RBAC

  • Create 2 definition files, role and role binding.

  • kubectl get roles
  • kubectl get rolebindings
  • kubectl describe role <role-name>
  • kubectl auth can-i delete pod
  • kubectl auth can-i create pods --as dev-user
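The two definition files the first bullet refers to, written out as an added example (this is not from the original notes). It grants a user named dev-user the ability to read and create pods, but not delete them, in a namespace called development; the namespace, user name and role name are assumptions chosen for the example. The two documents can live in two files or in one file separated by `---`.

```yaml
# Added example, not from the original notes. Names are assumptions.
# Role: namespace-scoped set of permissions. Only what dev-user needs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-developer
  namespace: development
rules:
- apiGroups: [""]              # "" is the core API group, where pods live
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create"]   # no "delete": least privilege
- apiGroups: [""]
  resources: ["pods/log"]      # subresource: reading container logs
  verbs: ["get"]
---
# RoleBinding: attaches the Role above to the subject (dev-user).
# A binding in namespace "development" only grants rights in that namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-user-pod-developer
  namespace: development
subjects:
- kind: User
  name: dev-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-developer
  apiGroup: rbac.authorization.k8s.io
```

After `kubectl apply -f` on both documents, `kubectl auth can-i create pods --as dev-user -n development` should answer yes, `kubectl auth can-i delete pods --as dev-user -n development` should answer no, and `kubectl auth can-i list pods --as dev-user -n default` should also answer no, because the binding only exists in the development namespace.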

ClusterRole & ClusterRoleBinding

  • For cluster scoped resources

  • We can use this for namespaced resources as well, e.g. to grant a user access to pods across all namespaces
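An added example (not from the original notes) showing the cluster-wide variant of the previous pair: a ClusterRole that can read pods, bound with a ClusterRoleBinding so dev-user gets it in every namespace. It goes one step beyond the notes by also showing that the same ClusterRole can be referenced from an ordinary RoleBinding, in which case the permissions apply only in that RoleBinding's namespace; this is a useful way to define a permission set once and hand it out per namespace. Names (pod-reader, dev-user, auditor, staging) are assumptions.

```yaml
# Added example, not from the original notes. Names are assumptions.
# ClusterRole: no metadata.namespace, it is a cluster-scoped object.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]   # read-only
---
# ClusterRoleBinding: pod-reader now applies to dev-user in ALL namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dev-user-pod-reader-all-namespaces
subjects:
- kind: User
  name: dev-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# Narrower alternative: a RoleBinding that references the ClusterRole.
# The user "auditor" can read pods only in the "staging" namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: auditor-pod-reader
  namespace: staging
subjects:
- kind: User
  name: auditor
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole          # a RoleBinding may point at a ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

To check the difference: `kubectl auth can-i list pods --as dev-user --all-namespaces` answers yes, while `kubectl auth can-i list pods --as auditor --all-namespaces` answers no and `kubectl auth can-i list pods --as auditor -n staging` answers yes. Prefer the RoleBinding form whenever the access really only needs one namespace.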

Service Accounts

  • Can be used by an application to communicate with the Kubernetes cluster, e.g. Prometheus, Jenkins

  • kubectl create serviceaccount <service-account-name>
  • kubectl get serviceaccount
  • Add custom service account name using serviceAccountName: <name> in pod definition file.

  • Kubernetes automatically mounts the service account token into pods; we can opt out with automountServiceAccountToken: false in the pod definition file.

  • We get a token that can be decoded and used to call kube-apiserver

    kubectl exec -it <name of pod> -- ls /service/account/token/location
  • With newer versions, a token is no longer created automatically for a service account. To create a token:

    kubectl create token <service-account>
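An added example (not from the original notes) that puts the service account bullets together: a ServiceAccount, a pod that uses it but opts out of the token mount because it never talks to the API server, and a second pod that does need the API server and therefore mounts a short-lived projected token explicitly instead of relying on the automatic mount. The names, namespace and image references are assumptions made for the example.

```yaml
# Added example, not from the original notes. Names and images are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: report-generator
  namespace: reporting
# Default for pods using this account; a pod can still override it.
automountServiceAccountToken: false
---
# Pod 1: batch job that only reads files and writes a report.
# It gets the identity (serviceAccountName) but no API token on disk,
# so a compromised container has nothing to present to kube-apiserver.
apiVersion: v1
kind: Pod
metadata:
  name: nightly-report
  namespace: reporting
spec:
  serviceAccountName: report-generator
  automountServiceAccountToken: false
  containers:
  - name: report
    image: registry.example.com/reporting/generator:1.0   # constructed image name
---
# Pod 2: needs the API server, so it mounts a projected token with an
# explicit expiry (600 seconds is the minimum) rather than the default mount.
apiVersion: v1
kind: Pod
metadata:
  name: report-api-client
  namespace: reporting
spec:
  serviceAccountName: report-generator
  automountServiceAccountToken: false     # disable the default mount...
  containers:
  - name: client
    image: registry.example.com/reporting/api-client:1.0  # constructed image name
    volumeMounts:
    - name: api-token
      mountPath: /var/run/secrets/tokens
      readOnly: true
  volumes:
  - name: api-token                        # ...and mount a bound, expiring one
    projected:
      sources:
      - serviceAccountToken:
          path: token
          expirationSeconds: 600
```

Inside the second pod the token is at /var/run/secrets/tokens/token and the kubelet rotates it before it expires; the first pod has no token file at all, which `kubectl exec -it nightly-report -n reporting -- ls /var/run/secrets/kubernetes.io/serviceaccount` will confirm by failing. A token for use outside a pod is still obtained with `kubectl create token report-generator -n reporting`, and its lifetime can be bounded with the `--duration` flag.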

Image Security

  • We can put the full private registry path of the image as-is in the image field of the pod definition

  • To authenticate to a private registry we need a secret of type docker-registry

  • kubectl create secret docker-registry regcred \
    --docker-server=<private-registry-server> \
    --docker-username=<username> \
    --docker-password=<password> \
    --docker-email=<registry-email>
  • In the pod definition, reference this secret under the spec section alongside containers, as follows:

spec:
  imagePullSecrets:
  - name: regcred
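A complete pod definition using the regcred secret from the command above, as an added example that is not from the original notes. It also shows the alternative the notes do not mention: attaching imagePullSecrets to the ServiceAccount, so every pod that runs as that account can pull from the private registry without repeating the secret in each pod spec. The registry host, image path and service account name are constructed for the example.

```yaml
# Added example, not from the original notes. Registry and image names are constructed.
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
spec:
  # Secret "regcred" (type kubernetes.io/dockerconfigjson) must exist
  # in the same namespace as the pod; it is created with
  # kubectl create secret docker-registry regcred ... -n payments
  imagePullSecrets:
  - name: regcred
  containers:
  - name: api
    # full private registry path, exactly as the registry names it
    image: registry.example.com/payments/api:1.4.2
    imagePullPolicy: Always
    ports:
    - containerPort: 8080
---
# Alternative: put the pull secret on the ServiceAccount instead.
# Pods with serviceAccountName: payments-runner inherit it automatically.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-runner
  namespace: payments
imagePullSecrets:
- name: regcred
```

If the secret is missing or the credentials are wrong, the pod stays in ImagePullBackOff and `kubectl describe pod payments-api -n payments` shows the registry's authentication error in the Events section, which is the first thing to check when a private image will not start.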
