Kubernetes exposes its authorization model (RBAC) through its command-line interface, kubectl. This guide walks through common authorization tasks, including the `kubectl auth` command. Note that `kubectl auth` itself provides only `can-i`, `reconcile` and, in recent releases, `whoami`; listing, describing, creating and deleting RBAC objects is done with the general `kubectl get`, `describe`, `create`, `delete` and `apply` verbs shown below.
1. Viewing ClusterRoles:
To list all ClusterRoles in the cluster, use: `kubectl get clusterroles`
This command lists every ClusterRole configured in the cluster; add `-o yaml`, or run `kubectl describe clusterrole <name>`, to see the rules (API groups, resources and verbs) a role grants.
Verification: Verify by checking the list output for the ClusterRoles defined in your cluster.
2. Checking RoleBindings:
To check RoleBindings in a specific namespace: `kubectl get rolebindings --namespace=default -o wide`
This command lists all RoleBindings in the `default` namespace; the wide output shows the role each binding references and the users, groups and ServiceAccounts it is bound to.
Verification: Ensure that the RoleBindings listed match the expected bindings for the namespace.
3. Describing ServiceAccounts:
To describe a specific ServiceAccount: `kubectl describe serviceaccount my-serviceaccount`
This command shows details of the `my-serviceaccount` ServiceAccount, including its image pull secrets and mountable secrets. On Kubernetes 1.24 and later no long-lived token Secret is created automatically, so the Tokens field is normally empty; tokens are requested on demand instead (see step 6).
Verification: Check the description output to confirm the secrets associated with the ServiceAccount and that no unexpected long-lived token Secrets are listed.
4. Creating ClusterRoleBindings:
To create a ClusterRoleBinding for a user: `kubectl create clusterrolebinding my-binding --clusterrole=admin --user=myuser`
This command binds the `admin` ClusterRole to the `myuser` user across the entire cluster, i.e. `myuser` gets admin rights in every namespace. If access is only needed in one namespace, bind the ClusterRole with a RoleBinding in that namespace instead, which limits the grant to that namespace.
Verification: Verify the successful creation of the binding with `kubectl get clusterrolebinding my-binding -o wide`.
5. Removing RoleBindings:
To remove a RoleBinding from a specific namespace: `kubectl delete rolebinding my-rolebinding --namespace=default`
This command deletes the `my-rolebinding` RoleBinding from the `default` namespace; the subjects it named lose whatever permissions the bound role granted them there.
Verification: Confirm the removal by checking that the RoleBinding no longer appears in `kubectl get rolebindings --namespace=default`.
6. Requesting Time-Limited ServiceAccount Tokens:
To request a ServiceAccount token that expires after a fixed period (Kubernetes 1.24 and later): `kubectl create token my-serviceaccount --duration=720h`
This issues a bound token for `my-serviceaccount` that expires after 720 hours (30 days) rather than a long-lived secret, which limits the damage of a leaked credential; the API server may cap the lifetime at its configured maximum (`--service-account-max-token-expiration`). Note that `kubectl auth reconcile` applies RBAC manifests passed with `-f` and has no token-expiry option.
Verification: Decode the token's JWT payload and confirm that its `exp` claim matches the requested lifetime.
7. Managing RoleBindings with JSON:
To apply a RoleBinding defined in a JSON file: `kubectl apply -f rolebinding.json`
This command applies the RoleBinding configuration in `rolebinding.json` to the cluster. For RBAC objects specifically, `kubectl auth reconcile -f rolebinding.json` is an alternative: it creates missing roles and bindings and merges the rules and subjects from the file into existing ones, removing extra entries only when `--remove-extra-permissions` or `--remove-extra-subjects` is given.
Verification: Validate the application by listing the RoleBindings in the target namespace and checking that the new binding references the intended role and subjects.
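The following Python script is an added example (not part of the original guide) that builds the `rolebinding.json` document step 7 applies and lints a binding for the misconfigurations that matter most in review: a privileged role granted cluster-wide, a role bound to the `system:authenticated` or `system:unauthenticated` group, or a malformed subject. The namespace, role and subject names are constructed placeholders.

```python
"""Build and sanity-check RBAC binding documents before `kubectl apply -f`.

Added example, not kubectl's own code. Names such as "pod-reader" and
"myuser" are constructed placeholders.
"""
import json

RBAC_API = "rbac.authorization.k8s.io/v1"

# Groups that effectively mean "every caller"; binding privileged roles to
# them is the classic RBAC misconfiguration.
EVERYONE_GROUPS = {"system:authenticated", "system:unauthenticated"}
# Built-in roles whose cluster-wide grant should always be questioned.
PRIVILEGED_ROLES = {"cluster-admin", "admin", "edit"}


def build_rolebinding(name, namespace, role_name, subjects, role_kind="Role"):
    """Return a RoleBinding dict in the shape `kubectl apply -f` expects."""
    if role_kind not in ("Role", "ClusterRole"):
        raise ValueError("roleRef.kind must be Role or ClusterRole")
    return {
        "apiVersion": RBAC_API,
        "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": namespace},
        "subjects": subjects,
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": role_kind, "name": role_name},
    }


def lint_binding(doc):
    """Return a list of findings for a RoleBinding or ClusterRoleBinding dict."""
    findings = []
    kind = doc.get("kind")
    role = doc.get("roleRef", {})
    subjects = doc.get("subjects", [])
    if doc.get("apiVersion") != RBAC_API:
        findings.append("apiVersion should be %s" % RBAC_API)
    if kind == "RoleBinding" and not doc.get("metadata", {}).get("namespace"):
        findings.append("RoleBinding is namespaced: metadata.namespace is required")
    if kind == "ClusterRoleBinding" and role.get("kind") != "ClusterRole":
        findings.append("ClusterRoleBinding may only reference a ClusterRole")
    if not subjects:
        findings.append("binding has no subjects")
    for s in subjects:
        if s.get("kind") == "Group" and s.get("name") in EVERYONE_GROUPS:
            findings.append("role %r bound to broad group %r" % (role.get("name"), s["name"]))
        if s.get("kind") == "ServiceAccount" and not s.get("namespace"):
            findings.append("ServiceAccount subject %r needs a namespace" % s.get("name"))
    if kind == "ClusterRoleBinding" and role.get("name") in PRIVILEGED_ROLES:
        findings.append("cluster-wide grant of privileged role %r; prefer a namespaced RoleBinding"
                        % role["name"])
    return findings


def write_rolebinding(path, doc):
    """Serialise the document so it can be passed to `kubectl apply -f <path>`."""
    with open(path, "w") as fh:
        json.dump(doc, fh, indent=2)


if __name__ == "__main__":
    # Least-privilege binding: a namespaced Role, one named user.
    rb = build_rolebinding(
        "pod-reader-binding", "default", "pod-reader",
        [{"kind": "User", "name": "myuser", "apiGroup": "rbac.authorization.k8s.io"}])
    print(json.dumps(rb, indent=2))
    print("findings:", lint_binding(rb))
    write_rolebinding("rolebinding.json", rb)
```

Run the script, review the printed findings, and only then apply the generated `rolebinding.json`; the same `lint_binding` function can be pointed at the output of `kubectl get clusterrolebindings -o json` to review bindings that already exist.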
8. Checking the Node Authorizer:
The Node authorizer is an authorization mode of the API server, not a listable resource, so there is no `kubectl` command that enumerates it. It is enabled by including `Node` in the kube-apiserver flag `--authorization-mode=Node,RBAC`. On kubeadm clusters the flag lives in the static pod manifest `/etc/kubernetes/manifests/kube-apiserver.yaml` on each control-plane node, and it can be read from the running pod with: `kubectl -n kube-system get pods -l component=kube-apiserver -o jsonpath='{.items[*].spec.containers[*].command}'`
This command prints the kube-apiserver command line, in which the configured authorization modes appear.
Verification: Confirm that `Node` appears in the `--authorization-mode` value, and that the `NodeRestriction` admission plugin is enabled alongside it, since the two together limit each kubelet to the objects belonging to its own node.
9. Verifying Pod Security Policies:
To check whether the current user may use Pod Security Policies in a namespace: `kubectl auth can-i use podsecuritypolicy --namespace=default`
This command asks the API server whether the current user has the `use` verb on the `podsecuritypolicy` resource in the `default` namespace. PodSecurityPolicy was removed in Kubernetes 1.25; on current clusters its replacement is Pod Security Admission, which is configured through namespace labels and can be inspected with `kubectl get namespace default --show-labels` (look for `pod-security.kubernetes.io/enforce`).
Verification: Confirm that the answer (`yes` or `no`), or the namespace's enforce level, matches what the user is expected to have.
10. Checking Another User's Access (Subject Access Reviews):
To see what a specific user is allowed to do in a namespace: `kubectl auth can-i --list --as=myuser --namespace=default`
SubjectAccessReviews are not stored objects and cannot be listed; `kubectl auth can-i` issues one on demand, and with `--as` (impersonation, which itself requires the caller to hold the `impersonate` permission) it evaluates `myuser` instead of the caller. The `--list` flag prints every verb/resource combination the subject is permitted in the namespace; a single action is checked with `kubectl auth can-i get pods --as=myuser --namespace=default`.
Verification: Compare the listed permissions with the roles and bindings from steps 1, 2 and 4 and investigate any grant that none of them explains.
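Steps 9 and 10 both rely on the RBAC decision the API server makes when `kubectl auth can-i` sends it a SelfSubjectAccessReview. The script below is an added example, not kubectl's or the API server's own code: it reproduces the core matching rules (subject matching, rule wildcards, and the difference between a ClusterRoleBinding and a RoleBinding that references a ClusterRole) over constructed inline RBAC objects, and shows the review body kubectl posts. All role, binding and subject names are constructed.

```python
"""Offline model of the RBAC decision behind `kubectl auth can-i`.

Added example, not kubectl's own implementation. The real command POSTs a
SelfSubjectAccessReview (or, with --as, an impersonated request) and the API
server's RBAC authorizer evaluates the cluster's Role/ClusterRole/binding
objects. The objects below are constructed so the logic runs without a cluster.
"""

# --- constructed RBAC objects (what `kubectl get` would return) ---
CLUSTER_ROLES = {
    "view": [{"apiGroups": [""], "resources": ["pods", "services"],
              "verbs": ["get", "list", "watch"]}],
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
ROLES = {  # keyed by (namespace, name); Roles exist only inside a namespace
    ("default", "pod-deleter"): [{"apiGroups": [""], "resources": ["pods"],
                                  "verbs": ["delete"]}],
}
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": "cluster-admin", "subjects": [{"kind": "Group", "name": "system:masters"}]},
]
ROLE_BINDINGS = [
    # A ClusterRole bound through a RoleBinding is limited to that namespace.
    {"namespace": "default", "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "myuser"}]},
    {"namespace": "default", "roleRef": {"kind": "Role", "name": "pod-deleter"},
     "subjects": [{"kind": "ServiceAccount", "name": "my-serviceaccount",
                   "namespace": "default"}]},
]


def subject_matches(subject, user, groups):
    """ServiceAccount subjects match via the system:serviceaccount:<ns>:<name> username."""
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return name == user
    if kind == "Group":
        return name in groups
    if kind == "ServiceAccount":
        return user == "system:serviceaccount:%s:%s" % (subject["namespace"], name)
    return False


def rule_allows(rule, verb, api_group, resource):
    """A rule matches when verb, API group and resource each match literally or by '*'."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["verbs"], verb) and hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource))


def effective_rules(user, groups, namespace):
    """Union of rules reachable by the subject in `namespace` (cf. `kubectl auth can-i --list`)."""
    rules = []
    for crb in CLUSTER_ROLE_BINDINGS:  # cluster-wide grants apply everywhere
        if any(subject_matches(s, user, groups) for s in crb["subjects"]):
            rules.extend(CLUSTER_ROLES.get(crb["roleRef"], []))
    for rb in ROLE_BINDINGS:  # RoleBindings only grant inside their own namespace
        if rb["namespace"] != namespace:
            continue
        if not any(subject_matches(s, user, groups) for s in rb["subjects"]):
            continue
        ref = rb["roleRef"]
        if ref["kind"] == "ClusterRole":
            rules.extend(CLUSTER_ROLES.get(ref["name"], []))
        else:
            rules.extend(ROLES.get((namespace, ref["name"]), []))
    return rules


def can_i(user, groups, verb, resource, namespace, api_group=""):
    """RBAC is allow-only: the request succeeds if any effective rule permits it."""
    return any(rule_allows(r, verb, api_group, resource)
               for r in effective_rules(user, groups, namespace))


def self_subject_access_review(verb, resource, namespace, api_group=""):
    """Body `kubectl auth can-i` POSTs to /apis/authorization.k8s.io/v1/selfsubjectaccessreviews."""
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SelfSubjectAccessReview",
        "spec": {"resourceAttributes": {"namespace": namespace, "verb": verb,
                                        "group": api_group, "resource": resource}},
    }


if __name__ == "__main__":
    checks = [
        ("myuser", ["system:authenticated"], "list", "pods", "default"),
        ("myuser", ["system:authenticated"], "list", "pods", "kube-system"),
        ("system:serviceaccount:default:my-serviceaccount", [], "delete", "pods", "default"),
        ("alice", ["system:masters"], "delete", "nodes", None),
    ]
    for who, grp, verb, res, ns in checks:
        print("%s %s %s in %s -> %s" % (who, verb, res, ns,
                                         "yes" if can_i(who, grp, verb, res, ns) else "no"))
```

The second check is the one worth internalising: `myuser` holds `view` only through a RoleBinding in `default`, so the same question in `kube-system` is denied, whereas the `system:masters` member is allowed anywhere because the grant is a ClusterRoleBinding.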