This workshop has been deprecated and archived. The new Amazon EKS Workshop is now available at www.eksworkshop.com.
You can refer to the intro to RBAC module to understand the basics of Kubernetes RBAC.
```bash
kubectl create namespace integration
kubectl create namespace development
```
We create a Kubernetes Role and RoleBinding in the development namespace, giving full access to the Kubernetes user dev-user:
```bash
cat << EOF | kubectl apply -f - -n development
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-role
rules:
  - apiGroups:
      - ""
      - "apps"
      - "batch"
      - "extensions"
    resources:
      - "configmaps"
      - "cronjobs"
      - "deployments"
      - "events"
      - "ingresses"
      - "jobs"
      - "pods"
      - "pods/attach"
      - "pods/exec"
      - "pods/log"
      - "pods/portforward"
      - "secrets"
      - "services"
    verbs:
      - "create"
      - "delete"
      - "describe"  # not a Kubernetes API verb: "kubectl describe" uses get/list, so this entry is accepted but has no effect
      - "get"
      - "list"
      - "patch"
      - "update"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-role-binding
subjects:
  - kind: User
    name: dev-user
roleRef:
  kind: Role
  name: dev-role
  apiGroup: rbac.authorization.k8s.io
EOF
```
The Role we define gives full access (every listed verb) to the listed resources in that namespace. Because it is a Role and not a ClusterRole, it applies only in the development namespace.
Feel free to adapt or duplicate it for any namespace you prefer.
We create a Kubernetes Role and RoleBinding in the integration namespace, giving full access to the Kubernetes user integ-user:
```bash
cat << EOF | kubectl apply -f - -n integration
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: integ-role
rules:
  - apiGroups:
      - ""
      - "apps"
      - "batch"
      - "extensions"
    resources:
      - "configmaps"
      - "cronjobs"
      - "deployments"
      - "events"
      - "ingresses"
      - "jobs"
      - "pods"
      - "pods/attach"
      - "pods/exec"
      - "pods/log"
      - "pods/portforward"
      - "secrets"
      - "services"
    verbs:
      - "create"
      - "delete"
      - "describe"  # not a Kubernetes API verb: "kubectl describe" uses get/list, so this entry is accepted but has no effect
      - "get"
      - "list"
      - "patch"
      - "update"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: integ-role-binding
subjects:
  - kind: User
    name: integ-user
roleRef:
  kind: Role
  name: integ-role
  apiGroup: rbac.authorization.k8s.io
EOF
```
The Role we define gives full access (every listed verb) to the listed resources in that namespace. Because it is a Role and not a ClusterRole, it applies only in the integration namespace.
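To check what the two Roles and RoleBindings above actually grant without a cluster, here is an added example (not part of the workshop) that answers the same question as `kubectl auth can-i <verb> <resource> --as <user> -n <namespace>`. The Role and RoleBinding objects are embedded as Python dicts mirroring the page's YAML, and the matcher is a simplified version of the RBAC authorizer: a request is allowed only when a binding in the request's namespace names the user and the referenced Role has a rule whose apiGroups, resources and verbs all match (exact match or `*`). The `SENSITIVE` watchlist and the `sensitive_grants` helper are my own review aid, not anything the workshop defines.

```python
# Offline evaluator for the namespaced Roles/RoleBindings on this page.
# Constructed example: objects mirror the page's YAML; matching logic is a
# simplified RBAC authorizer (exact or "*" match on apiGroup, resource, verb).

PAGE_RESOURCES = [
    "configmaps", "cronjobs", "deployments", "events", "ingresses", "jobs",
    "pods", "pods/attach", "pods/exec", "pods/log", "pods/portforward",
    "secrets", "services",
]
PAGE_VERBS = ["create", "delete", "describe", "get", "list", "patch", "update"]


def make_role(name, namespace):
    """Build a Role with the same single rule as dev-role / integ-role."""
    return {
        "kind": "Role",
        "metadata": {"name": name, "namespace": namespace},
        "rules": [{
            "apiGroups": ["", "apps", "batch", "extensions"],
            "resources": list(PAGE_RESOURCES),
            "verbs": list(PAGE_VERBS),
        }],
    }


def make_binding(name, namespace, user, role_name):
    """Build a RoleBinding from a User subject to a Role in the same namespace."""
    return {
        "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": namespace},
        "subjects": [{"kind": "User", "name": user}],
        "roleRef": {"kind": "Role", "name": role_name},
    }


# Constructed cluster state: exactly the objects the page's two kubectl apply calls create.
ROLES = {
    ("development", "dev-role"): make_role("dev-role", "development"),
    ("integration", "integ-role"): make_role("integ-role", "integration"),
}
BINDINGS = [
    make_binding("dev-role-binding", "development", "dev-user", "dev-role"),
    make_binding("integ-role-binding", "integration", "integ-user", "integ-role"),
]


def _matches(allowed, value):
    return "*" in allowed or value in allowed


def rule_allows(rule, api_group, resource, verb):
    """A rule grants a request only if apiGroup, resource and verb all match.
    Subresources are distinct: a rule listing "pods" does not cover "pods/exec"."""
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def can_i(user, namespace, verb, resource, api_group=""):
    """True if a RoleBinding in `namespace` names `user` and its Role allows the
    request. Nothing outside `namespace` is consulted, which is why a Role
    (unlike a ClusterRole) can never grant anything in another namespace."""
    for binding in BINDINGS:
        if binding["metadata"]["namespace"] != namespace:
            continue
        if not any(s["kind"] == "User" and s["name"] == user
                   for s in binding["subjects"]):
            continue
        role = ROLES.get((namespace, binding["roleRef"]["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        if any(rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False


# Resources worth a second look when reviewing a "full access" namespace role:
# exec/attach/portforward reach into running containers, secrets expose credentials.
SENSITIVE = {"pods/exec", "pods/attach", "pods/portforward", "secrets"}


def sensitive_grants(role):
    """List the sensitive resources a Role grants any verb on, for review."""
    granted = set()
    for rule in role["rules"]:
        if rule["verbs"]:
            granted.update(r for r in rule["resources"] if r in SENSITIVE or r == "*")
    return sorted(granted)


if __name__ == "__main__":
    for user, ns in [("dev-user", "development"), ("dev-user", "integration"),
                     ("integ-user", "integration")]:
        print(f"{user} get pods in {ns}: {can_i(user, ns, 'get', 'pods')}")
    print("sensitive grants in dev-role:",
          sensitive_grants(ROLES[("development", "dev-role")]))
```

Two things the evaluator makes visible that the YAML alone does not: `watch` is absent from the verb list, so `kubectl get pods -w` would be denied even though `get` and `list` are allowed, and the `SENSITIVE` output reminds a reviewer that "full access to a namespace" includes `pods/exec` and `secrets`, which is exactly where a namespaced grant deserves scrutiny.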