Ajeet Raina Docker Captain, ARM Innovator & Docker Bangalore Community Leader.

Limit access to Kubernetes Resources using RBAC – KubeLabs Glossary



RBAC is a security design that restricts access to valuable resources based on the role the user holds, hence the name role-based. To understand the importance and the need of having RBAC policies in place, let’s consider a system that doesn’t use it. Let’s say that you have an HR management solution, but the only security access measure used is that users must authenticate themselves through a username and a password. Having provided their credentials, users gain full access to every module in the system (recruitment, training, staff performance, salaries, etc.). A slightly more secure system will differentiate between regular user access and “admin” access, with the latter providing potentially destructive privileges. For example, ordinary users cannot delete a module from the system, whereas an administrator can. But still, users without admin access can read and modify the module’s data regardless of whether their current job entails doing this.

Figure: request handling steps for a Kubernetes API request.

If you have worked as a Linux administrator for any length of time, you appreciate the importance of a security model that implements a matrix of access and authority. In the early days of Linux and UNIX you were either a “normal” user with minimal access to system resources, or you had “root” access. Root access gives you virtually full control over the machine, to the point where a single mistake can bring the whole system down; needless to say, if an intruder gains access to the root account, the entire system is at risk. RBAC systems were introduced to address exactly this.

In a system that uses RBAC, there is minimal mention of the “superuser” or the administrator who has access to everything. Instead, there’s more reference to the access level, the role, and the privilege. Even administrators can be categorized based on their job requirements. So, backup administrators should have full access to the tools that they use to do backups. But they shouldn’t be able to stop the webserver or change the system’s date and time.

Creating a Kubernetes User Account Using X509 Client Certificate


  • Open https://labs.play-with-k8s.com/
  • Follow https://collabnix.github.io/kubelabs/kube101.html to create 3 Node K8s Cluster

Creating Client Certificates

To create a client certificate in PWK you need to have the openssl tool installed. To do that, run the following command:

[node1 ~]$ yum install openssl

Let’s create a user account for our labs. Kubernetes supports several user authentication methods and can chain more than one: the API server tries each configured authenticator in turn, the first one that succeeds authenticates the request, and the request is rejected only if all of them fail. Note that Kubernetes has no User API object; a user exists only as the name an authenticator extracts from the credential, which for a client certificate is the Common Name. In this example we’ll use a single method, an X509 client certificate, to create a user account called div.

First, we need to create the client key:

[node1 ~]$ openssl genrsa -out div.key 2048
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)

Then, we need to create a certificate signing request. The certificate’s Common Name (CN) becomes the Kubernetes user name and any Organization (O) fields become the user’s groups, so keep the subject minimal:

[node1 ~]$ openssl req -new -key div.key -out div.csr -subj "/CN=div"

Next we need the cluster’s own CA certificate and key from /etc/kubernetes/pki (you can use your own CA, but for this lab we are restricting ourselves to the pre-existing cluster CA). Be aware of what you are handling: anyone holding ca.key can mint a certificate for any user name, including a member of the system:masters group, so on a real cluster leave the key on the control plane and issue user certificates through the CertificateSigningRequest API instead. Once you copy the certificate and the key to the root folder you should see the following files there:

[node1 ~]$ cd /etc/kubernetes/pki/
[node1 pki]$ cp ca.crt ca.key /root/
[node1 pki]$ cd ~
[node1 ~]$ ls
anaconda-ks.cfg  ca.crt  ca.key  div.csr  div.key

Now let’s sign the user’s signing request with the cluster CA certificate and key, producing a client certificate valid for 300 days:

[node1 ~]$ openssl x509 -req -in div.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out div.crt -days 300
Signature ok
Getting CA Private Key

Adding the user’s credentials to our kubeconfig file

[node1 ~]$ kubectl config set-credentials div --client-certificate=div.crt --client-key=div.key
User "div" set.

Testing permissions for the user

Passing --user=div makes kubectl present div’s certificate to the API server of the current context. A cluster admin can ask the same question without issuing the request with kubectl auth can-i list pods --as=div.

[node1 ~]$ kubectl run apache --image=apache
kubectl run --generator=deployment/apps.v1 is DEPRECATED and will be removed in a future version. Use kubectl run --generator=run-pod/v1 or kubectl create instead.deployment.apps/apache created
[node1 ~]$ kubectl get po
NAME                      READY   STATUS    RESTARTS   AGE
apache-64df49d484-2lfbb   0/1     Pending   0          6s
[node1 ~]$ kubectl --user=div get pods
Error from server (Forbidden): pods is forbidden: User "div" cannot list resource "pods" in API group "" in the namespace "default"

Creating Role and Role Binding

A Role in Kubernetes plays the part a group plays in other RBAC implementations. Instead of defining separate authorization rules for each user, you attach the rules to the Role and bind users to it. When a user leaves, for example, you only need to remove them from the binding. Similarly, when a new user joins the company or transfers to another department, you only need to change the Roles they are bound to.

Let’s create a Role that allows our user to run the get pods command:

[node1 ~]$ cat > role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: get-pods
rules:
  - apiGroups: ["*"]
    resources: ["pods"]
    verbs: ["list"]
[node1 ~]$ kubectl apply -f role.yaml
role.rbac.authorization.k8s.io/get-pods created

Now we have a Role that allows its holders to list the pods in the default namespace. But for div to be able to run get pods, the user must be bound to this Role.

Kubernetes offers the RoleBinding resource to link Roles with their subjects (users, groups or service accounts). Create a role-binding.yaml file that looks as follows:

[node1 ~]$ cat > role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: div-get-pods
subjects:
- kind: User
  name: div
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: get-pods
  apiGroup: rbac.authorization.k8s.io
[node1 ~]$ kubectl apply -f role-binding.yaml
rolebinding.rbac.authorization.k8s.io/div-get-pods created

Now let’s see if div can list pods on the cluster

[node1 ~]$ kubectl --user=div get pods
NAME                       READY   STATUS    RESTARTS   AGE
my-nginx-6dd86d77d-4t879   1/1     Running   0          28m
my-nginx-6dd86d77d-l6dzk   1/1     Running   0          28m
my-nginx-6dd86d77d-l8ct6   1/1     Running   0          28m
tomcat-5bf5db7bbd-xvwlr    1/1     Running   0          3m19s

Now let’s try to delete the tomcat pod using the user div.

[node1 ~]$ kubectl --user=div delete pods tomcat-5bf5db7bbd-xvwlr
Error from server (Forbidden): pods "tomcat-5bf5db7bbd-xvwlr" is forbidden: User "div" cannot delete resource "pods" in API group "" in the namespace "default"

As you can see, the user was able to list the pods but not to delete them. To understand why, let’s have a look at the get-pods Role rules:

• apiGroups is an array of the API groups this rule applies to. Pods live in the core group, written as the empty string "" (a Pod definition uses apiVersion: v1, with no group prefix), while Deployments live in apps. We chose ["*"], which matches every API group; [""] would be the least-privilege choice here, since pods exist only in the core group.
• resources is an array that defines which resources this rule applies to. For example, we could give this user access to pods, jobs and deployments.
• verbs is an array of the allowed verbs. A verb in Kubernetes is the type of action applied to the resource: list is used against collections, while get is used against a single resource. So, given the current access level granted to div, a command like kubectl --user=div get pods hostpath-pd will fail while kubectl --user=div get pods is accepted, because the first command requests information about a single pod and therefore needs the get verb. For more information about the verbs used by Kubernetes, check the official documentation.

Let’s assume that we need div to have read-only access to pods, both as a collection and as single resources (the list and get verbs), but we don’t want it to delete Pods directly. Instead, we grant it access to the Deployment resource; through Deployments it can delete and recreate pods (for example through rolling updates). A policy to achieve this may look as follows:

[node1 ~]$ rm -f role.yaml
[node1 ~]$ cat > role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: get-pods
rules:
  - apiGroups: ["*"]
    resources: ["pods"]
    verbs: ["list","get","watch"]
  - apiGroups: ["extensions","apps"]
    resources: ["deployments"]
    verbs: ["get","list","watch","create","update","patch","delete"]
[node1 ~]$ kubectl apply -f role.yaml
role.rbac.authorization.k8s.io/get-pods configured

We made two changes here:

• Added the get and watch verbs to the rule for Pods.
• Created a new rule that targets Deployments and lists the verbs needed to give the user full control over them. Note that create on Deployments is a powerful grant in its own right: div now controls the pod spec of anything it deploys in the namespace, so on a real cluster pair it with pod admission policy rather than relying on the missing delete verb for Pods.

Now, let’s test the different actions that our user is and is not allowed to do. First, we create a simple Nginx deployment:

[node1 ~]$ cat > deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80
[node1 ~]$ kubectl --user=div get po
NAME                      READY   STATUS    RESTARTS   AGE
tomcat-5bf5db7bbd-xvwlr   1/1     Running   0          18m
[node1 ~]$ kubectl --user=div apply -f deployment.yaml
deployment.apps/nginx-deployment created
[node1 ~]$ kubectl --user=div get po
NAME                               READY   STATUS              RESTARTS   AGE
nginx-deployment-6dd86d77d-bccwq   0/1     Pending             0          6s
nginx-deployment-6dd86d77d-bhjmn   0/1     ContainerCreating   0          6s
nginx-deployment-6dd86d77d-hfhhm   0/1     ContainerCreating   0          6s
tomcat-5bf5db7bbd-xvwlr            1/1     Running             0          18m

Get a single Pod

[node1 ~]$ kubectl --user=div get po nginx-deployment-6dd86d77d-hfhhm
NAME                               READY   STATUS    RESTARTS   AGE
nginx-deployment-6dd86d77d-hfhhm   1/1     Running   0          95s

What about deleting this Pod

[node1 ~]$ kubectl --user=div delete po nginx-deployment-6dd86d77d-hfhhm
Error from server (Forbidden): pods "nginx-deployment-6dd86d77d-hfhhm" is forbidden: User "div" cannot delete resource "pods" in API group "" in the namespace "default"

OK so we cannot directly delete Pods. But we should be able to delete them by deleting the deployment.

[node1 ~]$ kubectl --user=div delete -f deployment.yaml
deployment.apps "nginx-deployment" deleted
[node1 ~]$ kubectl --user=div get po
NAME                      READY   STATUS    RESTARTS   AGE
tomcat-5bf5db7bbd-xvwlr   1/1     Running   0          27m

Notice that in all the preceding examples we didn’t specify a namespace, so our Role and RoleBinding were created in the namespace of the current kubectl context, which is default. A Role applies only within the namespace it is defined in. So, if we changed the metadata of our Role to look like this:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: get-pods
  namespace: web

the div user would have no access to pods or deployments except in the web namespace, and only once the RoleBinding is moved there as well: a RoleBinding can only reference a Role in its own namespace, and it grants nothing outside that namespace.

But sometimes you need Roles that are not bound to a specific namespace but apply to the cluster as a whole, for example to grant access to cluster-scoped resources such as nodes or namespaces. That’s when the ClusterRole comes into play.

Cluster-Wide Authorization Using ClusterRoles

ClusterRoles work the same as Roles, but they are not tied to a namespace. They are commonly used for service accounts (accounts used and managed internally by the cluster). For example, the External DNS project (https://github.com/kubernetes-incubator/external-dns) uses a ClusterRole to obtain the permissions it needs. External DNS publishes the hostnames of Kubernetes Services and Ingresses to external DNS providers, so it needs read-only access to Services and Ingresses in all namespaces, but it shouldn’t be granted any further privileges (like modifying or deleting resources). The manifests for such an account should look as follows:

[node1 ~]$ cat > cluster-role-binding.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-dns
rules:
- apiGroups: [""]              # Services live in the core API group
  resources: ["services"]
  verbs: ["get","watch","list"]
- apiGroups: ["extensions","networking.k8s.io"]   # Ingress moved groups across versions
  resources: ["ingresses"]
  verbs: ["get","watch","list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
subjects:
- kind: ServiceAccount
  name: external-dns
  namespace: default
roleRef:
  kind: ClusterRole
  name: external-dns
  apiGroup: rbac.authorization.k8s.io
[node1 ~]$ kubectl apply -f cluster-role-binding.yaml
serviceaccount/external-dns created
clusterrole.rbac.authorization.k8s.io/external-dns created
clusterrolebinding.rbac.authorization.k8s.io/external-dns-viewer created

The file above contains three objects:

• A ServiceAccount to use with the container running the application.
• A ClusterRole that grants the read-only verbs on the Service and Ingress resources. The apiGroups must name the groups the resources actually live in (the core group "" for Services, extensions or networking.k8s.io for Ingresses depending on the Kubernetes version); a rule naming the wrong group silently grants nothing.
• A ClusterRoleBinding, which works the same as a RoleBinding but for ClusterRoles. The subject here is a ServiceAccount rather than a User, and its name is external-dns.

Another everyday use case for ClusterRoles is granting cluster administrators different privileges depending on their roles. For example, a junior cluster operator should have read-only access to resources to get acquainted; more access can be granted later on.
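To make the evaluation rules concrete, here is an added example (not part of the original lab, and not kube-apiserver code) that models how the API server’s RBAC authorizer decides a request, using the get-pods Role and div-get-pods RoleBinding from the Role section together with the external-dns ClusterRole and ClusterRoleBinding from this section. The policy objects are constructed as Python dicts mirroring the YAML; the one deliberate departure is that pods use the core API group "" rather than the lab’s broader "*". The web namespace and the nodes check are assumptions added for illustration.

```python
"""Toy model of the RBAC authorizer (added example, stdlib only).

Rules reproduced from the documented RBAC semantics:
  * a PolicyRule matches when apiGroup, resource and verb all match; "*" is a wildcard
  * a RoleBinding grants its Role (or a referenced ClusterRole) only inside its namespace
  * a ClusterRoleBinding grants a ClusterRole in every namespace and cluster-wide
  * RBAC is purely additive: there is no deny rule, so the first grant decides
"""
from typing import List, Optional

# Policy mirroring this page's YAML (constructed input, not read from a cluster).
ROLES = [
    {"kind": "Role", "name": "get-pods", "namespace": "default", "rules": [
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["extensions", "apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    ]},
    {"kind": "ClusterRole", "name": "external-dns", "namespace": None, "rules": [
        {"apiGroups": [""], "resources": ["services"],
         "verbs": ["get", "watch", "list"]},
        {"apiGroups": ["extensions", "networking.k8s.io"], "resources": ["ingresses"],
         "verbs": ["get", "watch", "list"]},
    ]},
]
BINDINGS = [
    {"kind": "RoleBinding", "name": "div-get-pods", "namespace": "default",
     "subjects": [{"kind": "User", "name": "div"}],
     "roleRef": {"kind": "Role", "name": "get-pods"}},
    {"kind": "ClusterRoleBinding", "name": "external-dns-viewer",
     "subjects": [{"kind": "ServiceAccount", "name": "external-dns",
                   "namespace": "default"}],
     "roleRef": {"kind": "ClusterRole", "name": "external-dns"}},
]

# Identities as the authorizer sees them after authentication: name plus groups.
# For a client certificate the name is the CN and the groups are the O fields.
DIV = {"name": "div", "groups": ["system:authenticated"]}
# A service-account token authenticates as this synthetic user name.
EXTERNAL_DNS = {"name": "system:serviceaccount:default:external-dns",
                "groups": ["system:serviceaccounts", "system:authenticated"]}


def _matches(allowed: List[str], value: str) -> bool:
    """RBAC list semantics: '*' matches anything, otherwise exact match."""
    return "*" in allowed or value in allowed


def rule_allows(rule: dict, group: str, resource: str, verb: str) -> bool:
    """A single PolicyRule grants the request only if all three lists match."""
    return (_matches(rule.get("apiGroups", []), group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def subject_matches(subject: dict, user: dict) -> bool:
    """Map a binding subject onto the authenticated identity."""
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return user["name"] == name
    if kind == "Group":
        return name in user.get("groups", [])
    if kind == "ServiceAccount":
        return user["name"] == f"system:serviceaccount:{subject['namespace']}:{name}"
    return False


def _find_role(kind: str, name: str, namespace: Optional[str]) -> Optional[dict]:
    for role in ROLES:
        if (role["kind"], role["name"], role["namespace"]) == (kind, name, namespace):
            return role
    return None  # dangling roleRef (or ClusterRoleBinding -> Role): grants nothing


def can_i(user: dict, verb: str, resource: str, group: str = "",
          namespace: Optional[str] = None) -> bool:
    """Decide a request the way `kubectl auth can-i` would report it.
    namespace=None means a cluster-scoped resource such as nodes."""
    for binding in BINDINGS:
        if not any(subject_matches(s, user) for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        if binding["kind"] == "RoleBinding":
            # Grants only inside the binding's namespace, even when it
            # references a ClusterRole; never for cluster-scoped resources.
            if namespace is None or namespace != binding["namespace"]:
                continue
            role_ns = binding["namespace"] if ref["kind"] == "Role" else None
        else:
            role_ns = None  # ClusterRoleBinding: ClusterRole only, applies everywhere
        role = _find_role(ref["kind"], ref["name"], role_ns)
        if role and any(rule_allows(r, group, resource, verb) for r in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    for user, verb, resource, group, ns in [
            (DIV, "list", "pods", "", "default"),
            (DIV, "delete", "pods", "", "default"),
            (DIV, "delete", "deployments", "apps", "default"),
            (DIV, "list", "pods", "", "web"),
            (DIV, "list", "nodes", "", None),
            (EXTERNAL_DNS, "list", "ingresses", "networking.k8s.io", "web"),
            (EXTERNAL_DNS, "delete", "services", "", "default")]:
        where = f"in {ns}" if ns else "(cluster-scoped)"
        print(f"{user['name']:45} {verb:7} {resource:12} {where:16} "
              f"-> {'yes' if can_i(user, verb, resource, group, ns) else 'no'}")
```

The checks in the main block reproduce the lab’s Forbidden responses for div and show the two things the lab only states in prose: the RoleBinding stops granting anything the moment the namespace changes, while the ClusterRoleBinding lets the external-dns service account read Ingresses in any namespace without ever gaining delete. On a real cluster the same questions go to kubectl auth can-i.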


• Kubernetes uses RBAC to control access to its resources according to the rules set in Roles and ClusterRoles.
• Roles and ClusterRoles express those rules as API groups, resources and verbs; access is additive, and there is no deny rule.
• Roles and ClusterRoles grant nothing until they are linked to a subject (User, Group or ServiceAccount) through a RoleBinding or ClusterRoleBinding.
• Roles and RoleBindings work within a single namespace; if none is specified they are created in the namespace of the current kubectl context, normally “default”.
• ClusterRoles are not bound to a namespace: through a ClusterRoleBinding they apply to the cluster as a whole, including cluster-scoped resources.




Have Queries? Join https://launchpass.com/collabnix



© Copyright Collabnix Inc

Built for Collabnix Community, by Community