Kubernetes :: One Service Account many Namespaces

RBAC Role-Based Access Control (RBAC) is an efficient and secure method to implement security in Kubernetes. Though we have Node Authorization, Attribute Based Access Control (ABAC) and others but RBAC is mostly widely used by some of the prominent helm charts prefer RBAC.

In this blog, you can follow along to create 3 namespaces in addition to ‘default’ namespace and enable respective namespace’s default service account to access any of the namespace pods from any of the pods in the same clusters. Instead of service account, user or group can be bonded to roles created for individual namespace

Prerequisites:

1. Linux or Windows host as your playground/lab
2. 8 GB RAM & 20 GB HD
3. Kubernetes cluster {minikube} with kubectl and Helm Charts
4. Docker, docker images and Virtualbox
5. Your precious time to give it a try!

Steps:

1. Create Namespaces
2. Create Pods in the respective Namespaces
3. Create Roles
4. Create RoleBindings
5. Add Service Accounts to have read access across all namespaces
6. Try and Test until it works!

Let’s kickstart to implement RBAC in Kubernetes

1. Create Namespaces

Before creating namespaces, install Kubectl, Minikube. Start Minikube single node cluster and then install Helm Charts. Please click the respective links and follow along the steps to install respective tools before proceeding further. Once all set check minikube status

debian:ben# minikube status
 ⚠️  minikube 1.3.1 is available! Download it: https://github.com/kubernetes/minikube/releases/tag/v/1.3.1
 💡  To disable this notice, run: 'minikube config set WantUpdateNotification false'
 host: Running
 kubelet: Running
 apiserver: Running
 kubectl: Correctly Configured: pointing to minikube-vm at 10.0.2.15

debian:ben# kubectl create namespace alpha
debian:ben# kubectl create namespace beta
debian:ben# kubectl create namespace cuda
debian:ben# kubectl get namespace
NAME              STATUS   AGE
alpha             Active   15d
backup            Active   3d
beta              Active   15d
cuda              Active   15d
default           Active   16d
kube-node-lease   Active   15d
kube-public       Active   16d
kube-system       Active   16d
debian:ben#

2. Create Pods in the respective Namespaces

I’ve used Alpine Linux container image available at my docker hub repo. Also, using helm charts Postgresql pod added to each namespace created above. Manifest YAML file alpine_pod.yml and commands are as under

apiVersion: v1                   
kind: Pod                        
metadata:                        
  name: alpine-client1           
spec:                            
  containers:                    
  - name: alpine-client1         
    image: babvin/alpine_client  
    imagePullPolicy: IfNotPresent

# Create pods in Default namespace
kubectl apply -f alpine_pod.yml
helm install stable/postgresql 

# Create pods in Alpha namespace
kubectl apply -f alpine_pod.yml -n alpha
helm install stable/postgresql --namespace alpha

# Create pods in Default namespace
kubectl apply -f alpine_pod.yml -n beta
helm install stable/postgresql --namespace beta

# Create pods in Default namespace
kubectl apply -f alpine_pod.yml -n cuda 
helm install stable/postgresql --namespace cuda

# List pods created using above commands
debian:alpine# kubectl get pods -A -o name
pod/alpha-postgresql-0
pod/alpine-client1
pod/beta-postgresql-0
pod/alpine-client1
pod/cuda-postgresql-0
pod/alpine-client
pod/alpine-client1
pod/batch-every-twelve-hours-1567083420-2dwbm
pod/batch-every-twelve-hours-1567083480-b48jt
pod/batch-every-twelve-hours-1567083540-x7vfn
pod/eating-clam-postgresql-0
pod/coredns-5c98db65d4-dsh54
pod/coredns-5c98db65d4-zn4c4
pod/etcd-minikube
pod/heapster-l6p59
pod/influxdb-grafana-m9vvx
pod/kube-addon-manager-minikube
pod/kube-apiserver-minikube
pod/kube-controller-manager-minikube
pod/kube-proxy-snvc7
pod/kube-scheduler-minikube
pod/kubernetes-dashboard-7b8ddcb5d6-8gz9g
pod/logviewer-8664c4bdcd-w5vh5
pod/storage-provisioner
pod/tiller-deploy-75f6c87b87-6pcnb
debian:alpine#

3. Create Roles

RBAC uses the rbac.authorization.k8s.io API group to drive authorization decisions, allowing admins to dynamically configure policies through the Kubernetes API. Based on below 5 elements RBAC is designed to effective implement security best practices

1. Roles: Define permissions for each Kubernetes resources like pods, services, namespaces etc
2. RoleBindings: Bind role created to user and groups defined under subjects
3. Subjects: Users, groups and service accounts which are bind to the roles using rolebindings
4. Clusterroles: Used to grant access to any particular or across all namespaces based on how we configure
5. Clusterrolebindings: Similar to Rolesbindings, but for a Cluster wide access for the subjects.

