![[The AI Show Episode 142]: ChatGPT’s New Image Generator, Studio Ghibli Craze and Backlash, Gemini 2.5, OpenAI Academy, 4o Updates, Vibe Marketing & xAI Acquires X](https://www.marketingaiinstitute.com/hubfs/ep%20142%20cover.png)
![[FREE EBOOKS] The Kubernetes Bible, The Ultimate Linux Shell Scripting Guide & Four More Best Selling Titles](https://www.javacodegeeks.com/wp-content/uploads/2012/12/jcg-logo.jpg){kind=logo}
![From drop-out to software architect with Jason Lengstorf [Podcast #167]](https://cdn.hashnode.com/res/hashnode/image/upload/v1743796461357/f3d19cd7-e6f5-4d7c-8bfc-eb974bc8da68.png?#)
.png?#)
.jpg?#)
_Christophe_Coat_Alamy.jpg?#)
![Rapidus in Talks With Apple as It Accelerates Toward 2nm Chip Production [Report]](https://www.iclarified.com/images/news/96937/96937/96937-640.jpg)
Implementing Role-Based Access Control (RBAC) in Minikube
Article by Noble Mutuwa Mulaudzi: DevOps Engineer Role-Based Access Control (RBAC) allows you to define permissions for users in a Kubernetes cluster. This guide walks through setting up RBAC in Minikube using a ServiceAccount. ## Understanding Key RBAC Terms Before implementing RBAC, it's important to understand the main concepts: Role: Defines a set of permissions within a namespace. ClusterRole: Similar to a Role but applies across the entire cluster. RoleBinding: Associates a Role with a user, group, or ServiceAccount within a specific namespace. ClusterRoleBinding: Similar to RoleBinding but applies cluster-wide. ServiceAccount: An account used by applications running inside the cluster to interact with Kubernetes resources. ## Why Implement RBAC? RBAC is crucial for securing your Kubernetes environment by: Restricting Access: Prevents unauthorized users from making changes. Least Privilege Principle: Users and services only get the minimum permissions needed. Enhanced Security: Reduces the risk of accidental or malicious actions. Compliance and Auditability: Helps meet security policies and regulatory requirements. ## Step 1: Create a ServiceAccount First, create a ServiceAccount named dev-user in the default namespace. apiVersion: v1 kind: ServiceAccount metadata: name: dev-user namespace: default Apply the configuration: kubectl apply -f sa.yaml ## Step 2: Create a Role Define a Role that grants limited permissions. The following configuration allows listing and getting pods. apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: pod-reader namespace: default rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "list"] Apply the role: kubectl apply -f role.yaml Step 3: Bind the Role to the ServiceAccount Create a RoleBinding to associate the pod-reader role with the dev-user ServiceAccount. apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: pod-reader-binding namespace: default subjects: - kind: ServiceAccount name: dev-user namespace: default roleRef: kind: Role name: pod-reader apiGroup: rbac.authorization.k8s.io Apply the binding: kubectl apply -f rolebinding.yaml ## Step 4: Get a Token for the ServiceAccount Run the following command to generate a token: kubectl create token dev-user --namespace default This token is required for authentication. Step 5: Use the Token to Authenticate 1. Extract the token: TOKEN=$(kubectl create token dev-user --namespace default) 2. Set up a new context: kubectl config set-credentials dev-user --token=$TOKEN kubectl config set-context dev-user-context --cluster=minikube --user=dev-user kubectl config use-context dev-user-context 3. Verify access: kubectl get pods You should be able to list pods but not create, delete, or modify them. Step 6: Test Restricted Access Try running: kubectl delete pod It should fail due to insufficient permissions. ## Conclusion This setup ensures that dev-user has restricted access based on RBAC rules. You can extend this setup to include permissions for additional resources like services and deployments if needed.
Article by Noble Mutuwa Mulaudzi: DevOps Engineer
Role-Based Access Control (RBAC) allows you to define permissions for users in a Kubernetes cluster. This guide walks through setting up RBAC in Minikube using a ServiceAccount.
## Understanding Key RBAC Terms
Before implementing RBAC, it's important to understand the main concepts:
- Role: Defines a set of permissions within a namespace.
- ClusterRole: Similar to a Role but applies across the entire cluster.
- RoleBinding: Associates a Role with a user, group, or ServiceAccount within a specific namespace.
- ClusterRoleBinding: Similar to RoleBinding but applies cluster-wide.
- ServiceAccount: An account used by applications running inside the cluster to interact with Kubernetes resources.
## Why Implement RBAC?
RBAC is crucial for securing your Kubernetes environment by:
- Restricting Access: Prevents unauthorized users from making changes.
- Least Privilege Principle: Users and services only get the minimum permissions needed.
- Enhanced Security: Reduces the risk of accidental or malicious actions.
- Compliance and Auditability: Helps meet security policies and regulatory requirements.
## Step 1: Create a ServiceAccount
First, create a ServiceAccount named dev-user in the default namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
name: dev-user
namespace: default
Apply the configuration:
kubectl apply -f sa.yaml
## Step 2: Create a Role
Define a Role that grants limited permissions. The following configuration allows listing and getting pods.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pod-reader
namespace: default
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
Apply the role:
kubectl apply -f role.yaml
Step 3: Bind the Role to the ServiceAccount
Create a RoleBinding to associate the pod-reader role with the dev-user ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: pod-reader-binding
namespace: default
subjects:
- kind: ServiceAccount
name: dev-user
namespace: default
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
Apply the binding:
kubectl apply -f rolebinding.yaml
## Step 4: Get a Token for the ServiceAccount
Run the following command to generate a token:
kubectl create token dev-user --namespace default
This token is required for authentication.
Step 5: Use the Token to Authenticate
1. Extract the token:
TOKEN=$(kubectl create token dev-user --namespace default)
2. Set up a new context:
kubectl config set-credentials dev-user --token=$TOKEN
kubectl config set-context dev-user-context --cluster=minikube --user=dev-user
kubectl config use-context dev-user-context
3. Verify access:
kubectl get pods
You should be able to list pods but not create, delete, or modify them.
Step 6: Test Restricted Access
Try running:
kubectl delete pod
It should fail due to insufficient permissions.
## Conclusion
This setup ensures that dev-user has restricted access based on RBAC rules. You can extend this setup to include permissions for additional resources like services and deployments if needed.
