Slides for 20241113

Author: nicholasdille

120_kubernetes/rbac/aggregation.runme.md

@@ -0,0 +1,69 @@
+# Aggregated ClusterRoles
+
+Inspect individual ClusterRoles
+
+```sh
+kubectl get clusterrole -l rbac.authorization.k8s.io/aggregate-to-view=true
+```
+
+Create first ClusterRole
+
+```sh
+cat <<EOF | kubectl apply -f -
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: monitoring-endpoints
+  labels:
+    aggregate-to-monitoring: "true"
+rules:
+- apiGroups: [""]
+  resources: ["services", "endpointslices", "pods"]
+  verbs: ["get", "list", "watch"]
+EOF
+```
+
+Create second ClusterRole
+
+```sh
+cat <<EOF | kubectl apply -f -
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: monitoring-deployments
+  labels:
+    aggregate-to-monitoring: "true"
+rules:
+- apiGroups: ["apps"]
+  resources: ["deployments"]
+  verbs: ["get", "list", "watch"]
+EOF
+```
+
+Display new ClusterRoles
+
+```sh
+kubectl get clusterrole -l aggregate-to-monitoring=true
+```
+
+Create receiving ClusterRole
+
+```sh
+cat <<EOF | kubectl apply -f -
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: monitoring
+aggregationRule:
+  clusterRoleSelectors:
+  - matchLabels:
+      aggregate-to-monitoring: "true"
+rules: []
+EOF
+```
+
+Show aggregated ClusterRole
+
+```sh
+kubectl get clusterrole monitoring -o yaml
+```

120_kubernetes/rbac/author.md

@@ -18,6 +18,36 @@ Find supported resources:
 kubectl api-resources
 ```
 
+--
+
+```plaintext
+NAME                      APIVERSION                    NAMESPACED  KIND
+configmaps                v1                            true        ConfigMap
+endpoints                 v1                            true        Endpoints
+namespaces                v1                            false       Namespace
+nodes                     v1                            false       Node
+persistentvolumeclaims    v1                            true        PersistentVolumeClaim
+persistentvolumes         v1                            false       PersistentVolume
+pods                      v1                            true        Pod
+secrets                   v1                            true        Secret
+serviceaccounts           v1                            true        ServiceAccount
+services                  v1                            true        Service
+daemonsets                apps/v1                       true        DaemonSet
+deployments               apps/v1                       true        Deployment
+replicasets               apps/v1                       true        ReplicaSet
+statefulsets              apps/v1                       true        StatefulSet
+horizontalpodautoscalers  autoscaling/v2                true        HorizontalPodAutoscaler
+cronjobs                  batch/v1                      true        CronJob
+jobs                      batch/v1                      true        Job
+endpointslices            discovery.k8s.io/v1           true        EndpointSlice
+ingresses                 networking.k8s.io/v1          true        Ingress
+poddisruptionbudgets      policy/v1                     true        PodDisruptionBudget
+clusterrolebindings       rbac.authorization.k8s.io/v1  false       ClusterRoleBinding
+clusterroles              rbac.authorization.k8s.io/v1  false       ClusterRole
+rolebindings              rbac.authorization.k8s.io/v1  true        RoleBinding
+roles                     rbac.authorization.k8s.io/v1  true        Role
+```
+
 ---
 
 ## How to write roles 2/
@@ -42,6 +72,20 @@ Find supported verbs for resources:
 kubectl api-resources --output wide
 ```
 
+--
+
+```plaintext
+NAME               ...  VERBS
+bindings           ...  create
+componentstatuses  ...  get,list
+configmaps         ...  create,delete,deletecollection,get,list,patch,update,watch
+endpoints          ...  create,delete,deletecollection,get,list,patch,update,watch
+events             ...  create,delete,deletecollection,get,list,patch,update,watch
+limitranges        ...  create,delete,deletecollection,get,list,patch,update,watch
+namespaces         ...  create,delete,get,list,patch,update,watch
+nodes              ...  create,delete,deletecollection,get,list,patch,update,watch
+```
+
 ---
 