Here is the yaml file to create roles for all the namespaces that we have created above. Kubernetes resources namely namespaces, pods and services and jobs are selected with read only access.

debian:alpine# cat example.yml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: example-role
rules:
- apiGroups: [""]
  resources: ["namespaces", "pods", "services", "jobs"]
  verbs: ["get", "watch", "list"]

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: alpha
  name: example-role
rules:
- apiGroups: [""]
  resources: ["namespaces", "pods", "services", "jobs"]
  verbs: ["get", "watch", "list"]
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: beta
  name: example-role
rules:
- apiGroups: [""]
  resources: ["namespaces", "pods", "services", "jobs"]
  verbs: ["get", "watch", "list"]
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: cuda
  name: example-role
rules:
- apiGroups: [""]
  resources: ["namespaces", "pods", "services", "jobs"]
  verbs: ["get", "watch", "list"]
debian:alpine#

4. Create RoleBindings

Use below yaml file to create rolebindings for the above roles. Key part to observe is that the subjects section has arrays of service accounts group from different namespaces which is the main configuration to allow criss-cross access to different namespaces. If there is a better way to do this please let me know…

debian:alpine# cat ex.binding.yml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example-rolebinding
  namespace: alpha
subjects:
- kind: Group
  name: system:serviceaccounts
  apiGroup: rbac.authorization.k8s.io
  namespace: alpha
- kind: Group
  name: system:serviceaccounts
  apiGroup: rbac.authorization.k8s.io
  namespace: beta
- kind: Group
  name: system:serviceaccounts
  apiGroup: rbac.authorization.k8s.io
  namespace: cuda
- kind: Group
  name: system:serviceaccounts
  apiGroup: rbac.authorization.k8s.io
  namespace: default
roleRef:
  kind: Role
  name: example-role
  apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example-rolebinding
  namespace: beta
subjects:
- kind: Group
  name: system:serviceaccounts
  apiGroup: rbac.authorization.k8s.io
  namespace: beta
- kind: Group
  name: system:serviceaccounts
  apiGroup: rbac.authorization.k8s.io
  namespace: alpha
- kind: Group
  name: system:serviceaccounts
  namespace: cuda
- kind: Group
  name: system:serviceaccounts
  namespace: default
roleRef:
  kind: Role
  name: example-role
  apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example-rolebinding
  namespace: cuda
subjects:
- kind: Group
  name: system:serviceaccounts
  apiGroup: rbac.authorization.k8s.io
  namespace: beta
- kind: Group
  name: system:serviceaccounts
  apiGroup: rbac.authorization.k8s.io
  namespace: alpha
- kind: Group
  name: system:serviceaccounts
  namespace: cuda
- kind: Group
  name: system:serviceaccounts
  namespace: default
roleRef:
  kind: Role
  name: example-role
  apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example-rolebinding
  namespace: default
subjects:
- kind: Group
  name: system:serviceaccounts
  apiGroup: rbac.authorization.k8s.io
  namespace: beta
- kind: Group
  name: system:serviceaccounts
  apiGroup: rbac.authorization.k8s.io
  namespace: alpha
- kind: Group
  name: system:serviceaccounts
  namespace: cuda
- kind: Group
  name: system:serviceaccounts
  namespace: default
roleRef:
  kind: Role
  name: example-role
  apiGroup: rbac.authorization.k8s.io
debian:alpine#

5. Add Service Accounts to have read access across all namespaces

# Create roles – kubectl apply -f roles.yml

# Create rolebindings – kubectl apply -f rolebindings.yml

# Ouptut of role and rolebindings creation

debian:alpine# kubectl get roles -A                                    
NAMESPACE     NAME                                             AGE     
alpha         example-role                                     3h31m   
beta          example-role                                     148m    
cuda          example-role                                     148m    
default       example-role                                     11h     
default       pod-reader                                       11h     
kube-public   kubeadm:bootstrap-signer-clusterinfo             16d     
kube-public   system:controller:bootstrap-signer               16d     
kube-system   extension-apiserver-authentication-reader        16d     
kube-system   kube-proxy                                       16d     
kube-system   kubeadm:kubelet-config-1.15                      16d     
kube-system   kubeadm:nodes-kubeadm-config                     16d     
kube-system   system::leader-locking-kube-controller-manager   16d     
kube-system   system::leader-locking-kube-scheduler            16d     
kube-system   system:controller:bootstrap-signer               16d     
kube-system   system:controller:cloud-provider                 16d     
kube-system   system:controller:token-cleaner                  16d     

