Controlling application access to different namespace using RBAC in kubernetes

4/18/2020

I am trying to find out the minimum privileges required for applications to communicate in Kubernetes for the scenarios below:

  1. App1 is in namespace 1 and app2 is in namespace 2
  2. App1 is in cluster 1 and app2 is in cluster 2

I have deployed a sample application in my cluster (https://github.com/kubernetes/kubernetes/tree/release-1.2/examples/guestbook) in two different namespaces.

However, though I associate these applications with a service account that has no privileges in the respective namespaces, my PHP application is still able to reach the Redis application. I was expecting it to throw an error. How are my applications functioning even after giving my service account no roles?

Below is the role I associated with my service account:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: no-access-cr
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: [""]
  verbs: [""]

Kindly assist!!!

-- sai prashanth
azure-kubernetes
google-kubernetes-engine
kubernetes
kubernetes-pod

1 Answer

4/20/2020

RBAC policies that you're applying to applications have nothing to do with networking (L3/L4) itself. They are related to L7 access to the k8s APIs (kube-apiserver) and therefore to the k8s objects exposed via these APIs.

If you want to restrict access between the apps on the networking level (L3/L4), you need to apply network policies. Also, depending on the network plugin, e.g. Calico, policies can be used.

-- Anton Matsiuk
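The two-namespace case from the question, expressed as NetworkPolicy objects rather than RBAC. This is an added example and not code from the question, the answer, or the guestbook project; it assumes the namespaces are called ns1 and ns2, that ns1 carries the label name=ns1, and that the pods keep the guestbook labels (app=guestbook,tier=frontend for the PHP frontend, app=redis,tier=backend for Redis). The first object denies all ingress to every pod in ns2; the second re-opens only Redis port 6379, and only for frontend pods that are in ns1.

```yaml
# Added example (assumed names: namespaces ns1/ns2, label name=ns1 on ns1,
# guestbook pod labels). Apply with: kubectl apply -f <this-file>
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: ns2
spec:
  podSelector: {}          # empty selector selects every pod in ns2
  policyTypes:
  - Ingress                # Ingress listed with no rules: all inbound traffic denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-from-ns1
  namespace: ns2
spec:
  podSelector:             # the policy protects the Redis pods only
    matchLabels:
      app: redis
      tier: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    # namespaceSelector and podSelector in the SAME list item are ANDed:
    # the peer must be in ns1 AND carry the frontend labels.
    - namespaceSelector:
        matchLabels:
          name: ns1
      podSelector:
        matchLabels:
          app: guestbook
          tier: frontend
    ports:
    - protocol: TCP
      port: 6379           # Redis; every other port stays denied
```

Two caveats a practitioner should check. First, a NetworkPolicy is only enforced if the cluster's network plugin implements it (Calico does; on AKS and GKE the policy add-on has to be enabled for the cluster); with a plugin that ignores policies the manifest applies cleanly but changes nothing, which looks exactly like the situation described in the question. Second, the RBAC side can be verified independently of any network traffic with the built-in subject access review, for example `kubectl auth can-i --list --as=system:serviceaccount:ns1:<service-account> -n ns2`, which prints what the bound roles allow against the API server and nothing about pod-to-pod reachability.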
Source: StackOverflow