IAM and RBAC @ KUBERNETES

sonu kushwaha
6 min read · Feb 20, 2021

Kubernetes IAM (identity and access management): creating a kubeconfig file for kubectl from scratch, then assigning a Role and RoleBinding (RBAC, role-based access control).

IAM stands for identity and access management. The identity half of IAM is the authentication part of Kubernetes, which by default is certificate based. In this blog we will be dealing with RBAC (role-based access control), where I will explain how to create a Role and a RoleBinding that restrict what a user can do: which actions (verbs), which resources and which API groups, all within the scope of a namespace.

Identity part of IAM

Identity refers to the authentication part (here, certificate-based authentication), which involves the following steps:

STEP1: Generate a private key on the local computer (on Linux, OpenSSL is available out of the box for this).

STEP2: From the private key, create a CSR (certificate signing request), so that the private key itself never has to be shared with anyone.

STEP3: Send the CSR file to the Kubernetes master, i.e. the control-plane node of the cluster.

STEP4: Get the CSR signed by the CA present on the master node of the k8s cluster; signing turns the CSR into a CRT (certificate).

STEP5: Bring the CRT file back to the local system from which the user will use the cluster via kubectl.

So, first of all, we create a private key, stored in the file sonu.key, of 1024 bits (the argument to genrsa is the key size in bits; a larger key is slower to generate and use). genrsa generates an RSA key pair: the public key is derived from the private key, and recovering the private key from the public one is computationally infeasible.

openssl genrsa -out sonu.key 1024

With this key we create the .csr file, i.e. the certificate signing request:

openssl req -new -key sonu.key -out sonu.csr

We then get it signed by the certificate authority (CA) present on the master node. Once the CSR is signed it is converted into a .crt file, i.e. the certificate. Remember that we need to copy the CSR file to the directory where the CA lives, /etc/kubernetes/pki, and run the following command from that location:

openssl x509 -req -in sonu.csr -CAcreateserial -CA ca.crt -CAkey ca.key -out sonu.crt

Now sonu.crt is the signed version of the CSR. Send the .crt file to the local system from which the user will run kubectl.
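The five steps above, as one added example script that is not from the original post. The user name sonu and group dev in the CSR subject, and the working directory, are assumptions. Because the script has to run offline it also generates a throwaway CA in place of the cluster's /etc/kubernetes/pki/ca.crt and ca.key; that is the only part that differs from the real procedure, where only the .csr is copied to the master. It uses 2048-bit keys. The CSR subject is the security-relevant detail: Kubernetes takes the user name from CN and the group names from O, so this is the identity that the Role and RoleBinding later refer to.

```bash
#!/bin/sh
# Added example, not from the original post: STEP1-STEP5 as one script.
# Assumptions: user "sonu" in group "dev"; a throwaway CA is generated in
# $CA_DIR so the script runs offline. On a real cluster CA_DIR would be
# /etc/kubernetes/pki on the control-plane node, and only the .csr is copied there.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_DIR="${CA_DIR:-$WORKDIR/pki}"

# Stand-in for the cluster CA (/etc/kubernetes/pki/ca.crt and ca.key).
make_demo_ca() {
  mkdir -p "$CA_DIR"
  openssl genrsa -out "$CA_DIR/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$CA_DIR/ca.key" -days 365 \
    -subj "/CN=kubernetes" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# STEP1 + STEP2: the private key never leaves the user's machine; only the
# CSR is sent. Kubernetes reads the user name from CN and the groups from O,
# so the subject written here is the identity RBAC will later bind to.
make_user_key_and_csr() {
  local user="$1" group="$2"
  openssl genrsa -out "$WORKDIR/$user.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/$user.key" \
    -subj "/CN=$user/O=$group" -out "$WORKDIR/$user.csr" 2>/dev/null
}

# STEP3 + STEP4: on the control plane, sign the CSR with the cluster CA.
# -days bounds how long this credential stays valid.
sign_csr() {
  local user="$1"
  openssl x509 -req -in "$WORKDIR/$user.csr" \
    -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
    -days 365 -out "$WORKDIR/$user.crt" 2>/dev/null
}

# STEP5 check: the .crt handed back must chain to the cluster CA and carry
# the expected subject. Fails (non-zero) if the chain does not verify;
# otherwise prints the subject in RFC 2253 form.
verify_user_cert() {
  local user="$1"
  openssl verify -CAfile "$CA_DIR/ca.crt" "$WORKDIR/$user.crt" >/dev/null
  openssl x509 -in "$WORKDIR/$user.crt" -noout -subject -nameopt RFC2253
}

if command -v openssl >/dev/null 2>&1; then
  make_demo_ca
  make_user_key_and_csr sonu dev
  sign_csr sonu
  verify_user_cert sonu
else
  echo "openssl not found; install it to run this example" >&2
fi
```

The subject printed at the end is what shows up as the User name in RBAC; if it does not say CN=sonu, no RoleBinding for sonu will ever match.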

Now we create our own kubeconfig file, in which we set up the cluster under a cluster name of our choice. We need to provide the public IP of the master node of that cluster along with the certificate of the certificate authority:

kubectl config --kubeconfig sonu.kubeconfig set-cluster awscluster --server=https://<MASTER_PUBLIC_IP>:6443 --certificate-authority=ca.crt

Once the cluster info is done, we need to set the credentials of the user, which consist of the user's .crt and .key files.

The user part is still empty; we set the user's credentials with the following command:

kubectl config --kubeconfig sonu.kubeconfig set-credentials sonuaws --client-certificate sonu.crt --client-key sonu.key

Now we need to state which user will talk to which cluster (what that user may then do on it is decided by RBAC, covered below). This mapping is called a context in the Kubernetes world, so we set a context that refers to the user credentials and the cluster information:

kubectl config set-context sonuaws@awscluster --user sonuaws --cluster awscluster --kubeconfig sonu.kubeconfig

We also need to set the default context, so that whenever we work on the cluster with the sonu.kubeconfig file that particular context is used by default:

kubectl config use-context sonuaws@awscluster --kubeconfig sonu.kubeconfig
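For reference, here is an added example (not from the original post) that renders the kubeconfig file the set-cluster, set-credentials and set-context commands build up, so its structure is visible: the CA belongs to the cluster entry, the client certificate and key to the user entry, and the context ties the two together. The cluster name awscluster, user name sonuaws and context sonuaws@awscluster follow the commands above; <MASTER_PUBLIC_IP> is a placeholder and the certificate files in the demo are constructed dummies. The certificates are embedded base64-encoded, which is what kubectl's --embed-certs=true option does and which makes the file portable on its own.

```bash
#!/bin/sh
# Added example, not from the original post: the kubeconfig that the three
# "kubectl config set-*" commands assemble, rendered directly.
# Assumed names: cluster awscluster, user sonuaws, context sonuaws@awscluster,
# placeholder <MASTER_PUBLIC_IP>. Certificates are embedded base64-encoded
# (what --embed-certs=true does) so the file is self-contained.
set -eu

# base64 without line wrapping, portable across GNU and BSD base64.
b64() { base64 < "$1" | tr -d '\n'; }

# render_kubeconfig CLUSTER SERVER CA_FILE USER CRT_FILE KEY_FILE
# Prints a complete kubeconfig: CA with the cluster, client cert and key with
# the user, and a context joining the two, which is also made the default.
render_kubeconfig() {
  local cluster="$1" server="$2" ca="$3" user="$4" crt="$5" key="$6"
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: $cluster
  cluster:
    server: $server
    certificate-authority-data: $(b64 "$ca")
users:
- name: $user
  user:
    client-certificate-data: $(b64 "$crt")
    client-key-data: $(b64 "$key")
contexts:
- name: $user@$cluster
  context:
    cluster: $cluster
    user: $user
current-context: $user@$cluster
EOF
}

# Read back the default context (what "kubectl config use-context" sets).
current_context() { sed -n 's/^current-context: //p' "$1"; }

# Demo with constructed placeholder files standing in for real ca.crt,
# sonu.crt and sonu.key.
demo() {
  local d
  d="$(mktemp -d)"
  printf 'demo-ca' > "$d/ca.crt"
  printf 'demo-crt' > "$d/sonu.crt"
  printf 'demo-key' > "$d/sonu.key"
  render_kubeconfig awscluster "https://<MASTER_PUBLIC_IP>:6443" "$d/ca.crt" \
    sonuaws "$d/sonu.crt" "$d/sonu.key" > "$d/sonu.kubeconfig"
  cat "$d/sonu.kubeconfig"
  echo "default context: $(current_context "$d/sonu.kubeconfig")"
}
demo
```

Because the file embeds the private key, it should be protected like the key itself (mode 0600) wherever it is copied.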

Now if we run "kubectl get pods --kubeconfig sonu.kubeconfig" we get an error about the IP address. This is because during cluster formation the API server certificate was issued for the private IP of the master node, so we need to add the public IP of the master node to the SAN (Subject Alternative Name) of the apiserver.crt file on the master node (inspect it with openssl x509 -in apiserver.crt -text). To do that we first remove the existing apiserver files (rm /etc/kubernetes/pki/apiserver.*).

After deleting the apiserver.* files we need to regenerate them, this time with the public IP as an extra SAN:

kubeadm init phase certs all --apiserver-advertise-address=0.0.0.0 --apiserver-cert-extra-sans=<MASTER_PUBLIC_IP>

If we now check apiserver.crt again (openssl x509 -in apiserver.crt -text) we find the new IP in the SAN list. After replacing the certificate we also need to remove the running kube-apiserver container, because it was started with the old certificate and the API is served from that container:

docker rm -f $(docker ps -q -f 'name=k8s_kube-apiserver*')

The final step is to restart the kubelet, so that the API server comes back up with the updated certificate (systemctl restart kubelet).
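Before deleting and regenerating the API server certificate, it is worth checking programmatically whether the address kubectl connects to is actually in its SAN list, and running the same check afterwards confirms that the fix took. The following added example (not from the original post) does that. On the master node the certificate would be /etc/kubernetes/pki/apiserver.crt; here a self-signed stand-in is generated with constructed addresses (10.0.0.5 standing for the private IP kubeadm used, 203.0.113.10 for the public IP) so that it runs offline.

```bash
#!/bin/sh
# Added example, not from the original post: check whether an IP is in the
# API server certificate's Subject Alternative Name list.
# On the control plane CERT is /etc/kubernetes/pki/apiserver.crt; here a
# self-signed stand-in is created with constructed addresses.
# After the check fails, the fix from the text is run on the master:
#   rm /etc/kubernetes/pki/apiserver.*
#   kubeadm init phase certs all --apiserver-advertise-address=0.0.0.0 \
#       --apiserver-cert-extra-sans=<MASTER_PUBLIC_IP>
set -eu

# List the IP SANs of a certificate, one per line.
cert_san_ips() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr -d ' ' | tr ',' '\n' | sed -n 's/^IPAddress://p'
}

# cert_has_san_ip CERT IP: exit 0 if IP is present, 1 otherwise.
# kubectl fails TLS verification against the --server address unless this
# succeeds for that address.
cert_has_san_ip() {
  cert_san_ips "$1" | grep -qx "$2"
}

# Stand-in for apiserver.crt with the given SAN list, e.g.
# "IP:10.0.0.5,DNS:kubernetes" (constructed values, not from a real cluster).
make_demo_apiserver_cert() {
  local out="$1" sans="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "${out%.crt}.key" \
    -subj "/CN=kube-apiserver" -addext "subjectAltName=$sans" \
    -days 30 -out "$out" 2>/dev/null
}

if command -v openssl >/dev/null 2>&1; then
  d="$(mktemp -d)"
  make_demo_apiserver_cert "$d/apiserver.crt" "IP:10.0.0.5,DNS:kubernetes"
  echo "IP SANs:"; cert_san_ips "$d/apiserver.crt"
  cert_has_san_ip "$d/apiserver.crt" 10.0.0.5 && echo "10.0.0.5: present"
  cert_has_san_ip "$d/apiserver.crt" 203.0.113.10 \
    || echo "203.0.113.10: missing, regenerate the apiserver certificate"
else
  echo "openssl not found; install it to run this example" >&2
fi
```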

Now if we run kubectl get po --kubeconfig sonu.kubeconfig, it shows a Forbidden error. This is not really an error: authentication succeeded, but the user has no authorization yet, so we need to add a Role and a RoleBinding.

Now what we are going to do is create a Role in a namespace called tech instead of default (it is the user's choice in which namespace to create the Role and RoleBinding).

The Role is created with the name sonu-tech, as shown in the following figure.

The Role is then bound to the user sonu with a RoleBinding named sonu-tech-Rb.

Now when we run the kubectl command again, it works.

We can also change the Role's verbs and resources with the following command:

kubectl edit role sonu-tech -n tech

as shown in the following two figures.

Here I added * to the verbs, resources and apiGroups, which is effectively root power within the namespace. One can instead grant exactly the actions one wants to assign to someone; by default k8s gives a new user no privileges at all, i.e. least privilege.
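Since the figures are not reproduced here, this added example (not from the original post) shows the Role and RoleBinding as manifests: namespace tech, Role sonu-tech and RoleBinding sonu-tech-Rb as in the text. The subject name sonu is assumed to be the CN of the user's client certificate, because that is the user name the API server authenticates. render_role is parameterised so the read-only role that kubectl get po needs and the all-wildcards role produced above can be compared, and wildcard_count makes the difference measurable.

```bash
#!/bin/sh
# Added example, not from the original post: the Role and RoleBinding from
# the text (namespace tech, Role sonu-tech, RoleBinding sonu-tech-Rb) as
# manifests. Assumption: "sonu" is the CN of the user's client certificate.
set -eu

# render_role NAMESPACE NAME APIGROUPS RESOURCES VERBS
# The last three arguments are YAML flow sequences, e.g. '["get","list"]'.
render_role() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: $1
  name: $2
rules:
- apiGroups: $3
  resources: $4
  verbs: $5
EOF
}

# render_rolebinding NAMESPACE NAME ROLE USER
# A RoleBinding is namespaced, so the grant cannot reach outside NAMESPACE.
render_rolebinding() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: $1
  name: $2
subjects:
- kind: User
  name: $4
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: $3
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Count the rule fields set to the wildcard "*": 3 means every verb on every
# resource in every API group of the namespace, 0 means fully scoped.
wildcard_count() {
  grep -E '^(- apiGroups|  resources|  verbs): \["\*"\]$' | wc -l | tr -d ' '
}

# Least privilege for "kubectl get po": read-only on pods in the core
# API group, whose name is the empty string.
readonly_pods_role() {
  render_role tech sonu-tech '[""]' '["pods"]' '["get","list","watch"]'
}

# The "* everywhere" role that kubectl edit produced in the text.
wildcard_role() {
  render_role tech sonu-tech '["*"]' '["*"]' '["*"]'
}

readonly_pods_role
echo ---
render_rolebinding tech sonu-tech-Rb sonu-tech sonu
echo "wildcards in read-only role: $(readonly_pods_role | wildcard_count)"
echo "wildcards in wildcard role:  $(wildcard_role | wildcard_count)"
```

Apply both manifests with kubectl apply -f, then confirm the effective permissions from an admin kubeconfig with kubectl auth can-i list pods -n tech --as sonu; with the read-only role, kubectl auth can-i delete pods -n tech --as sonu answers no, which is the point of scoping the verbs.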
