Give access to single pod in kubernetes using RBAC

7/23/2020

I want to access only one pod remotely using kubectl, so I followed the instructions mentioned here.

In order to do so, I created an access.yml file in kubernetes:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: devops-user
  namespace: default

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: devops-user-limited-access
  namespace: default
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: devops-user-view
  namespace: default
subjects:
- kind: ServiceAccount
  name: devops-user
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: devops-user-limited-access

On my remote laptop I created a file in ~/.kube/config like this:

apiVersion: v1
kind: Config
preferences: {}

# Define the cluster
clusters:
- cluster:
    certificate-authority-data: <my-ca.crt>
    # You'll need the API endpoint of your Cluster here:
    server: https://<server-ip>:6443
  name: kubernetes

# Define the user
users:
- name: devops-user
  user:
    as-user-extra: {}
    client-key-data: <my-ca.crt>
    token: <token-created-by-k8s>

# Define the context: linking a user to a cluster
contexts:
- context:
    cluster: kubernetes
    namespace: default
    user: devops-user
  name: default

# Define current context
current-context: default

Now I have "full access" to "all pods", but this is not what I want. I just want to have:

I want "full access" to only "one pod".

-- Vahid F
devops
kubernetes
rbac

2 Answers

7/23/2020

I would suggest a different approach to solve this. You can label the pods with a specific key-value pair and then use the OPA policy engine and write a policy in the Rego policy language which allows a specific service account to do certain operations, such as read or write, on pods with that specific label.

In OPA a validating webhook will either allow or deny the request based on the policy you define.

As suggested in other answers, the RBAC offered by Kubernetes will not work if your pods are created by a deployment, because pod names are dynamically generated in that case. Using OPA you can have more fine-grained control than Kubernetes RBAC.

-- Arghya Sadhu
Source: StackOverflow

7/23/2020

Just add this to your role file:

resourceNames: ["POD_NAME"]

So your role YAML file should look like this:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: devops-user-limited-access
  namespace: default
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["pods", "pods/log"]
  resourceNames: ["POD_NAME"]  # <------------------------------- here
  verbs: ["get", "list"]

-- Dashrath Mundkar
Source: StackOverflow
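Both answers turn on how the RBAC authorizer matches a request against a Role's rules: `resourceNames` restricts a rule to named objects, so a pod created by a Deployment (whose name carries a generated suffix) falls outside the rule, and a `list` request, which carries no object name, is not matched at all. The following Python script is an added example, not code from the thread or from Kubernetes; it approximates the authorizer's rule matching so a Role can be sanity-checked offline. The two roles are embedded as Python dicts mirroring the YAML in the question and in the second answer, and the pod names (`POD_NAME`, `web-7d9f8c6b5-x2k4q`) are constructed for illustration.

```python
"""Offline evaluator for Kubernetes RBAC Role rules.

Added example: this is not the RBAC authorizer itself, only an approximation of
how it matches a request (verb, API group, resource, object name) against the
rules of a Role. Roles below mirror the YAML from the question and the accepted
answer; pod names are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """Attributes of an API request that RBAC rules are matched against."""
    verb: str           # get, list, watch, create, update, delete, ...
    api_group: str      # "" is the core group (pods, secrets, ...)
    resource: str       # "pods" or the subresource form "pods/log"
    name: str = ""      # empty for collection requests such as list/watch


def _matches(wanted: str, allowed: list) -> bool:
    """A rule entry of "*" matches anything; otherwise require an exact entry."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule: dict, req: Request) -> bool:
    """Return True when a single PolicyRule grants the request."""
    if not _matches(req.verb, rule.get("verbs", [])):
        return False
    if not _matches(req.api_group, rule.get("apiGroups", [])):
        return False
    if not _matches(req.resource, rule.get("resources", [])):
        return False
    names = rule.get("resourceNames", [])
    if names:
        # resourceNames only ever narrows a rule: the request must carry one of
        # the listed names. A list/watch request has no name, so it is denied.
        return req.name in names
    return True


def role_allows(role: dict, req: Request) -> bool:
    """A Role grants a request if any one of its rules does (rules are additive)."""
    return any(rule_allows(rule, req) for rule in role["rules"])


# Role from the question: everything in the core, extensions and apps groups.
ORIGINAL_ROLE = {
    "rules": [
        {"apiGroups": ["", "extensions", "apps"], "resources": ["*"], "verbs": ["*"]},
    ]
}

# Role from the second answer: read access to one named pod and its logs.
LIMITED_ROLE = {
    "rules": [
        {
            "apiGroups": ["", "extensions", "apps"],
            "resources": ["pods", "pods/log"],
            "resourceNames": ["POD_NAME"],
            "verbs": ["get", "list"],
        },
    ]
}

# Constructed sample requests. The second pod name imitates the generated
# suffix a Deployment's ReplicaSet appends, which is what the first answer warns about.
SAMPLE_REQUESTS = {
    "get named pod":        Request("get", "", "pods", "POD_NAME"),
    "get named pod logs":   Request("get", "", "pods/log", "POD_NAME"),
    "get deployment pod":   Request("get", "", "pods", "web-7d9f8c6b5-x2k4q"),
    "list pods":            Request("list", "", "pods"),
    "delete named pod":     Request("delete", "", "pods", "POD_NAME"),
    "get deployment":       Request("get", "apps", "deployments", "web"),
}


def evaluate(role: dict) -> dict:
    """Map each sample request label to whether the given Role allows it."""
    return {label: role_allows(role, req) for label, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for title, role in (("original role", ORIGINAL_ROLE), ("limited role", LIMITED_ROLE)):
        print(f"== {title} ==")
        for label, allowed in evaluate(role).items():
            print(f"  {label:<22} {'ALLOW' if allowed else 'deny'}")
```

Against the limited Role the evaluator allows `get` on `POD_NAME` and its logs and denies everything else, including `list pods` (no name to match) and any `get` on the Deployment-generated pod name; against the original Role every request is allowed. On a live cluster the equivalent check is `kubectl auth can-i get pods/POD_NAME --as=system:serviceaccount:default:devops-user -n default`, which asks the API server's own authorizer rather than this approximation.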