debian:alpine# kubectl get rolebindings -A                             
NAMESPACE     NAME                                                AGE  
alpha         example-rolebinding                                 3h30m
beta          example-rolebinding                                 159m 
cuda          example-rolebinding                                 159m 
default       example-rolebinding                                 11h  
default       test-foo                                            11h  
kube-public   kubeadm:bootstrap-signer-clusterinfo                16d  
kube-public   system:controller:bootstrap-signer                  16d  
kube-system   kube-proxy                                          16d  
kube-system   kubeadm:kubelet-config-1.15                         16d  
kube-system   kubeadm:nodes-kubeadm-config                        16d  
kube-system   system::extension-apiserver-authentication-reader   16d  
kube-system   system::leader-locking-kube-controller-manager      16d  
kube-system   system::leader-locking-kube-scheduler               16d  
kube-system   system:controller:bootstrap-signer                  16d  
kube-system   system:controller:cloud-provider                    16d  
kube-system   system:controller:token-cleaner                     16d  
debian:alpine#                                                         

6. Try and Test until it works!

One of the ways to confirm whether service accounts can talk to pods inside the different namespaces is by Curling Kubernetes API calls. Here is the curl command. Token key is important to authenticate which is auto-generated during the pod creation. Please note below command is one line and execute by removing new lines.

curl -ik -H "Authorization: Bearer $(cat/var/run/secrets/kubernetes.io/serviceaccount/token)"    https://kubernetes.default.svc.cluster.local/api/v1/namespaces/default/pods

# Output:

kubectl -n cuda exec -it alpine-client1 -- bash

bash-5.0# printenv
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_SERVICE_PORT=443
CUDA_POSTGRESQL_PORT_5432_TCP_PROTO=tcp
HOSTNAME=alpine-client1
CUDA_POSTGRESQL_PORT_5432_TCP_PORT=5432
PWD=/client
CUDA_POSTGRESQL_PORT_5432_TCP_ADDR=10.109.178.227
HOME=/root
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
CUDA_POSTGRESQL_SERVICE_HOST=10.109.178.227
CUDA_POSTGRESQL_PORT=tcp://10.109.178.227:5432
CUDA_POSTGRESQL_PORT_5432_TCP=tcp://10.109.178.227:5432
CUDA_POSTGRESQL_SERVICE_PORT_POSTGRESQL=5432
TERM=xterm
SHLVL=1
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP_PORT=443
CUDA_POSTGRESQL_SERVICE_PORT=5432
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
_=/bin/printenv

bash-5.0# curl -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc.cluster.local/api/v1/namespaces/default/pods
  "kind": "PodList",
  "apiVersion": "v1",
  "metadata": {
    "selfLink": "/api/v1/namespaces/default/pods",
    "resourceVersion": "344123"
  },
  "items": [
    {
      "metadata": {
        "name": "alpine-client",
        "namespace": "default",
        "selfLink": "/api/v1/namespaces/default/pods/alpine-client",
        "uid": "a4b3ffe0-06a8-4344-b284-bfea61b57278",
        "resourceVersion": "296784",
        "creationTimestamp": "2019-08-29T07:35:49Z",
        "annotations": {
          "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"alpine-client\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"babvin/alpine_client\",\"imagePullPolicy\":\"IfNotPresent\",\"name\":\"alpine-client\"}]}}\n"
        }
      },
      "spec": {
        "volumes": [
          {
            "name": "default-token-sctd7",
            "secret": {
              "secretName": "default-token-sctd7",
              "defaultMode": 420
            }
          }
        ],
        "containers": [
          {
            "name": "alpine-client",
            "image": "babvin/alpine_client",
            "resources": {

            },

::: Output truncated :::

In the above output, I’ve logged into an alpine pod of cuda namespace but curl command was executed on ‘default’ namespace which showed the JSON formatted output listing out all the details of default namespace pods.

