I am playing around with Minikube and I created a test user with certificates (mueller). He has set the CN of his certificate to mueller and the O to development.
Here is my role:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: development
  name: read-development-pods
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
and my rolebinding:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-development-pods-rb
  namespace: development
subjects:
- kind: User
  name: mueller
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: read-development-pods
  apiGroup: rbac.authorization.k8s.io
Also, I have my certificates set in the kubeconfig. The rules work fine.
Now my question is: can I get rid of my rolebinding? Having a rolebinding for each user is not very comfortable, and I think I read somewhere that Kubernetes is able to use the O field of the user's certificate to automatically bind to the roles that are written in that field.
Whenever you've successfully confirmed an entity object within one of the K8s authentication strategies in the Kubernetes API, a typical request may consist of some attribute properties which define how the cluster visitor can be authorized through one of the specific modules.
As per official Kubernetes documentation:
As of Kubernetes 1.4, client certificates can also indicate a user’s group memberships using the certificate’s organization fields. To include multiple group memberships for a user, include multiple organization fields in the certificate.
For example, using the openssl command line tool to generate a certificate signing request:
openssl req -new -key jbeda.pem -out jbeda-csr.pem -subj "/CN=jbeda/O=app1/O=app2"
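As an added example (not part of the question or the answer above, and not Kubernetes project code), the following Python shows what the quoted documentation implies for the question: the certificate's CN becomes the username and each O field becomes a group, so one RoleBinding whose subject is kind Group covers every certificate carrying O=development, and the per-user binding is no longer needed. The subject-string parsing is a simplified stand-in for the API server's x509 authenticator, and the namespace and role names are the ones from the question.

```python
"""Added example: how client-certificate O fields become Kubernetes groups and
how a Group-subject RoleBinding replaces one RoleBinding per user.

Assumption (labelled): subject_to_identity() is a simplified model of the
API server's x509 authenticator (CN -> username, every O -> a group). It
parses an openssl-style "-subj" string rather than a real certificate."""


def subject_to_identity(subj: str):
    """Map "/CN=mueller/O=development/O=qa" to (username, groups):
    CN is the user, each O is a group, kept in certificate order."""
    user = None
    groups = []
    for part in subj.strip("/").split("/"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    if user is None:
        raise ValueError("certificate subject has no CN")
    return user, groups


def group_rolebinding(namespace: str, group: str, role: str) -> dict:
    """Build a RoleBinding whose subject is a Group, so any certificate
    with O=<group> is bound to <role> without a per-user object."""
    return {
        "kind": "RoleBinding",
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "metadata": {"name": f"{role}-{group}-rb", "namespace": namespace},
        "subjects": [
            {"kind": "Group", "name": group,
             "apiGroup": "rbac.authorization.k8s.io"},
        ],
        "roleRef": {"kind": "Role", "name": role,
                    "apiGroup": "rbac.authorization.k8s.io"},
    }


def binding_matches(binding: dict, user: str, groups) -> bool:
    """True if any subject of the binding covers this identity: a User
    subject must equal the username, a Group subject must be one of the
    caller's groups. Mirrors the RBAC subject check in spirit only."""
    for subj in binding["subjects"]:
        if subj["kind"] == "User" and subj["name"] == user:
            return True
        if subj["kind"] == "Group" and subj["name"] in groups:
            return True
    return False


def to_yaml(value, indent: int = 0) -> str:
    """Minimal YAML renderer (dicts, lists, scalars) so the manifest can be
    printed in the form you would pass to `kubectl apply -f -`."""
    pad = "  " * indent
    if isinstance(value, dict):
        lines = []
        for k, v in value.items():
            if isinstance(v, (dict, list)):
                lines.append(f"{pad}{k}:")
                lines.append(to_yaml(v, indent + 1))
            else:
                lines.append(f"{pad}{k}: {v}")
        return "\n".join(lines)
    if isinstance(value, list):
        lines = []
        for item in value:
            body = to_yaml(item, indent + 1).splitlines()
            lines.append(f"{pad}- {body[0].lstrip()}")
            lines.extend(body[1:])
        return "\n".join(lines)
    return f"{pad}{value}"


if __name__ == "__main__":
    # Constructed subject matching the question's user: CN=mueller, O=development.
    user, groups = subject_to_identity("/CN=mueller/O=development")
    rb = group_rolebinding("development", "development", "read-development-pods")
    print(to_yaml(rb))
    print("mueller bound via group:", binding_matches(rb, user, groups))
```

A user whose certificate carries O=qa but not O=development is not matched by this binding, which is the property that makes the group subject a safe replacement for the per-user one: membership is decided by what the CA signed into the certificate, so issuing certificates with the right O field is where access control now lives.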