From fb8efbe29fdd2348474a67ba66268d7dbd306431 Mon Sep 17 00:00:00 2001
From: Jérôme Petazzoni
Date: Sat, 2 Oct 2021 15:35:57 +0200
Subject: [PATCH] 🔐 Update RBAC demo to remove --serviceaccount
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Thanks @dcromer for notifying me of that deprecation.

Closes #596
---
 slides/k8s/authn-authz.md | 113 ++++++++++++++++++++++----------------
 1 file changed, 66 insertions(+), 47 deletions(-)

diff --git a/slides/k8s/authn-authz.md b/slides/k8s/authn-authz.md
index b9d751c04..da1b59ab1 100644
--- a/slides/k8s/authn-authz.md
+++ b/slides/k8s/authn-authz.md
@@ -475,55 +475,82 @@ class: extra-details ## In practice -- We are going to create a service account +- We are going to run a pod -- We will use a default cluster role (`view`) +- This pod will use the default service account of its namespace -- We will bind together this role and this service account +- We will check our API permissions -- Then we will run a pod using that service account + (there shouldn't be any) -- In this pod, we will install `kubectl` and check our permissions +- Then we will bind a role to the service account ---- +- We will check that we were granted the corresponding permissions -## Creating a service account +--- -- We will call the new service account `viewer` +## Running a pod - (note that nothing prevents us from calling it `view`, like the role) +- We will run an `alpine` pod and install `kubectl` there .exercise[ -- Create the new service account: +- Run a one-time pod: ```bash - kubectl create serviceaccount viewer + kubectl run eyepod --rm -ti --restart=Never \ + --image alpine ``` -- List service accounts now: +- Install `curl`, then use it to install `kubectl`: ```bash - kubectl get serviceaccounts + apk add --no-cache curl + URLBASE=https://storage.googleapis.com/kubernetes-release/release + KUBEVER=$(curl -s $URLBASE/stable.txt) + curl -LO $URLBASE/$KUBEVER/bin/linux/amd64/kubectl + chmod +x kubectl ``` ] --- +## Checking our permissions + +- Normally, at this point, we don't have any API permission + +.exercise[ + +- Check our permissions with `kubectl`: + ```bash + kubectl get pods + ``` + +] + +- We should get a message telling us that our service account + doesn't have permissions to list "pods" in the current namespace + +- We can also make requests to the API server directly + + (use `kubectl -v6` to see the exact request URI!) 
+ +--- + ## Binding a role to the service account - Binding a role = creating a *rolebinding* object -- We will call that object `viewercanview` +- We will call that object `can-view` - (but again, we could call it `view`) + (but again, we could call it `view` or whatever we like) .exercise[ - Create the new role binding: ```bash - kubectl create rolebinding viewercanview \ + kubectl create rolebinding can-view \ --clusterrole=view \ - --serviceaccount=default:viewer + --serviceaccount=default:default ``` ] @@ -553,9 +580,9 @@ It's important to note a couple of details in these flags... ## Users vs Service Accounts -- We used `--serviceaccount=default:viewer` +- We used `--serviceaccount=default:default` -- What would have happened if we had used `--user=default:viewer`? +- What would have happened if we had used `--user=default:default`? - we would have bound the role to a user instead of a service account 
@@ -571,53 +598,45 @@ It's important to note a couple of details in these flags... --- -## Testing +## Checking our new permissions -- We will run an `alpine` pod and install `kubectl` there +- We should be able to *view* things, but not to *edit* them .exercise[ -- Run a one-time pod: +- Check our permissions with `kubectl`: ```bash - kubectl run eyepod --rm -ti --restart=Never \ - --serviceaccount=viewer \ - --image alpine + kubectl get pods ``` -- Install `curl`, then use it to install `kubectl`: +- Try to create something: ```bash - apk add --no-cache curl - URLBASE=https://storage.googleapis.com/kubernetes-release/release - KUBEVER=$(curl -s $URLBASE/stable.txt) - curl -LO $URLBASE/$KUBEVER/bin/linux/amd64/kubectl - chmod +x kubectl + kubectl create deployment can-i-do-this --image=nginx ``` -] +- Exit the container with `exit` or `^D` ---- + -## Running `kubectl` in the pod +] -- We'll try to use our `view` permissions, then to create an object +--- -.exercise[ +class: extra-details -- Check that we can, indeed, view things: - ```bash - ./kubectl get all - ``` +## `kubectl run --serviceaccount` -- But that we can't create things: - ``` - ./kubectl create deployment testrbac --image=nginx - ``` +- `kubectl run` also has a `--serviceaccount` flag -- Exit the container with `exit` or `^D` +- ...But it's supposed to be deprecated "soon" - + (see [kubernetes/kubernetes#99732](https://github.com/kubernetes/kubernetes/pull/99732) for details) -] +- It's possible to specify the service account with an override: + ```bash + kubectl run my-pod -ti --image=alpine --restart=Never \ + --overrides='{ "spec": { "serviceAccountName" : "my-service-account" } }' + ``` ---
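Review bot: in the first hunk (`@@ -475,55 +475,82 @@`), the new `## Checking our permissions` exercise runs `kubectl get pods`, but the install step just above it only does `curl -LO $URLBASE/$KUBEVER/bin/linux/amd64/kubectl` and `chmod +x kubectl`, so the binary sits in the pod's working directory and is not on PATH; the removed `## Running kubectl in the pod` slide correctly used `./kubectl get all`. Either keep `./kubectl` in the new exercise or add a `mv kubectl /usr/local/bin/` line after `chmod +x kubectl`. Two smaller points on the same hunk: the downloaded binary is executed without any integrity check, and for a security-themed demo it would be worth comparing its `sha256sum` against the `kubectl.sha256` published next to the binary before running it; and `kubectl create rolebinding can-view --clusterrole=view --serviceaccount=default:default` grants read access to every pod in the `default` namespace that runs with the default service account, and the binding outlives the `--rm` pod, so the slides should tell readers to `kubectl delete rolebinding can-view` once the exercise is done.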
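Review bot: in the last hunk (`@@ -571,53 +598,45 @@`), `## Checking our new permissions` has the same PATH problem as the install slide: `kubectl get pods` and `kubectl create deployment can-i-do-this --image=nginx` replace the removed `./kubectl get all` and `./kubectl create deployment testrbac --image=nginx`, yet nothing in the patch moves the binary onto PATH, so both commands fail with "not found" rather than with the intended Forbidden error. In the new extra-details slide, the `--overrides` example lacks an `apiVersion`; `kubectl run --help` says the override "Requires that the object supply a valid apiVersion field", so it should read `--overrides='{ "apiVersion": "v1", "spec": { "serviceAccountName": "my-service-account" } }'`. Optionally, `kubectl auth can-i --list` (or `kubectl auth can-i create deployments`) shows the before and after permissions directly, which is less fragile than relying on a failed `create`.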