Saturday, November 09, 2019

How to Segregate Applications in a Kubernetes Cluster without Handing Out the Cluster-Admin Role

Requirement:

In the enterprise world we often have several applications running on the same Kubernetes cluster. Each application owner wants to operate on his own application without interfering with the others. For security reasons we do not want to grant cluster-admin to application owners; at the same time, each owner should have full privileges within the scope of his own application.

This post is written for Oracle DBAs who want to understand how Kubernetes RBAC works. The two systems have very similar RBAC concepts:

Oracle Database                                          | Kubernetes
---------------------------------------------------------|---------------------------------------------------------
dba role                                                 | cluster-admin role
grant dba role                                           | grant cluster-admin role
create apps-user role to access tablespace example only  | create apps-user role to access namespace example only
create apps-user                                         | create apps-user or service account
grant apps-user role to apps-user                        | role-binding apps-user role to apps-user
apps-users work happily in tablespace example            | apps-users work happily in namespace example

Solution:

  • Create a namespace for each application:
kubectl create namespace test-apps-ns
  • The cluster admin creates a Role, a ServiceAccount and a RoleBinding for each application. Below is an example YAML file (the Role is namespace-scoped, so the wildcards below only cover resources inside test-apps-ns):
# Role: all verbs on all resources in all API groups, but only inside test-apps-ns
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: test-apps-ns
  name: test-role
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
# ServiceAccount that the application owner will use (token issued for this account)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: oke-test-user
  namespace: test-apps-ns
---
# RoleBinding: attach test-role to the service account, again only within test-apps-ns
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: test-apps-ns
  name: test-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: test-role
subjects:
- kind: ServiceAccount
  name: oke-test-user
  namespace: test-apps-ns
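To see why this manifest confines the application owner to one namespace, the following added example (not code from the original post, and not the real Kubernetes authorizer) models the namespaced Role/RoleBinding decision path in plain Python. The Role and RoleBinding from the manifest above are transcribed as dicts; the list of cluster-scoped resources and the request objects are constructed for the demo, and ClusterRole/ClusterRoleBinding are deliberately left out to show what the manifest does not grant.

```python
"""Offline model of how Kubernetes RBAC evaluates a request against a
namespaced Role and RoleBinding. Added illustration: assumptions are marked."""
from dataclasses import dataclass
from typing import Optional

# The manifest from the post, transcribed as dicts (same names and namespace).
ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "test-apps-ns", "name": "test-role"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
ROLEBINDING = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "test-apps-ns", "name": "test-rolebinding"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "test-role"},
    "subjects": [{"kind": "ServiceAccount", "name": "oke-test-user", "namespace": "test-apps-ns"}],
}

# Constructed, partial list of resources that have no namespace. A Role can
# never grant access to these, whatever its wildcards say.
CLUSTER_SCOPED = {"nodes", "namespaces", "persistentvolumes",
                  "clusterroles", "clusterrolebindings"}


@dataclass(frozen=True)
class Request:
    user: str                   # e.g. system:serviceaccount:<ns>:<name>
    verb: str                   # get, list, create, delete, ...
    api_group: str              # "" is the core group (pods, services, ...)
    resource: str
    namespace: Optional[str]    # None for cluster-scoped requests


def _matches(patterns, value):
    """RBAC rule lists match either by wildcard or by exact entry."""
    return "*" in patterns or value in patterns


def _subject_name(subject):
    """ServiceAccounts are authenticated as system:serviceaccount:<ns>:<name>."""
    if subject["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["name"]


def _rule_allows(rule, req):
    return (_matches(rule.get("verbs", []), req.verb)
            and _matches(rule.get("apiGroups", []), req.api_group)
            and _matches(rule.get("resources", []), req.resource))


def authorize(req, roles, bindings):
    """True if a RoleBinding in the request's namespace binds the user to a
    Role whose rules match. A RoleBinding only applies to requests in its own
    namespace, so cluster-scoped resources can never be reached this way."""
    if req.namespace is None or req.resource in CLUSTER_SCOPED:
        return False
    role_index = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for rb in bindings:
        if rb["metadata"]["namespace"] != req.namespace:
            continue
        if not any(_subject_name(s) == req.user for s in rb["subjects"]):
            continue
        if rb["roleRef"]["kind"] != "Role":
            continue  # ClusterRole references are outside this demo's scope
        role = role_index.get((req.namespace, rb["roleRef"]["name"]))
        if role and any(_rule_allows(rule, req) for rule in role["rules"]):
            return True
    return False


SA = "system:serviceaccount:test-apps-ns:oke-test-user"


def demo():
    """The checks a cluster admin would want to confirm after applying the manifest."""
    roles, bindings = [ROLE], [ROLEBINDING]
    return {
        "create pods in own namespace":
            authorize(Request(SA, "create", "", "pods", "test-apps-ns"), roles, bindings),
        "delete deployments in own namespace":
            authorize(Request(SA, "delete", "apps", "deployments", "test-apps-ns"), roles, bindings),
        "get pods in another namespace":
            authorize(Request(SA, "get", "", "pods", "other-apps-ns"), roles, bindings),
        "list nodes (cluster-scoped)":
            authorize(Request(SA, "list", "", "nodes", None), roles, bindings),
        "different service account, same namespace":
            authorize(Request("system:serviceaccount:test-apps-ns:someone-else",
                              "get", "", "pods", "test-apps-ns"), roles, bindings),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{'yes' if allowed else 'no':>3}  {name}")
```

Against a real cluster the equivalent check is `kubectl auth can-i create pods -n test-apps-ns --as system:serviceaccount:test-apps-ns:oke-test-user` (expected `yes`) and `kubectl auth can-i list nodes --as system:serviceaccount:test-apps-ns:oke-test-user` (expected `no`). Note that the wildcard verbs still let the account create any workload inside its namespace, including pods with host mounts or privileged containers, so pair this RBAC setup with Pod Security admission or an equivalent admission control if that matters in your cluster.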
