (like pods, services, etc.). This guide will help you fully understand how to set up and manage RBAC, from creating users to assigning roles and verifying access.
Prerequisites
Before we begin, make sure you have:
- A running Kubernetes cluster (like Minikube, AWS EKS, or GKE)
kubectlinstalled and configured- Basic knowledge of Kubernetes resources (pods, services, etc.)
Step 1: Ensure RBAC is Enabled in Your Cluster
Before diving into user creation, you need to confirm that RBAC is enabled. Managed Kubernetes services (like AWS EKS, GKE) generally enable RBAC by default, but if you’re running a local cluster (e.g., Minikube), you’ll need to check or enable it.
1.1 Check if RBAC is enabled
Run the following command to see if RBAC is active in your Kubernetes cluster:
kubectl api-versions | grep rbacIf RBAC is enabled, you’ll see something like:
rbac.authorization.k8s.io/v1
rbac.authorization.k8s.io/v1beta11.2 Enable RBAC (if it’s not enabled)
If you’re using Minikube or another local cluster and RBAC is not enabled, you can start Minikube with RBAC enabled:
minikube start --extra-config=apiserver.Authorization.Mode=RBACStep 2: Create a New Kubernetes User
Kubernetes doesn’t manage users directly, but you can authenticate users using client certificates. Follow these steps to create a new user.
2.1 Generate the user’s private key and certificate signing request (CSR)
Use OpenSSL to create a private key and a certificate signing request (CSR) for the user:
openssl genrsa -out user.key 2048
openssl req -new -key user.key -out user.csr -subj "/CN=user/O=dev-team"CN=user: This is the common name (the username).O=dev-team: The organization, which is useful for grouping users (you can create multiple users in the same group).
2.2 Submit the CSR to Kubernetes
You need to create a Kubernetes CSR object so that the Kubernetes API server can sign the user’s certificate:
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: user-csr
spec:
request: $(cat user.csr | base64 | tr -d '\n')
signerName: kubernetes.io/kube-apiserver-client
expirationSeconds: 31536000 # Valid for one year
usages:
- client auth
EOF2.3 Approve the CSR
Once the CSR is created, an admin must approve it:
kubectl certificate approve user-csr2.4 Retrieve the signed certificate
After approval, you can extract the signed certificate:
kubectl get csr user-csr -o jsonpath='{.status.certificate}' | base64 --decode > user.crt2.5 Set up the user in your kubeconfig
Finally, configure your kubeconfig so the user can authenticate with the Kubernetes cluster using their new certificate:
kubectl config set-credentials user --client-certificate=user.crt --client-key=user.key --embed-certs=trueStep 3: Assign Roles Using RBAC
Now that your user is created, let’s assign specific permissions using Roles and RoleBindings.
3.1 Create a Role
A Role in Kubernetes defines a set of permissions within a namespace. Here’s an example of a role that allows the user to list, get, and watch pods in the default namespace:
# role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: read-pods
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]Apply the role:
kubectl apply -f role.yaml3.2 Bind the Role to the User
Next, we bind this Role to the user by creating a RoleBinding. This gives the user the defined permissions in the default namespace.
# rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods-binding
namespace: default
subjects:
- kind: User
name: user
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: read-pods
apiGroup: rbac.authorization.k8s.ioApply the RoleBinding:
kubectl apply -f rolebinding.yamlStep 4: Verify User Access
Now that roles are assigned, it’s time to verify what actions the user can perform.
4.1 Switch to the user’s context
Create a new context for the user and switch to it:
kubectl config set-context user-context --cluster=minikube --namespace=default --user=user
kubectl config use-context user-context4.2 Use kubectl auth can-i to check permissions
Use the kubectl auth can-i command to verify what actions the user can or cannot perform:
- Can the user list pods?
kubectl auth can-i list pods- Output:
yes(because the user haslistpermission on pods) - Can the user delete pods?
kubectl auth can-i delete pods- Output:
no(because the role doesn’t grantdeletepermission)
This ensures that the user’s access is restricted to only the permissions assigned in the Role.
Step 5: Modify Access Permissions
If you need to grant the user more permissions, such as the ability to delete pods, you can modify the Role.
5.1 Update the Role
Modify the Role to add the delete verb:
# role.yaml (updated)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: read-pods
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch", "delete"] # Added 'delete'Apply the updated Role:
kubectl apply -f role.yaml5.2 Verify the updated access
Now, verify the user’s access again:
kubectl auth can-i delete podsOutput: yes (since we added the delete permission)
Step 6: Clean Up
When you’re done, you may want to remove the user or revoke their permissions.
6.1 Delete the RoleBinding and Role
To revoke the user’s access:
kubectl delete rolebinding read-pods-binding --namespace=default
kubectl delete role read-pods --namespace=default6.2 Remove the user from kubeconfig
To remove the user and their context from kubeconfig:
kubectl config unset users.user
kubectl config delete-context user-contextConclusion
In this post, we covered how to:
- Ensure RBAC is enabled in your Kubernetes cluster.
- Create a new user using client certificates.
- Assign roles and bind them to the user using RBAC.
- Verify and modify user access with
kubectl auth can-i. - Remove users and clean up when necessary.
With Kubernetes RBAC, you can enforce fine-grained access control, ensuring each user has exactly the permissions they need and nothing more. By mastering these concepts, you can secure your cluster while maintaining the flexibility of role-based permissions.
