github/container.training
1
0
Fork 0
mirror of https://github.com/jpetazzo/container.training.git synced 2026-02-14 17:49:59 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
container.training/slides/exercises/polykuberbac-details.md
Jérôme Petazzoni 2cef200726 Add DMUC+RBAC exercises
2023-12-03 15:38:43 -06:00

2.3 KiB
Raw Permalink Blame History

Exercise — Enable RBAC

  • We want to enable RBAC on the "polykube" cluster

    (it doesn't matter whether we have 1 or multiple nodes)

  • Ideally, we want to have, for instance:

    • one key, certificate, and kubeconfig for a cluster admin

    • one key, certificate, and kubeconfig for a user
      (with permissions in a single namespace)

  • Bonus points: enable the NodeAuthorizer too!

  • Check the following slides for hints

Step 1

  • Enable RBAC itself!

--

  • This is done with an API server command-line flag

--

--

  • For now, only enable --authorization-mode=RBAC

Step 2

  • Our certificate doesn't work anymore, we need to generate a new one

--

  • We need a certificate that will have some (ideally all) permissions

--

  • Two options:

    • use the equivalent of "root" (identity that completely skips permission checks)

    • a "non-root" identity but which is granted permissions with RBAC

--

  • The "non-root" option looks nice, but to grant permissions, we need permissions

  • So let's start with the equivalent of "root"!

--

  • The Kubernetes equivalent of root is the group system:masters

Step 2, continued

  • We need to generate a certificate for a user belonging to group system:masters

--

  • In Kubernetes certificates, groups are encoded with the "organization" field

--

  • That corresponds to O=system:masters

--

  • In other words we need to generate a new certificate, but with a subject of:

    /CN=admin/O=system:masters/ (the CN doesn't matter)

  • That certificate should be able to interact with the API server, like before

Step 3

  • Now, all our controllers have permissions issues

  • We need to either:

    • use that system:masters cert everywhere

    • generate different certs for every controller, with the proper identities

  • Suggestion: use system-masters everywhere to begin with

    (and make sure the cluster is back on its feet)

Step 4

At this point, there are two possible forks in the road:

  1. Generate certs for the control plane controllers

    (kube-controller-manager, kube-scheduler)

  2. Generate cert(s) for the node(s) and enable NodeAuthorizer

Good luck!

Reference in New Issue View Git Blame Copy Permalink