{"id":1049,"date":"2021-06-01T12:51:44","date_gmt":"2021-06-01T12:51:44","guid":{"rendered":"https:\/\/blog.ngocha.biz\/?p=1049"},"modified":"2021-06-01T12:51:44","modified_gmt":"2021-06-01T12:51:44","slug":"create-kubernetes-role","status":"publish","type":"post","link":"https:\/\/blog.ngocha.biz\/?p=1049","title":{"rendered":"How to Create kubernetes Role for Service Account"},"content":{"rendered":"

In this blog, you will learn how to create Kubernetes role for a service account and use it with the pods, deployments, and cronjobs.<\/p>\n

Note: <\/strong>A role<\/code> provides API access only to resources present in a namespace. For cluster-wide API access, you should use a ClusterRole<\/code><\/p><\/blockquote>\n

Create Kubernetes Role for Service Account<\/h2>\n

Let’s consider the following scenario<\/p>\n

    \n
  1. You have deployments\/pods in a namespace called webapps<\/code><\/li>\n
  2. The deployments\/pods need Kubernetes API access to manage resources in a namespace.<\/li>\n<\/ol>\n

    The solution to the above scenarios is to have a service account with roles with specific API access.<\/p>\n

      \n
    1. Create a service account bound to the namespace webapps namespace<\/li>\n
    2. Create a role with the list of required API access to Kubernetes resoruces.<\/li>\n
    3. Create a Rolebinding to bind the role to the service account.<\/li>\n
    4. Use the service account in the pod\/deployment or Kubernetes Cronjobs<\/a><\/li>\n<\/ol>\n

      Lets implement it.<\/p>\n

      Create webapps Namespace<\/h2>\n

      For the purpose of demonstration, we will create a namespace called webapps<\/code><\/p>\n

