Solving CKA exercises – Part 4

When we are talking about security in Kubernetes, one of the first things we must work on is Service Accounts and the roles bound to them. Solving these CKA exercises you will learn this topic easily.

Service Accounts provide the identity that workloads use to authenticate to the API server. They are meant for pods and applications, although a user can also act as one (for example with `kubectl --as system:serviceaccount:<namespace>:<name>`). On their own they have no permissions: we create roles out of Kubernetes' permissions (verbs on resources) and bind them to a Service Account, which is then granted exactly those permissions.

We can choose between Roles and ClusterRoles. Roles are namespaced and can only grant access within their own namespace; ClusterRoles exist at cluster level, can additionally grant access to cluster-scoped resources (such as nodes) and non-resource URLs, and can be reused across namespaces by referencing them from a binding in each namespace.

Likewise, when creating the binding that attaches a role to a Service Account we can choose between RoleBinding and ClusterRoleBinding. A RoleBinding grants the permissions only within its own namespace, even when it references a ClusterRole; a ClusterRoleBinding grants them across the whole cluster, in every namespace, so it should be reserved for subjects that genuinely need cluster-wide access.

If you liked it, don't forget to try the other exercises on KillerCoda and read more posts about Kubernetes.

Used Commands:

  • kubectl -n <namespace> create sa <sa_name>
    To create a Service Account in a specific Namespace
  • kubectl describe clusterrole <clusterrole_name>
    To see the rules (verbs and resources) attached to a ClusterRole
  • kubectl create clusterrolebinding <binding_name> --clusterrole <clusterrole_name> --serviceaccount <namespace>:<serviceaccount>
    To create a ClusterRoleBinding between a ClusterRole and a Service Account (the same works for `kubectl create rolebinding` with `--role` or `--clusterrole`, but a RoleBinding is namespaced, so we must specify the Namespace with `-n`)
  • kubectl create clusterrole <role_name> --verb <verbs> --resource <resources>
    Create a ClusterRole allowing X actions on Y resources; both flags accept comma-separated lists. The same works for `kubectl create role` with `-n <namespace>`.
  • kubectl auth can-i <verb> <resource> --as system:serviceaccount:<namespace>:<service_account> -n <namespace>
    Checks whether the Service Account is allowed to perform the specified action on the declared resource in the given Namespace (prints `yes` or `no`, and exits non-zero on `no`)
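The whole workflow the commands above describe, as an added example that is not part of the original post: create a Service Account, give it a least-privilege Role with a namespaced RoleBinding, then verify with `kubectl auth can-i` not only that it can do what it needs but also that it cannot write, read Secrets, or act in another namespace. The namespace `dev`, Service Account `reporter` and Role `pod-reader` are assumed names chosen for illustration, and `KUBECTL` can be overridden to point at a wrapper or a stub.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumed names: namespace "dev",
# Service Account "reporter", Role "pod-reader". Override via environment.
set -eu

NS="${NS:-dev}"
SA="${SA:-reporter}"
ROLE="${ROLE:-pod-reader}"
KUBECTL="${KUBECTL:-kubectl}"   # overridable so the checks can run against a stub

# Create the Service Account, a Role limited to get/list on pods, and a RoleBinding
# in the same namespace. A RoleBinding (not a ClusterRoleBinding) keeps the grant
# confined to $NS even if the referenced role were a ClusterRole.
setup_rbac() {
  "$KUBECTL" get namespace "$NS" >/dev/null 2>&1 || "$KUBECTL" create namespace "$NS"
  "$KUBECTL" -n "$NS" create sa "$SA"
  "$KUBECTL" -n "$NS" create role "$ROLE" --verb=get,list --resource=pods
  "$KUBECTL" -n "$NS" create rolebinding "${ROLE}-binding" \
    --role="$ROLE" --serviceaccount="$NS:$SA"
}

# can_i VERB RESOURCE NAMESPACE -> prints "yes" or "no" as kubectl reports it.
# kubectl exits non-zero on "no", so the status is swallowed and only the answer kept.
can_i() {
  local verb="$1" resource="$2" ns="$3"
  "$KUBECTL" auth can-i "$verb" "$resource" -n "$ns" \
    --as "system:serviceaccount:$NS:$SA" 2>/dev/null || true
}

# Expectation table: verb resource namespace expected-answer.
# The "no" rows are the point: least privilege is only proven by the denials.
EXPECTATIONS="
get    pods    $NS     yes
list   pods    $NS     yes
delete pods    $NS     no
get    secrets $NS     no
list   pods    default no
"

# verify_rbac -> prints one line per check; returns 1 if any expectation is violated.
verify_rbac() {
  local failures=0 verb resource ns expected actual
  while read -r verb resource ns expected; do
    [ -n "$verb" ] || continue
    actual="$(can_i "$verb" "$resource" "$ns")"
    if [ "$actual" = "$expected" ]; then
      printf 'OK   %-6s %-8s in %-8s -> %s\n' "$verb" "$resource" "$ns" "$actual"
    else
      printf 'FAIL %-6s %-8s in %-8s -> got %s, expected %s\n' \
        "$verb" "$resource" "$ns" "${actual:-?}" "$expected"
      failures=$((failures + 1))
    fi
  done <<EOF
$EXPECTATIONS
EOF
  [ "$failures" -eq 0 ]
}

# Usage against a real cluster (run explicitly, so sourcing the file has no side effects):
#   setup_rbac && verify_rbac
```

If the binding were created with `kubectl create clusterrolebinding` instead, the `list pods default` row would flip to `yes`, which is exactly the kind of over-grant this table is meant to catch.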
