Day 23/40 - Kubernetes RBAC Explained - Role Based Access Control Kubernetes
About this video
### Comprehensive Final Summary

This session, **Day 23 of the EK 2024 Series**, delves into **role-based authorization (RBAC)** in Kubernetes, providing a detailed walkthrough of creating and managing user access permissions. The session combines theoretical explanations with practical demonstrations, offering hands-on tasks and resources available in the GitHub repository for Day 23. Below is a comprehensive summary of the key topics, challenges, and solutions discussed:

---

### **Session Overview**

The primary objective of this session is to demonstrate how to set up **authentication** and **authorization** for users in Kubernetes, focusing on role creation, certificate management, and API access verification. The session also emphasizes community engagement, encouraging viewers to support the instructor's journey by achieving **200 likes and 200 comments**.

---

### **Previous Context (Day 21)**

In a prior session, a new user named **Adam** was created, including the generation and approval of his certificate. However, Adam lacked access to Kubernetes resources because only **authentication** was configured, leaving **authorization** unaddressed. This session builds on that foundation by implementing RBAC to grant Adam (and later Krishna) specific permissions.

---

### **Authorization Process**

1. **Initial Access Check**:
   - Used the command:
     ```bash
     kubectl auth can-i get pods --as=Adam
     ```
   - Result: Adam had **no access**, confirming the need for role-based authorization.

2. **Role Creation**:
   - Created a **Role** YAML file specifying:
     - API groups (`""` for core resources),
     - Resources (`pods`),
     - Verbs (`get`, `watch`, `list`).
   - Applied the Role using:
     ```bash
     kubectl apply -f role.yaml
     ```

3. **RoleBinding**:
   - Created a **RoleBinding** YAML file to bind the Role to Adam, specifying:
     - Subject (user Adam),
     - Role reference.
   - Applied the RoleBinding using:
     ```bash
     kubectl apply -f rolebinding.yaml
     ```

4. **Verification**:
   - Rechecked access with:
     ```bash
     kubectl auth can-i get pods --as=Adam
     ```
   - Result: Adam now had **access granted**.

---

### **Logging in as Adam**

- Added Adam's credentials to the kubeconfig using:
  ```bash
  kubectl config set-credentials
  ```
- Set a context for Adam using:
  ```bash
  kubectl config set-context
  ```
- Switched to Adam's context with:
  ```bash
  kubectl config use-context Adam
  ```

---

### **Certificate Issue**

- Encountered an **unauthorized error** due to an **expired certificate**.
- Attempted to renew the certificate using OpenSSL commands but faced mismatches between the CA certificate and key.
- To bypass renewal complexities, generated a **new certificate** for a user named **Krishna**.

---

### **Updated RoleBinding**

- Modified the RoleBinding to include Krishna instead of Adam.
- Verified Krishna's access with:
  ```bash
  kubectl auth can-i get pods --as=Krishna
  ```
- Result: Krishna's access was successfully granted.

---

### **Final Steps**

1. **Kubeconfig Update**:
   - Updated kubeconfig with Krishna's credentials and context.
   - Switched to Krishna's context using:
     ```bash
     kubectl config use-context Krishna
     ```

2. **Access Testing**:
   - Attempted to list pods but encountered issues likely caused by malformed certificates or configuration errors.
   - Demonstrated that Krishna could only perform permitted actions (e.g., listing pods) while being restricted from unauthorized operations (e.g., listing deployments).

3. **Direct API Calls**:
   - Showcased how to make REST API calls to the Kubernetes API server using `curl`, passing the necessary certificates for authentication.

---

### **Key Takeaways**

- **Authentication vs. Authorization**: Authentication verifies identity, while authorization defines what actions a user can perform.
- **RBAC Components**:
  - **Roles**: Define permissions for specific resources.
  - **RoleBindings**: Bind Roles to users or groups.
- **Hands-On Learning**: The session emphasized the importance of understanding both **declarative** (YAML-based) and **imperative** (command-based) methods for role creation.
- **Troubleshooting**: Addressed common challenges like expired certificates and configuration mismatches, providing practical solutions such as regenerating certificates.

---

### **Broader Context**

This session is part of a larger discussion on **Kubernetes security**, with upcoming videos covering:

- **Cluster Roles**: Extending permissions across namespaces.
- **
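The Role and RoleBinding described in the Authorization Process above, written out declaratively as an added example (this is not the video's or the Day 23 repository's own manifest). The object names and the `default` namespace are assumptions; the subject name must match the CN in the user's client certificate exactly, since Kubernetes usernames are case-sensitive.

```yaml
# Added example, not from the video or its GitHub repo.
# Role: read-only access to pods in one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader          # assumed name
  namespace: default        # assumed namespace; a Role is namespace-scoped
rules:
- apiGroups: [""]           # "" is the core API group, where pods live
  resources: ["pods"]
  verbs: ["get", "watch", "list"]   # read-only: no create, delete or exec
---
# RoleBinding: attach the Role above to the user Adam.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods-adam      # assumed name
  namespace: default        # must be the same namespace as the Role
subjects:
- kind: User
  name: Adam                # must equal the CN of Adam's client certificate
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader          # refers to the Role defined above
  apiGroup: rbac.authorization.k8s.io
```

After `kubectl apply -f` on this file, `kubectl auth can-i get pods --as=Adam` should answer `yes`, while `kubectl auth can-i list deployments --as=Adam` should still answer `no`, because deployments are in the `apps` API group and are not listed in the Role.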
Course: Certified Kubernetes Administrator Full Course For beginners | CKA 2025
This playlist contains the complete CKA series for beginners, based on the latest 2025 curriculum. It includes 40+ videos with hands-on demos, assignments, and exam-based scenarios. We will cover everything from the basics to advanced topics, including fundamental concepts such as Docker, containers, Docker storage and networking, DNS, etc.