Kubernetes Role Management with NGINX Ingress

3/20/2020

I have a Kubernetes Cluster running on Azure (AKS) with NGINX Ingress in front.

I'm a little bit confused about how to separate access to the different resources for multiple users.

The users should work on the apps. That's why it is fine if they can read logs and descriptions and exec some commands inside of the pods. But they should never adjust any Ingress resources.

Microsoft provides a very good tutorial on how to handle cases like that on AKS: https://docs.microsoft.com/en-us/azure/aks/azure-ad-rbac

There is an example of how to add permissions for a group to the whole namespace.

My question is now: how can I add permissions for a group to specific resources inside of a namespace?

For example, I have the following resources:

resource               type        namespace

ingress-controller     pod         nginx-ingress
ingress-service        service     nginx-ingress
ingress-nginx          ingress     nginx-ingress
app1-service           service     nginx-ingress
app1                   pod         nginx-ingress
app2-service           service     nginx-ingress
app2                   pod         nginx-ingress

From my understanding I need to deploy all of them in the same namespace, otherwise the ingress can't forward the requests. But how can I grant read, write and execute permissions to group1 for app1 and app1-service, and read to the rest?

-- Nico Schuck
azure
kubernetes

2 Answers

3/20/2020

I don't think that's true at all, you can have ingress resources in different namespaces. Also, you can actually refer to resource names in RBAC.

https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources

-- 4c74356b41
Source: StackOverflow

3/20/2020

You can specify specific resources by name in RBAC roles with the resourceNames field.

Create a Role that allows full access to app1 and app1-service:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app1-admin
  # A Role is namespaced: apply it with -n nginx-ingress (or set metadata.namespace).
rules:
- apiGroups:
  - ""                 # core API group (Pods, Services)
  # resourceNames is an exact-match allow-list that applies to every resource in this rule.
  # Note: "create" cannot be restricted by name (the name is not known at authorization time),
  # and neither can "list" or "watch". The "create" verb here is effectively only useful for
  # pods/exec, where the request is made against the named, already-existing Pod.
  resourceNames:
  - app1
  - app1-service
  resources:
  - pods
  - pods/exec          # required for `kubectl exec`; the verb for exec is "create"
  - services           # the plural API resource name is "services", not "service"
  verbs:
  - get
  - list
  - watch
  - create

Create a Role that allows read access to all other Pods and Services:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-all
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - services           # plural API resource name
  verbs:
  - get
  - list
  - watch

Create two RoleBindings that bind both of these Roles to the group1 group:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app1-admin-group1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: app1-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: group1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-all-group1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: read-all
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: group1

Now, members of group1 should have full access to Pod app1 and Service app1-service, but only read access to all other resources.

-- weibeld
Source: StackOverflow
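To see what the two Roles above actually grant once RBAC's matching rules are applied, here is a small model of the authorizer's decision logic. This is an added illustration, not code from the answer or from Kubernetes itself: it mirrors the documented semantics (verb, apiGroup, resource and subresource matching, exact-match `resourceNames`, additive deny-by-default evaluation across all bound Roles) and, like the real authorizer, treats the name of a `create`, `list` or `watch` request as empty because it is not known at authorization time. The request cases and the `app1`/`app2` names are constructed from the question; the Ingress API group is assumed to be `networking.k8s.io`.

```python
"""Model of Kubernetes RBAC rule evaluation (added example, not the upstream
authorizer).  Assumptions: resource names match exactly, a create/list/watch
request carries no object name, and RBAC is additive with deny-by-default."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)


@dataclass
class Request:
    verb: str
    resource: str            # e.g. "pods"
    name: str = ""           # empty for create/list/watch: the name is not known yet
    subresource: str = ""    # e.g. "exec" for `kubectl exec`
    api_group: str = ""      # "" is the core group; assumed "networking.k8s.io" for Ingress


def rule_allows(rule: Rule, req: Request) -> bool:
    """Does one PolicyRule permit this request? All four dimensions must match."""
    combined = f"{req.resource}/{req.subresource}" if req.subresource else req.resource
    verb_ok = "*" in rule.verbs or req.verb in rule.verbs
    group_ok = "*" in rule.api_groups or req.api_group in rule.api_groups
    resource_ok = (
        "*" in rule.resources
        or combined in rule.resources
        or (bool(req.subresource) and f"*/{req.subresource}" in rule.resources)
    )
    # Empty resourceNames means "any name".  A non-empty list is an exact match
    # on the request's name, so a nameless create/list/watch never matches it.
    name_ok = not rule.resource_names or req.name in rule.resource_names
    return verb_ok and group_ok and resource_ok and name_ok


def allowed(roles: dict, req: Request) -> bool:
    """RBAC is purely additive: any matching rule in any bound Role allows the request."""
    return any(rule_allows(r, req) for rules in roles.values() for r in rules)


# The two Roles from the answer (with the resource spelled "services").
GROUP1_ROLES = {
    "app1-admin": [
        Rule(api_groups=[""], resources=["pods", "pods/exec", "services"],
             resource_names=["app1", "app1-service"],
             verbs=["get", "list", "watch", "create"]),
    ],
    "read-all": [
        Rule(api_groups=[""], resources=["pods", "services"],
             verbs=["get", "list", "watch"]),
    ],
}


def exec_into(pod: str) -> Request:
    # `kubectl exec` is POST .../pods/<name>/exec: verb "create" on subresource "exec".
    return Request("create", "pods", name=pod, subresource="exec")


def report(roles: dict = GROUP1_ROLES) -> dict:
    """Evaluate constructed requests against the bound Roles; label -> allowed."""
    only_app1_admin = {"app1-admin": roles["app1-admin"]}
    cases = {
        "exec into app1": allowed(roles, exec_into("app1")),
        "exec into app2": allowed(roles, exec_into("app2")),
        "get service app1-service": allowed(roles, Request("get", "services", name="app1-service")),
        "get pod app2 (via read-all)": allowed(roles, Request("get", "pods", name="app2")),
        "list pods (via read-all)": allowed(roles, Request("list", "pods")),
        "list pods (app1-admin only)": allowed(only_app1_admin, Request("list", "pods")),
        "create pod app1": allowed(roles, Request("create", "pods")),   # nameless at authz time
        "delete pod app1": allowed(roles, Request("delete", "pods", name="app1")),
        "get ingress ingress-nginx": allowed(
            roles, Request("get", "ingresses", name="ingress-nginx", api_group="networking.k8s.io")),
    }
    return cases


if __name__ == "__main__":
    for label, ok in report().items():
        print(f"{'ALLOW' if ok else 'DENY':5}  {label}")
```

Two things the table makes visible: `resourceNames` does nothing for `create` (including creating a Pod called `app1`), so "full access" here really means get/exec on the named Pod and get on the named Service, and with `app1-admin` alone `list pods` is denied, which is why the `read-all` Role is what makes `kubectl get pods` work at all. Ingress resources stay untouchable because nothing grants the `networking.k8s.io` group. On a real cluster the same check is `kubectl auth can-i create pods --subresource=exec -n nginx-ingress --as=someuser --as-group=group1` (and `kubectl auth can-i update ingresses ...` should answer `no`). The current RBAC documentation notes that newer releases do let `list`/`watch` be restricted by `resourceNames` when the client sends a matching `metadata.name` field selector; the model above uses the stricter classic behaviour.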