How to delete subject from cluster role binding in GKE using Cloud Shell

5/12/2020

I have created a ClusterRole:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: restricted-pods-role
rules:
- apiGroups:
  - extensions
  resources:
  - podsecuritypolicies
  resourceNames:
  - restricted-psp
  verbs:
  - use

I have given cluster-admin privileges to the user account alex.pitt@xcom.net through a ClusterRoleBinding, using the command below:

kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user alex.pitt@xcom.net

Now I want to give the same cluster-admin privileges to dave.pot@xcom.net instead of alex.pitt@xcom.net.

How can I do it from Cloud Shell?

-- Kubespecial
google-kubernetes-engine

1 Answer

5/12/2020

I want to give the same cluster-admin privileges to dave.pot@xcom.net instead of alex.pitt@xcom.net. How can I do it from Cloud Shell?

  • You can do it in a single command from Cloud Shell with kubectl patch. Copy the command and replace newuser@domain.com with the desired user:
kubectl patch clusterrolebinding cluster-admin-binding -p '{"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"User","name":"newuser@domain.com"}]}'
  • Or you can edit the manifest on the fly using the default text editor (usually vi):

kubectl edit clusterrolebinding cluster-admin-binding


One thing I'd like to comment on:

  • I noticed you created a ClusterRole called restricted-pods-role, and in the second part you are assigning the role cluster-admin to the user, which gives full control over the cluster.

  • You made it reasonably clear in the question that this was your intention, but in case what you want to achieve is to assign the newly created role to the user, the command would be:

kubectl create clusterrolebinding restricted-pods-binding --clusterrole restricted-pods-role --user someuser@domain.com
  • It's worth mentioning that a ClusterRoleBinding grants the permissions defined in a ClusterRole to a user or a set of users. It holds a list of subjects (users, groups, or service accounts), so you can use the same binding for multiple users.

Reproduction:

  • I deployed the ClusterRoleBinding as in your example:
$ k get clusterrolebinding cluster-admin-binding -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2020-05-12T14:55:14Z"
  name: cluster-admin-binding
  resourceVersion: "48399"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin-binding
  uid: 7a5055e3-e464-405c-9ed2-891eb671a948
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: alex.pitt@xcom.net
  • And applied the patch as instructed above:
$ kubectl patch clusterrolebinding cluster-admin-binding -p '{"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"User","name":"newuser@domain.com"}]}'
clusterrolebinding.rbac.authorization.k8s.io/cluster-admin-binding patched

$ k get clusterrolebinding cluster-admin-binding -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2020-05-12T14:55:14Z"
  name: cluster-admin-binding
  resourceVersion: "49703"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin-binding
  uid: 7a5055e3-e464-405c-9ed2-891eb671a948
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: newuser@domain.com

As you can see, the user was replaced.

If you still have any questions regarding this procedure let me know in the comments.

-- willrof
Source: StackOverflow
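The accepted answer's `kubectl patch -p '{"subjects":[...]}'` works because RBAC subjects carry no merge key, so the default strategic merge replaces the whole subjects list rather than merging into it. That is exactly right when the binding holds one user, but on a binding shared by several subjects it silently drops the others. The following added example (not code from the original question or answer) builds the two alternatives side by side: the answer's replace-the-list payload, and an RFC 6902 JSON Patch (`kubectl patch --type json`) that swaps, removes or appends a single subject while leaving the rest untouched, guarded by a `test` op so the API server rejects the patch if the binding changed between your `get` and your `patch`. `BINDING` is a constructed stand-in for `kubectl get clusterrolebinding cluster-admin-binding -o json`, and the `platform-admins@xcom.net` Group subject in it is invented purely to make the difference visible; the small local applier exists only to dry-run a patch before it touches the cluster.

```python
"""Build kubectl patches that swap, remove or add one subject on a
ClusterRoleBinding, and dry-run them locally before sending them to the
API server.  Added example, not code from the original post.  BINDING is a
constructed stand-in for `kubectl get clusterrolebinding ... -o json`; the
Group subject is invented to show what each patch type does to the *other*
entries in the list."""
import copy
import json

RBAC_GROUP = "rbac.authorization.k8s.io"

BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "cluster-admin-binding"},
    "roleRef": {"apiGroup": RBAC_GROUP, "kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [
        {"apiGroup": RBAC_GROUP, "kind": "User", "name": "alex.pitt@xcom.net"},
        {"apiGroup": RBAC_GROUP, "kind": "Group", "name": "platform-admins@xcom.net"},  # constructed
    ],
}


def user_subject(name):
    return {"apiGroup": RBAC_GROUP, "kind": "User", "name": name}


def subject_names(binding):
    return [s["kind"] + "/" + s["name"] for s in binding.get("subjects") or []]


def find_subject(binding, kind, name):
    """Index of the subject in the fetched object; JSON Patch paths are positional."""
    for i, s in enumerate(binding.get("subjects") or []):
        if s.get("kind") == kind and s.get("name") == name:
            return i
    raise LookupError("%s/%s is not a subject of %s" % (kind, name, binding["metadata"]["name"]))


# --- what the answer's command does ------------------------------------------
def merge_patch_payload(new_subjects):
    """Payload for `kubectl patch ... -p`.  RBAC subjects have no merge key, so
    the default strategic merge does not merge the list: it replaces it wholesale."""
    return json.dumps({"subjects": new_subjects}, separators=(",", ":"))


def apply_merge_patch(binding, new_subjects):
    """Local model of that replace-the-list semantics."""
    out = copy.deepcopy(binding)
    out["subjects"] = copy.deepcopy(new_subjects)
    return out


# --- surgical edits with RFC 6902 (`kubectl patch --type json`) ---------------
def json_patch_swap_subject(binding, old_user, new_user):
    """Replace exactly one User, leaving every other subject in place.  The
    leading `test` op makes the API server reject the patch if that slot no
    longer holds old_user (the binding changed between our get and our patch)."""
    idx = find_subject(binding, "User", old_user)
    return [
        {"op": "test", "path": "/subjects/%d" % idx, "value": user_subject(old_user)},
        {"op": "replace", "path": "/subjects/%d" % idx, "value": user_subject(new_user)},
    ]


def json_patch_remove_subject(binding, kind, name):
    idx = find_subject(binding, kind, name)
    return [
        {"op": "test", "path": "/subjects/%d" % idx, "value": binding["subjects"][idx]},
        {"op": "remove", "path": "/subjects/%d" % idx},
    ]


def json_patch_add_subject(subject):
    """`-` appends; the binding must already have a subjects list."""
    return [{"op": "add", "path": "/subjects/-", "value": subject}]


def apply_json_patch(binding, patch):
    """Minimal RFC 6902 applier covering the /subjects/<n> paths built above, so
    a patch can be dry-run on the fetched object before it touches the cluster."""
    out = copy.deepcopy(binding)
    subjects = out.get("subjects") or []
    out["subjects"] = subjects
    for op in patch:
        field, _, index = op["path"].strip("/").partition("/")
        if field != "subjects":
            raise ValueError("unsupported path " + op["path"])
        if op["op"] == "add" and index == "-":
            subjects.append(copy.deepcopy(op["value"]))
            continue
        idx = int(index)
        if op["op"] == "test":
            if idx >= len(subjects) or subjects[idx] != op["value"]:
                raise ValueError("test failed at %s: binding changed, re-fetch and retry" % op["path"])
        elif op["op"] == "replace":
            subjects[idx] = copy.deepcopy(op["value"])
        elif op["op"] == "remove":
            del subjects[idx]
        else:
            raise ValueError("unsupported op " + op["op"])
    return out


def kubectl_command(binding, patch):
    """The command to run in Cloud Shell once the local dry run looks right."""
    return "kubectl patch clusterrolebinding %s --type json -p '%s'" % (
        binding["metadata"]["name"], json.dumps(patch, separators=(",", ":")))


if __name__ == "__main__":
    swap = json_patch_swap_subject(BINDING, "alex.pitt@xcom.net", "dave.pot@xcom.net")
    print(kubectl_command(BINDING, swap))
    print("json patch keeps the group:", subject_names(apply_json_patch(BINDING, swap)))
    replaced = apply_merge_patch(BINDING, [user_subject("dave.pot@xcom.net")])
    print("merge patch drops it:     ", subject_names(replaced))
```

Whichever form you use, confirm the result from the cluster's point of view rather than from the YAML: `kubectl auth can-i '*' '*' --as dave.pot@xcom.net` should answer `yes` and the same query `--as alex.pitt@xcom.net` should answer `no` (impersonation needs a caller with cluster-admin, which is the case here). On GKE, also remember that project IAM roles such as roles/container.admin grant cluster access independently of RBAC, so removing a subject from a ClusterRoleBinding revokes nothing if the account still holds such a role.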