
Kube User Authorization

What is the best way we can add users to the kube system, or "kube", with limited authorizations? The kube currently contains two types of user, explored with $ kubectl get rolebindings,

  1. Users with "view" ClusterRoles are permitted to view everything.
  2. Users with "admin" ClusterRoles are permitted to do all things.

Before looking at new roles, consider this message from a kubernetes discussion group member: "user management tends to get complicated quickly." Services like https://rancher.com/ exist for this reason, hence this caution: keep things simple.


Authentication

User authentication is currently handled with kube-generated certificates. Note that authentication (who the caller is) differs from authorization (what the caller may do). A user name is embedded in a certificate and, basically, when a kube command is given with that certificate, the command is identified with that certificate's user. A downside of certificates is that they can't be revoked and must expire instead. Certificate authentication is probably OK for now.

Certificates are described here and a step-by-step for generating user certificates like the ones we use is here, at "Use case 1".


Authorization Things


Goal

"Jennifer" needs to create, update and delete social-profile resources. She doesn't need access to the rest of the kube for things like deleting resources in the "database" namespace or creating new clusterroles. There are many ways to organize this but the suggestion here boils down to the following,

  1. create a "social-profile" namespace,
  2. add resources to the social-profile namespace,
  3. create a role with broad permissions to resources in the social-profile namespace,
  4. bind the role to the Jennifer user

Having separated permissions, we give ourselves the ability to see and change details for specific users quickly. Surprisingly, kube does not provide a practical way to list users or to view all Roles bound to a user. With this shortcoming, how can we manage Users and Roles?

Note: Kube can be used to list Roles and RoleBindings, and those can be inspected individually to find user names, but doing this manually is slow and error prone.


Solution

An easy solution is to use in-house naming conventions that kube does not enforce.

Use namespace-specific Roles and embed the namespace and role in the Role name, for example social-profile:developer or social-profile:admin. Because kubectl sorts its listing by name, the social-profile: roles appear together, compactly showing the roles available in that namespace. Furthermore, we can create, modify and delete these roles without affecting other namespaces :),

social-profile:developer

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: social-profile:developer
# A ClusterRole carries no namespace; the RoleBinding below scopes it to social-profile.
rules:
# RBAC resource names are plural; pods and services live in the core ("") API group.
- apiGroups: [""]
  resources:
  - pods
  - services
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
# deployments live in the "apps" API group, so they need a rule of their own.
- apiGroups: ["apps"]
  resources:
  - deployments
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]

Use user-specific RoleBindings and embed the user name and role name in the RoleBinding name, for example jennifer@iconicengine.com:social-profile:developer. When listing RoleBindings, the jennifer@iconicengine.com: bindings appear together, showing all roles bound to that user. Listing these RoleBindings also lists the names of all users that have role bindings. We can create, modify and delete these RoleBindings without affecting other users,

jennifer@iconicengine.com:social-profile:developer

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jennifer@iconicengine.com:social-profile:developer
  namespace: social-profile        # the binding, and so the grant, is limited to this namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole                # a ClusterRole referenced from a RoleBinding applies only here
  name: social-profile:developer
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: jennifer@iconicengine.com  # must match the user name embedded in the certificate

Following these conventions would allow us to create and delete users and roles without breaking things and quickly list users and namespace-roles. RoleBindings are namespaced, so listing them across the whole kube needs kubectl get rolebindings --all-namespaces (or -n social-profile for one namespace). For example, these commands would be possible,

$ kubectl get clusterroles
NAME                         AGE
admin                        2y356d
social-profile:developer     20d
social-profile:admin         20d
venom-api:developer          20d
venom-api:deployment         20d
venom-api:admin              20d

$ kubectl get rolebindings
NAME                                               AGE
cdepauw@iconicengine.com:social-profile:admin      20d
cdepauw@iconicengine.com:venom-api:admin           20d
jennifer@iconicengine.com:social-profile:developer    33d
jennifer@iconicengine.com:venom-api:deployment        33d
jennifer@iconicengine.com:venom-api:developer         34d

$ kubectl get rolebindings | grep cdepauw
cdepauw@iconicengine.com:social-profile:admin      20d
cdepauw@iconicengine.com:venom-api:admin           20d
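Because kube does not enforce these names, a binding can drift from what its name claims (an extra subject, a changed roleRef, a binding created outside the convention). The script below is an added example, not part of this note or of kube itself; it reads the JSON form of kubectl get rolebindings -A -o json (here a constructed, hypothetical sample embedded inline), builds each user's real grants from the subjects and roleRef, and reports bindings whose contents disagree with their names.

```python
"""Audit RoleBindings against the <user>:<namespace>:<role> naming convention."""
import json
from collections import defaultdict
# Constructed sample shaped like `kubectl get rolebindings -A -o json` (third binding ignores the convention).
SAMPLE_JSON = """{"items": [
 {"metadata": {"name": "jennifer@iconicengine.com:social-profile:developer",
               "namespace": "social-profile"},
  "roleRef": {"kind": "ClusterRole", "name": "social-profile:developer"},
  "subjects": [{"kind": "User", "name": "jennifer@iconicengine.com"}]},
 {"metadata": {"name": "cdepauw@iconicengine.com:social-profile:admin",
               "namespace": "social-profile"},
  "roleRef": {"kind": "ClusterRole", "name": "social-profile:admin"},
  "subjects": [{"kind": "User", "name": "cdepauw@iconicengine.com"},
               {"kind": "User", "name": "jennifer@iconicengine.com"}]},
 {"metadata": {"name": "legacy-binding", "namespace": "database"},
  "roleRef": {"kind": "ClusterRole", "name": "admin"},
  "subjects": [{"kind": "User", "name": "jennifer@iconicengine.com"}]}
]}"""

def load_items(text):
    """Return the binding list from kubectl's JSON list output."""
    return json.loads(text)["items"]

def parse_binding_name(name):
    """Split 'user:namespace:role' into parts; None if the name breaks the convention."""
    parts = name.split(":")
    if len(parts) != 3 or not all(parts):
        return None
    return dict(zip(("user", "namespace", "role"), parts))

def audit(items):
    """Return (user -> {'namespace/roleRef'}, findings). The grant map comes from
    the real subjects and roleRef, not the name, so it stays truthful for bindings
    that ignore the convention; findings list where name and contents disagree."""
    grants, findings = defaultdict(set), []
    for b in items:
        name, ns = b["metadata"]["name"], b["metadata"]["namespace"]
        role = b["roleRef"]["name"]
        users = sorted(s["name"] for s in b.get("subjects", []) if s["kind"] == "User")
        for u in users:
            grants[u].add(f"{ns}/{role}")
        p = parse_binding_name(name)
        if p is None:
            findings.append(f"{ns}/{name}: not named user:namespace:role")
        elif p["namespace"] != ns or f'{p["namespace"]}:{p["role"]}' != role:
            findings.append(f"{ns}/{name}: name disagrees with namespace/roleRef {ns}/{role}")
        elif users != [p["user"]]:
            findings.append(f"{ns}/{name}: subjects {users} differ from named user {p['user']}")
    return dict(grants), findings
```

Run it against live output by piping kubectl's JSON into load_items; the findings are the bindings to fix or rename before trusting the name-based listing above.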