 ## How to write roles 3/3
@@ -59,14 +103,41 @@ kubectl api-resources --output wide
 Some resources have subresources, e.g. `pods/portforward`
 
 ```bash
-kubectl get --raw / | jq -r '.paths[]' | grep "^/apis/" 
+kubectl get --raw / | jq -r '.paths[]' | grep -E "^/apis?/" \
 | while read -r API; do
     echo "=== ${API}"
     kubectl get --raw "${API}" \
     | jq -r 'select(.resources != null) | .resources[].name'
 done
 ```
 
+--
+
+```plaintext
+=== /api/v1
+namespaces/finalize
+namespaces/status
+nodes/proxy
+nodes/status
+persistentvolumeclaims/status
+persistentvolumes/status
+pods/attach
+pods/binding
+pods/ephemeralcontainers
+pods/eviction
+pods/exec
+pods/log
+pods/portforward
+pods/proxy
+pods/status
+replicationcontrollers/scale
+replicationcontrollers/status
+resourcequotas/status
+serviceaccounts/token
+services/proxy
+services/status
+```
+
 ---
 
 ## How to specify subjects
@@ -87,6 +158,8 @@ Authentication backends can add users and groups
 
 Certificate authentication maps to users
 
+OIDC maps to users and groups
+
 ---
 
 ## How to specify resource names

120_kubernetes/rbac/impersonation.runme.md

@@ -2,7 +2,7 @@
 
 Deploy namespace
 
-```shell
+```sh
 cat <<EOF | kubectl apply -f -
 apiVersion: v1
 kind: Namespace
@@ -13,7 +13,7 @@ EOF
 
 Deploy namespace admin
 
-```shell
+```sh
 cat <<EOF | kubectl apply -f -
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -43,9 +43,9 @@ subjects:
 EOF
 ```
 
-Deploy namespace reader
+Deploy service account in namespace
 
-```shell
+```sh
 cat <<EOF | kubectl apply -f -
 apiVersion: v1
 kind: ServiceAccount
@@ -61,7 +61,14 @@ metadata:
   annotations:
     kubernetes.io/service-account.name: reader
 type: kubernetes.io/service-account-token
----
+EOF
+
+```
+
+Deploy role and rolebinding in namespace
+
+```sh
+cat <<EOF | kubectl apply -f -
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -94,7 +101,7 @@ EOF
 
 Deploy impersonation role
 
-```shell
+```sh
 cat <<EOF | kubectl apply -f -
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -125,9 +132,9 @@ subjects:
 EOF
 ```
 
-Create new user in kubeconfig
+Create user in kubeconfig
 
-```shell
+```sh
 TOKEN="$(
     kubectl -n test get secrets reader --output json \
     | jq --raw-output '.data.token' \
@@ -137,50 +144,50 @@ kubectl config set-credentials test-reader --token=${TOKEN}
 kubectl config set-context kind-test --user=test-reader --cluster=kind-kind
 ```
 
-Switch context
+Switch namespace
 
-```shell
+```sh
 kubectl config use-context kind-test
 ```
 
 Show permissions in namespace test
 
-```shell
+```sh
 kubectl auth can-i --list --namespace test
 ```
 
 Succeed to access to namespace test
 
-```shell
+```sh
 kubectl -n test get all
 ```
 
 Fail to access namespace default
 
-```shell
+```sh
 kubectl -n default get all
 ```
 
 Fail to run pod in namespace test
 
-```shell
+```sh
 kubectl -n test run -it --image=alpine --command -- sh
 ```
 
 Run pod in namespace test using impersonation
 
-```shell
+```sh
 kubectl -n test run -it --image=alpine --command --as=test-admin -- sh
 ```
 
 Fail to remove pod
 
-```shell
+```sh
 kubectl -n test delete pod sh
 ```
 
 Remove pod using impersonation
 
-```shell
+```sh
 kubectl -n test delete pod sh --as=test-admin
 ```