Hurray!! we now have a fully working RBAC access controlled Kubernetes LAB with multiple namespaces. Feel free to try out adding users and groups and let me know if you’re stuck…

Thanks for stopping by my blog. Your feedback is most important to me, please share by commenting below. You can also follow on Twitter – @babvin or email me vb@vinaybabu.in

References

https://kubernetes.io/docs/reference/access-authn-authz/rbac/

https://stackoverflow.com/questions/55591721/grant-kubernetes-service-account-privileges-to-get-pods-from-all-namespaces

https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/

https://stackoverflow.com/questions/42642170/how-to-run-kubectl-commands-inside-a-container

Image Credits: https://www.innovativesys.com

Advertisement

Kubernetes: Python script show containers

This blog is about a Python script which is based on Kubectl commands to display containers of each pod in a Kubernetes (k8s) cluster. AFAIK, there is no direct or simpler command to show the list of containers only.

There was a request to automate backups of all Postgres DB across all namespaces in the prod k8s clusters. I was very new to k8s and eager to learn how this stuff works. Then I was introduced to Minikube by Burr Sutter @burrsutter (burrsutter.com) who is a Java Champion and a true believer of Open Source, Community and developers. I dedicate this blog to Burr Sutter for his great work on imparting his knowledge and wisdom on K8s. I would recommend my followers and readers to go through this course who want to have deeper understanding of k8s and cloud native application development.

Coming back to the this simple Python script… This would go through each namepaces and pods to list all the containers in them. In this script, containers having word postgre is shown by matching the regex. Similarly it can be further customized according to the requirements.

#!/usr/bin/env python

from subprocess import Popen, PIPE
from re import search


def runcmd(list1):
    try:
        process = Popen(list1, stdout=PIPE, stderr=PIPE)
        stdout, stderr = process.communicate()
        return(stdout)
    except Exception as err:
        print("Error occured")
        return (stderr)


ns_cmd = ['sudo', 'kubectl', 'get', 'namespaces',
          '-o', 'jsonpath={.items[*].metadata.name}']

check = 'postgre' # Replace this with the search string
postgres = []
ns = runcmd(ns_cmd)
namespaces = ns.split()
print("namespace     >>       pod       >>     p_container")
for namespace in namespaces:
    p_cmd = ['sudo', 'kubectl', 'get', 'pods', '-n',
             namespace, '-o', 'jsonpath={.items[*].metadata.name}']

    # print(p_cmd)
    p = runcmd(p_cmd)
    # print(c)
    pods = p.split()
    for pod in pods:
        c_cmd = ['sudo', 'kubectl', 'get', 'pods', pod, '-n',
                 namespace, '-o', 'jsonpath={.spec.containers[*].name}']
        c = runcmd(c_cmd)

        containers = c.split()
        if containers:
            p_containers = [x for x in containers if search(check, x)]
            if p_containers:
                for p_container in p_containers:

                    print(namespace + ' >> ' + pod + ' >> ' + p_container)

OUTPUT:

debian:ben# minikube start --vm-driver=none --memory=3000mb --cpus=2
 ⚠️  minikube 1.3.1 is available! Download it: https://github.com/kubernetes/minikube/releases/tag/v/1.3.1
 💡  To disable this notice, run: 'minikube config set WantUpdateNotification false'
 😄  minikube v1.3.0 on Debian bullseye/sid (vbox/amd64)
 💡  Tip: Use 'minikube start -p ' to create a new cluster, or 'minikube delete' to delete this one.
 🔄  Starting existing none VM for "minikube" …
 ⌛  Waiting for the host to be provisioned …
 🐳  Preparing Kubernetes v1.15.2 on Docker 19.03.1 …
 🔄  Relaunching Kubernetes using kubeadm … 
 ⌛  Waiting for: apiserver proxy etcd scheduler controller dns
 🏄  Done! kubectl is now configured to use "minikube"

debian:ben# python list.py 
 namespace     >>       pod       >>     p_container
 alpha >> alpha-postgresql-0 >> alpha-postgresql
 beta >> beta-postgresql-0 >> beta-postgresql
 cuda >> cuda-postgresql-0 >> cuda-postgresql
 delta >> delta-postgresql-0 >> delta-postgresql

In the above output, minikube with single k8s cluster was started. I’ve created four namespaces viz alpha, beta, cuda and delta. In these namespaces created pods having postgresql containers. After running the above script we can see the simple and easy to read list of containers of each namespaces and pods.

I’ve further extended the logic to take backup of PostgreSQL with EMC Networker and DataDomain. Please reach out to me if you need the complete script.

Final words… for the new entrants into the k8s world, I would recommend you to read the blog YAML fundamentals for Kubernetes by Samrat Sen. In his first blog, he’s done a great job by explaining YAML in the most simplest way.