      kubectl create namespace webapps<\/code><\/pre>\n
      Create Kubernetes Service Account<\/h2>\n
      Let’s create a service account named app-service-account<\/code> that bounds to webapps<\/code> namespace<\/p>\n
      Copy the following and execute directly on the terminal.<\/p>\n
      cat <<EOF | kubectl apply -f -\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: app-service-account\n  namespace: webapps\nEOF<\/code><\/pre>\n
      Create a Role For API Access<\/h2>\n
      In the kubernetes Role, we specify the list of API access required for Kubernetes resources.<\/p>\n
      Note:<\/strong> The following role has access to most Kubernetes resources with all read, write, list, update, patch, and delete permissions. \u00a0When you implement it in real projects, you should add only the required resources and actions to the role.<\/p><\/blockquote>\n
      Lets create a role named app-role<\/code> specific to webapps<\/code> namespace.<\/p>\n
      Copy the following and execute directly on the terminal.<\/p>\n
      cat <<EOF | kubectl apply -f -\n---\napiVersion: rbac.authorization.k8s.io\/v1\nkind: Role\nmetadata:\n  name: app-role\n  namespace: webapps\nrules:\n  - apiGroups:\n        - \"\"\n        - apps\n        - autoscaling\n        - batch\n        - extensions\n        - policy\n        - rbac.authorization.k8s.io\n    resources:\n      - pods\n      - componentstatuses\n      - configmaps\n      - daemonsets\n      - deployments\n      - events\n      - endpoints\n      - horizontalpodautoscalers\n      - ingress\n      - jobs\n      - limitranges\n      - namespaces\n      - nodes\n      - pods\n      - persistentvolumes\n      - persistentvolumeclaims\n      - resourcequotas\n      - replicasets\n      - replicationcontrollers\n      - serviceaccounts\n      - services\n    verbs: [\"get\", \"list\", \"watch\", \"create\", \"update\", \"patch\", \"delete\"]\nEOF<\/code><\/pre>\n
      Lets list the role.<\/p>\n
      kubectl get roles -n webapps<\/code><\/pre>\n
      [powerkit_posts title=”Also Read” \u00a0ids=”1836″ \u00a0image_size=”pk-thumbnail” template=”list”]<\/p>\n
      Create a Rolebinding [ Attaching Role to ServiceAccount]<\/h2>\n
      Now we have a service account and a role which has no relation.<\/p>\n
      With Rolebinding we attach the role to the service account. So the pods which use the service account in webapps<\/code> namespace will have all the access mentioned in the app-role<\/code><\/p>\n
      Copy the following and execute directly on the terminal.<\/p>\n
      cat <<EOF | kubectl apply -f -\n---\napiVersion: rbac.authorization.k8s.io\/v1\nkind: RoleBinding\nmetadata:\n  name: app-rolebinding\n  namespace: webapps \nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: Role\n  name: app-role \nsubjects:\n- namespace: webapps \n  kind: ServiceAccount\n  name: app-service-account \nEOF<\/code><\/pre>\n
      Validate Kubernetes Role Permissions<\/h2>\n
      We will use the bibinwilson\/docker-kubectl <\/code>Docker image that I have created with the kubectl utility.<\/p>\n
      Let’s deploy a pod named debug<\/code> with bibinwilson\/docker-kubectl image and our service account app-service-account<\/code>.<\/p>\n
      cat <<EOF | kubectl apply -f -\n---\napiVersion: v1\nkind: Pod\nmetadata:\n  name: debug\n  namespace: webapps\nspec:\n  containers:\n  - image: bibinwilson\/docker-kubectl:latest\n    name: kubectl\n  serviceAccountName: app-service-account\nEOF<\/code><\/pre>\n
      Lets exec<\/code> in to the debug<\/code> pod and see if has the privileges we mentioned in the role.<\/p>\n
      kubectl exec -it debug \/bin\/bash -n webapps<\/code><\/pre>\n
      Now, you should be able to list pods and other resources in webapps<\/code> namespace. You cannot list the pods in other namespaces are this role is specific to webapps<\/code> namespace.<\/p>\n
      If you deploy a pod without the service account and list the pods, you will get the following error.<\/p>\n
      Error from server (Forbidden): pods is forbidden: User \"system:serviceaccount:webapps:default\" cannot list resource \"pods\" in API group \"\" in the namespace \"webapps\"<\/code><\/pre>\n
      The default service account that gets attached to pods doesn’t have any API access to resources.<\/p>\n
      Using Service Account with Kubernetes Cronjob<\/h2>\n
      Here is an example of Kubernetes Cronjob with a service account.<\/p>\n
      apiVersion: batch\/v1beta1\nkind: CronJob\nmetadata:\n    name: kubernetes-cron-job\nspec:\n  schedule: \"0,15,30,45 * * * *\"\n  jobTemplate:\n    spec:\n      template:\n        metadata:\n          labels:\n            app: cron-batch-job\n        spec:\n          restartPolicy: OnFailure\n          serviceAccountName: app-service-account\n          containers:\n          - name: kube-cron-job\n            image: devopscube\/kubernetes-job-demo:latest\n            args: [\"100\"]<\/code><\/pre>\n
      Using Service Account With Kubernetes Deployment<\/h2>\n
      Here is an example of a Kubernetes deployment<\/a> with a service account.<\/p>\n
      apiVersion: apps\/v1\nkind: Deployment\nmetadata:\n  name: nginx-deployment\n  labels:\n    app: nginx\nspec:\n  replicas: 3\n  selector:\n    matchLabels:\n      app: nginx\n  template:\n    metadata:\n      labels:\n        app: nginx\n    spec:\n      serviceAccountName: app-service-account\n      containers:\n      - name: nginx\n        image: nginx:1.14.2\n        ports:\n        - containerPort: 80<\/code><\/pre>\n
      Conclusion<\/h2>\n
      In this blog post, I have added all the steps required to create Kubernetes role and use it with the pod, deployment, and Cronjonbs.<\/p>\n
      There are particularly not many use cases where you need the namespace specific roles.<\/p>\n
      One main use would be for creating users with access limited to a namespace. Also, to create service accounts to have API access<\/a> to namespaces from external applications.<\/p>\n
      Let me know if you face any issues or have any questions related to Kubernetes roles.<\/p>\n
      \n
      Ngu\u1ed3n:<\/strong> How to Create kubernetes Role for Service Account \u2014 DevOpsCube<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
      Source: https:\/\/devopscube.com\/create-kubernetes-role\/<\/p>\n","protected":false},"author":0,"featured_media":1050,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1049","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts\/1049","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1049"}],"version-history":[{"count":0,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts\/1049\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/media\/1050"}],"wp:attachment":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1049"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1049"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1049"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}