Mastering Kubernetes One Task at a Time — RBAC Authorization with X509 Client Cert Authentication
An end-to-end example of Kubernetes Role-based access control (RBAC) authorization with User Account authentication.
Table of Contents
- Introduction
- Create KIND Cluster
- Part 1 — Create Pod, Role, and RoleBinding
- Part 2 — Create X509 Client Certs Authenticated “User”
- Part 3 — Test RBAC Authorization
- Conclusion
Introduction
True to its promise, The AWS Way — IaC in Action — A Docker and KIND Ready Amazon EC2 Node, has been my constant everyday companion since I wrote the blog a few weeks ago. I’ve been using it to create my KIND cluster and practice as many Kubernetes tasks as possible following the Kubernetes.io official guide. This single EC2 instance with the three “nodes” cluster has proven surprisingly resilient throughout the practice and testing cycle.
Taking a step further, now I’ve equipped this environment with a GitHub repository housing all my scripts under the /home/ec2-user/jdluther-kubernetes-io-tasks folder. You’re free to use these scripts for your purpose. The gist code below explains how to take advantage of these treasures. The repo is still a work in progress. I continue to add complete end-to-end scripts to make it easy to fire off the cluster and then practice these scripts one by one predictably and painlessly.
All towards the noble end-goal of Mastering Kubernetes One Task at a Time.
In this edition, I am going to present the RBAC authorization example. As you’ll see, the completeness of the scripts helps to learn and test out the concepts in a matter of a few minutes. It also provides the repeatability opportunity to play around and experiment further on your own.
I hope to bring similar demonstrations of all the other Kubernetes tasks in future posts.
Create KIND Cluster
All Kubernetes tasks will need a cluster, so we begin by creating the cluster using the Infrastructure as Code (IaC). Below are the blog and the gist code links to fire off terraform and prepare the cluster.
Please note this section would be a leitmotif of all Kubernetes tasks I am going to cover, including the present and future ones.
- Gist code — The AWS Way — IaC in Action — A Docker and KIND Ready Amazon EC2 Node-IaC Code. See the raw version for better readability and easier command copy/paste.
- See blog for more details — The AWS Way — IaC in Action — A Docker and KIND Ready Amazon EC2 Node.
Part 1 — Create Pod, Role, and RoleBinding
The entire demonstration consists of THREE parts, starting with Part I below, where we’ll create the Kubernetes role and bind the Role to a Kubernetes cluster “user” that we’d create in Part II. And, of course, we’ll also create the pod that the Role is trying to manage through its authorization specification.
Kubernetes.io — Using RBAC Authorization is the page you want to refer to for more information and learn about Kubernetes Role and RoleBinding.
Again, everything has already been bootstrapped in the EC2 instance running Docker and KIND cluster. The code below demonstrates how to execute the tasks using the provided code via the GitHub repo. You have full liberty to bypass the gist code below and instead refer to and run the code given in the script residing in the EC2 instance.
Part 2 — Create X509 Client Certs Authenticated “User”
I put “user” in quotes to emphasize the Kubernetes.io — Authenticating page explanation of the user concept in a Kubernetes cluster. And this is where the X509 Client Certs come into play.
The code below shows how to create the user rbac-test that we used in our RoleBinding manifest above, along with managing the kubectl config command to toggle between the admin and rbac-test user contexts.
Part 3 — Test RBAC Authorization
Having created the rbac-test user and learned how to switch context to make Kubernetes API requests as this user, we’re ready to test the RBAC concept using the pod, Role, and RoleBinding objects we created previously.
The code is self-explanatory. We’ve chosen a simple example to demonstrate pod activity authorization in a given namespace. Our goal is to conduct positive and negative test scenarios.
Conclusion
Role-based access control (RBAC) regulates access to computer or network resources based on the roles of individual users within an organization. Kubernetes has its own RBAC implementation compliant with its architecture.
In this blog, I’ve presented the end-to-end example code to demonstrate how RBAC Authorization works with X509 Client Cert-based User Authentication.
This Kubernetes task code is capable of running on any Kubernetes cluster. My demonstration uses the KIND cluster that I presented in my earlier The AWS Way — IaC in Action — A Docker and KIND Ready Amazon EC2 Node post.
Please take the opportunity to try it, and it runs exactly as promised. Let me know via comments otherwise.
You may also like to check out the below post as a next step:
Good luck!
If you benefited from reading the post, please 👏 a few times before parting, and help others by sharing it; I highly appreciate that!
Please follow to stay in touch, track, and be the first to get notified of all future writings on AWS Cloud, Containers, Kubernetes, and Machine Learning. Also, check all my stories on The AWS Way publication.
