Request pipeline
Authentication (who?) → Authorization/RBAC (allowed?) → Admission (valid/mutate?)
Kubeconfig
- $HOME/.kube/config: clusters, users, contexts
- Context = cluster + user + optional namespace
- KUBECONFIG: merge multiple files

```shell
kubectl config view
kubectl config current-context
kubectl config use-context <name>
kubectl config set-context --current --namespace=<ns>
kubectl config set-credentials myuser --client-key=k --client-certificate=c --embed-certs=true
```
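How a merged KUBECONFIG resolves to one cluster, user and namespace, as an added example (not part of the cheat sheet): two kubeconfig files are constructed inline as dicts in the shape `kubectl config view` prints, and the merge follows the documented kubectl rules (for a duplicated cluster/user/context name the first file in the list wins; current-context comes from the first file that sets one). File names and server URLs are made up.

```python
"""Resolve the effective cluster/user/namespace from a merged KUBECONFIG.

Added illustration, not part of the cheat sheet. The two kubeconfig files are
constructed inline as dicts (the structure `kubectl config view` prints)
instead of being read from disk, so this runs offline.
"""

# Constructed sample: what $HOME/.kube/config might contain.
HOME_CONFIG = {
    "current-context": "dev",
    "clusters": [{"name": "dev-cluster", "cluster": {"server": "https://dev.example.invalid:6443"}}],
    "users": [{"name": "alice", "user": {"token": "REDACTED"}}],
    "contexts": [{"name": "dev", "context": {"cluster": "dev-cluster", "user": "alice", "namespace": "team-a"}}],
}

# Constructed sample: a second file appended via KUBECONFIG=$HOME/.kube/config:/tmp/prod.yaml
PROD_CONFIG = {
    "current-context": "prod",
    "clusters": [{"name": "prod-cluster", "cluster": {"server": "https://prod.example.invalid:6443"}}],
    "users": [
        {"name": "alice", "user": {"token": "OTHER"}},  # same name as in the first file: loses the merge
        {"name": "prod-admin", "user": {"token": "REDACTED"}},
    ],
    "contexts": [{"name": "prod", "context": {"cluster": "prod-cluster", "user": "prod-admin"}}],
}


def merge_kubeconfigs(files):
    """Merge in KUBECONFIG order: for each named cluster/user/context the first
    file defining that name wins, and current-context is taken from the first
    file that sets one (the documented kubectl merge rules)."""
    merged = {"clusters": [], "users": [], "contexts": [], "current-context": None}
    seen = {"clusters": set(), "users": set(), "contexts": set()}
    for cfg in files:
        for section in ("clusters", "users", "contexts"):
            for entry in cfg.get(section, []):
                if entry["name"] not in seen[section]:
                    seen[section].add(entry["name"])
                    merged[section].append(entry)
        if merged["current-context"] is None and cfg.get("current-context"):
            merged["current-context"] = cfg["current-context"]
    return merged


def resolve_context(merged, name=None):
    """Return (server, user_name, namespace) for a context, defaulting to
    current-context and to namespace 'default' when the context sets none."""
    name = name or merged["current-context"]
    ctx = next(c["context"] for c in merged["contexts"] if c["name"] == name)
    cluster = next(c["cluster"] for c in merged["clusters"] if c["name"] == ctx["cluster"])
    return cluster["server"], ctx["user"], ctx.get("namespace", "default")


if __name__ == "__main__":
    merged = merge_kubeconfigs([HOME_CONFIG, PROD_CONFIG])
    print("current-context:", merged["current-context"])
    print("effective:", resolve_context(merged))
    print("prod context:", resolve_context(merged, "prod"))
```

The point for the exam tip "always verify context/namespace first": with both files on KUBECONFIG the effective identity is still `alice` in `team-a` on the dev cluster, because the first file's current-context wins, even though the second file names a different one.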
RBAC primitives
| Primitive | Scope |
|---|---|
| Role | Namespace |
| RoleBinding | Namespace |
| ClusterRole | Cluster |
| ClusterRoleBinding | Cluster |
- Subject: user, group, ServiceAccount
- Verb: get, list, watch, create, update, patch, delete
- Core resources: apiGroups: [""]; Deployments: apiGroups: [apps]
Built-in ClusterRoles
- cluster-admin: all namespaces
- admin: full NS access incl. RBAC
- edit: read/write NS (no RBAC objects)
- view: read-only (no Secrets)
Create RBAC
```shell
kubectl create role read-only --verb=list,get,watch --resource=pods,services
kubectl create rolebinding read-only-binding --role=read-only --user=bmuschko
kubectl create clusterrole ... / kubectl create clusterrolebinding ...
kubectl auth can-i list pods --as=system:serviceaccount:default:my-sa
kubectl auth can-i create deployments --namespace=dev
```
ServiceAccount pattern
```shell
kubectl create sa app-sa -n prod
kubectl create role app-reader --verb=get,list --resource=pods -n prod
kubectl create rolebinding app-reader-binding \
  --role=app-reader \
  --serviceaccount=prod:app-sa \
  -n prod
kubectl auth can-i get pods --as=system:serviceaccount:prod:app-sa -n prod
kubectl auth can-i delete pods --as=system:serviceaccount:prod:app-sa -n prod
```
RBAC decision table
| Need | Use |
|---|---|
| Resource access in one namespace | Role + RoleBinding |
| Multiple resource types in one namespace | Role with multiple rules |
| Same resource access across all namespaces | ClusterRole + ClusterRoleBinding |
| Bind cluster role into one namespace only | ClusterRole + RoleBinding |
Special resources
| Capability | Resource |
|---|---|
| Pod logs | pods/log |
| Pod exec | pods/exec |
| Port-forward | pods/portforward |
| Deployments | deployments with apiGroups: [apps] |
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-only
rules:
  - apiGroups: [""]
    resources: [pods, services]
    verbs: [list, get, watch]
  - apiGroups: [apps]
    resources: [deployments]
    verbs: [list, get, watch]
```
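The decision table and the special-resources table together, as an added example (not the cheat sheet's own code and not the real API server authorizer): a small evaluator that applies Role/RoleBinding, ClusterRole+ClusterRoleBinding and ClusterRole+RoleBinding the way `kubectl auth can-i` would answer. All RBAC objects are constructed inline as dicts in the same shape as the YAML they would be applied from; the `read-only` Role is the one above, while `log-reader`, `node-viewer`, their bindings and the subjects are made up for the illustration. It also shows why a rule for `pods` does not cover `pods/log`, why Deployments need the `apps` group, and what the `--as` identity string for a ServiceAccount looks like.

```python
"""Minimal RBAC authorizer mirroring how Roles, ClusterRoles and their
bindings are applied. Added illustration, not the cheat sheet's own code and
not the real authorizer; every object below is constructed inline.
"""

# Constructed RBAC objects. Role/RoleBinding carry metadata.namespace;
# ClusterRole/ClusterRoleBinding do not.
OBJECTS = [
    {"kind": "Role", "metadata": {"name": "read-only", "namespace": "prod"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["list", "get", "watch"]},
         {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["list", "get", "watch"]},
     ]},
    {"kind": "RoleBinding", "metadata": {"name": "read-only-binding", "namespace": "prod"},
     "roleRef": {"kind": "Role", "name": "read-only"},
     "subjects": [{"kind": "ServiceAccount", "name": "app-sa", "namespace": "prod"}]},
    # pods/log is its own resource: a rule for "pods" does not grant it.
    {"kind": "ClusterRole", "metadata": {"name": "log-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]}]},
    # ClusterRole + RoleBinding: the ClusterRole's permissions, but only in prod.
    {"kind": "RoleBinding", "metadata": {"name": "log-reader-binding", "namespace": "prod"},
     "roleRef": {"kind": "ClusterRole", "name": "log-reader"},
     "subjects": [{"kind": "User", "name": "bmuschko"}]},
    # ClusterRole + ClusterRoleBinding: cluster-wide, here for a non-namespaced resource.
    {"kind": "ClusterRole", "metadata": {"name": "node-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "node-viewers"},
     "roleRef": {"kind": "ClusterRole", "name": "node-viewer"},
     "subjects": [{"kind": "Group", "name": "ops"}]},
]


def sa_identity(namespace, name):
    """The username a ServiceAccount authenticates as: the string that
    `kubectl auth can-i --as=...` expects, unlike `--serviceaccount=ns:name`."""
    return f"system:serviceaccount:{namespace}:{name}"


def _subject_matches(subject, user, groups):
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    if subject["kind"] == "ServiceAccount":
        return sa_identity(subject["namespace"], subject["name"]) == user
    return False


def _resource_matches(rule_resource, resource):
    # "*" matches everything, otherwise the match is exact, and "*/<sub>"
    # matches that subresource on any parent resource.
    if rule_resource == "*" or rule_resource == resource:
        return True
    if "/" in resource:
        return rule_resource == "*/" + resource.split("/", 1)[1]
    return False


def _rule_allows(rule, verb, api_group, resource):
    return (any(g in ("*", api_group) for g in rule["apiGroups"])
            and any(_resource_matches(r, resource) for r in rule["resources"])
            and any(v in ("*", verb) for v in rule["verbs"]))


def can_i(objects, verb, resource, user, groups=(), namespace="", api_group=""):
    """True if any binding visible in `namespace` grants `verb` on `resource`.
    Use namespace="" for cluster-scoped resources such as nodes."""
    roles = {(o["kind"], o["metadata"].get("namespace", ""), o["metadata"]["name"]): o["rules"]
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    for b in objects:
        if b["kind"] == "RoleBinding":
            if b["metadata"]["namespace"] != namespace:
                continue  # a RoleBinding only applies inside its own namespace
            ref_ns = namespace if b["roleRef"]["kind"] == "Role" else ""
        elif b["kind"] == "ClusterRoleBinding":
            ref_ns = ""  # must reference a ClusterRole; applies everywhere
        else:
            continue
        if not any(_subject_matches(s, user, groups) for s in b["subjects"]):
            continue
        rules = roles.get((b["roleRef"]["kind"], ref_ns, b["roleRef"]["name"]), [])
        if any(_rule_allows(r, verb, api_group, resource) for r in rules):
            return True
    return False


if __name__ == "__main__":
    sa = sa_identity("prod", "app-sa")
    print("app-sa get pods in prod:", can_i(OBJECTS, "get", "pods", sa, namespace="prod"))
    print("app-sa get pods in dev: ", can_i(OBJECTS, "get", "pods", sa, namespace="dev"))
    print("app-sa get pods/log:    ", can_i(OBJECTS, "get", "pods/log", sa, namespace="prod"))
    print("bmuschko get pods/log:  ", can_i(OBJECTS, "get", "pods/log", "bmuschko", namespace="prod"))
```

Reading the results against the tables: `app-sa` can get pods in prod but not in dev (Role + RoleBinding stay in one namespace), cannot read `pods/log` at all (a separate resource), and can get Deployments only when the request carries the `apps` group; `bmuschko` reads logs in prod only (ClusterRole + RoleBinding), while group `ops` lists nodes everywhere (ClusterRole + ClusterRoleBinding).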
ServiceAccounts
- Auto-created per namespace (default in default)
- Pod: spec.serviceAccountName (defaults to default)
- Token mounted at /var/run/secrets/kubernetes.io/serviceaccount/token
- automountServiceAccountToken: false to disable

```shell
kubectl create serviceaccount my-sa
# edit is a built-in ClusterRole, so the binding must reference it with --clusterrole, not --role
kubectl create rolebinding sa-binding --clusterrole=edit --serviceaccount=default:my-sa
```
Debug permission denied
```shell
kubectl get sa <sa> -n <ns>
kubectl get rolebinding -n <ns> -o wide
kubectl describe rolebinding <binding> -n <ns>
kubectl get role <role> -n <ns> -o yaml
kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<ns>:<sa> -n <ns>
```
Admission control
- Validating: reject bad requests (policy, quotas)
- Mutating: modify request (e.g. inject sidecar)
- Examples: NamespaceLifecycle, ResourceQuota, PodSecurity
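What the two admission flavours return to the API server, as an added example (not from the cheat sheet): a validating response that rejects a Pod, and a mutating response that injects a sidecar via a JSON Patch, both in the `admission.k8s.io/v1` AdmissionReview shape a webhook responds with. The incoming request, the policy (every container must set resource limits) and the sidecar image are constructed for the illustration.

```python
"""Build AdmissionReview responses the way a validating or mutating webhook
would. Added illustration, not from the cheat sheet; the incoming request is
a constructed AdmissionReview for a Pod, and the policy is an assumed example.
"""
import base64
import json

# Constructed AdmissionReview request, as the API server would POST it.
REQUEST = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "11111111-2222-3333-4444-555555555555",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "namespace": "prod",
        "operation": "CREATE",
        "object": {
            "apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "web", "namespace": "prod"},
            "spec": {"containers": [{"name": "web", "image": "example/web:1.0"}]},
        },
    },
}


def _review(uid, allowed, message=None, patch_ops=None):
    """Wrap a decision in the AdmissionReview envelope; the uid must echo the request."""
    response = {"uid": uid, "allowed": allowed}
    if message:
        response["status"] = {"message": message}
    if patch_ops:
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(json.dumps(patch_ops).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def validate(review):
    """Validating webhook: reject Pods whose containers lack resource limits."""
    req = review["request"]
    missing = [c["name"] for c in req["object"]["spec"].get("containers", [])
               if "limits" not in c.get("resources", {})]
    if missing:
        return _review(req["uid"], False, f"containers without resource limits: {', '.join(missing)}")
    return _review(req["uid"], True)


def mutate(review):
    """Mutating webhook: append a sidecar container through a JSON Patch."""
    req = review["request"]
    sidecar = {"name": "log-shipper", "image": "example/log-shipper:1.0"}
    return _review(req["uid"], True,
                   patch_ops=[{"op": "add", "path": "/spec/containers/-", "value": sidecar}])


def decode_patch(review_response):
    """Undo the base64 wrapping so the patch operations can be inspected."""
    return json.loads(base64.b64decode(review_response["response"]["patch"]))


if __name__ == "__main__":
    print(json.dumps(validate(REQUEST), indent=2))
    print(decode_patch(mutate(REQUEST)))
```

The request-pipeline order at the top of the page is why the mutating step runs before the validating one: a validating webhook sees the object after sidecar injection, so the injected container must itself satisfy the limits policy or the Pod is rejected.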
Failures
| Symptom | Cause |
|---|---|
| API denied | SA missing RoleBinding / wrong verbs |
Exam tips
- Deployments need a separate rule with apiGroups: [apps]
- RoleBinding references Role name in same namespace
- ClusterRoleBinding for cluster-wide or non-namespaced resources
- Exam: always verify context/namespace first
- Debug: kubectl auth can-i get pods (add --as=system:serviceaccount:ns:sa)
- Create SA before binding it; a RoleBinding can reference a non-existent SA and still create
- --serviceaccount=<ns>:<name> is not the same as the --as identity string