{"pageProps":{"article":{"slug":"how-to-grant-access-to-the-kubernetes-api","title":"How to Grant Access to the Kubernetes API","description":"Learn how to Grant Access to the Kubernetes API.","content":"\nBy default, no access to the Kubernetes API is granted to applications running in the cluster. We therefore have to explicitly allow access to the parts of the API that our applications need.\n\nKubernetes includes a built-in role-based access control (RBAC) mechanism that lets you configure specific sets of permissions defining how a given user (or group of users) can interact with any Kubernetes object in a specific Namespace of your cluster.\n\nThe RBAC API declares four kinds of Kubernetes object: Role, ClusterRole, RoleBinding and ClusterRoleBinding. In this article, I'll focus on Role and RoleBinding.\n\n# How can we grant access to the Kubernetes API?\n\nKubernetes provides two resources that control access to the API:\n\n* Role: specifies what access is granted (a set of permissions). When we create a Role, we need to specify the Namespace it belongs to.\n* RoleBinding: specifies who the Role applies to (links a Role to subjects). 
\n\n# Create a Role\n\nHere is a YAML configuration file you can use to create a `Role` that lets us list the pods of a Namespace and get information on a particular pod:\n\n```yaml\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n  name: my-role\n  namespace: my-namespace\n  labels:\n    app: my-rbac-app\nrules:\n- apiGroups: [\"\"] # \"\" indicates the core API group\n  resources: [\"pods\"]\n  verbs: [\"get\", \"list\"] # verbs allowed on that resource\n```\n\nA Role in isolation doesn't do anything until we bind it with a RoleBinding, so let's do that in the next step.\n\n# Create a RoleBinding\n\nHere is a YAML configuration file you can use to create a `RoleBinding` that gives this Role (\"my-role\") to all service accounts in the \"my-namespace\" Namespace, meaning that all pods running there under any of those service accounts will have access to these APIs:\n\n```yaml\napiVersion: rbac.authorization.k8s.io/v1\n# This role binding allows every service account of \"my-namespace\" to read pods in that namespace.\n# You need to already have a Role named \"my-role\" in that namespace.\nkind: RoleBinding\nmetadata:\n  name: my-rolebinding\n  namespace: my-namespace\n  labels:\n    app: my-rbac-app\nsubjects:\n# You can specify more than one \"subject\"\n- kind: Group\n  name: system:serviceaccounts:my-namespace # \"name\" is case sensitive; this built-in group contains every service account of that namespace\n  apiGroup: rbac.authorization.k8s.io\nroleRef:\n  # \"roleRef\" specifies the binding to a Role\n  kind: Role # this must be Role\n  name: my-role # this must match the name of the Role you wish to bind to\n  apiGroup: rbac.authorization.k8s.io # roleRef.apiGroup must be the RBAC API group\n```\n\n# Create a Service Account\n\nThe best practice in security is to give as few permissions as possible. Kubernetes recommends granting a Role to an application-specific service account instead. 
This requires the application to specify a `serviceAccountName` in its pod spec, and the service account must exist.\n\nHere is a YAML configuration file you can use to create a basic `ServiceAccount`:\n\n```yaml\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: my-service-account\n  namespace: my-namespace\n  labels:\n    app: my-rbac-app\n```\n\nWe can start a pod with a `ServiceAccount` by adding it to the pod's spec definition:\n\n```yaml\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: my-deployment\n  namespace: my-namespace\n  labels:\n    app: my-app\n    rbac: my-service-account\nspec:\n  replicas: 1\n  selector:\n    matchLabels:\n      app: my-app\n      namespace: my-namespace\n      rbac: my-service-account\n  template:\n    metadata:\n      labels:\n        app: my-app\n        namespace: my-namespace\n        rbac: my-service-account\n    spec:\n      serviceAccountName: my-service-account\n      containers:\n      - name: my-container\n        image: nginx:1.7.9\n```\n\nIn the pod spec you can see `serviceAccountName: my-service-account`. 
The pod will run as this `ServiceAccount`, and all containers started from it will be running under that `ServiceAccount`. Note that the RoleBinding above targets a whole group of service accounts rather than only this one; to restrict the permissions to this application, change the RoleBinding's subject to `kind: ServiceAccount`, `name: my-service-account`, `namespace: my-namespace` (a ServiceAccount subject takes no `apiGroup`).\n\nThe last step is to apply all the YAML files:\n\n```bash\n$ kubectl apply -f my-role.yaml -f my-rolebinding.yaml -f my-serviceaccount.yaml -f my-deployment.yaml -n my-namespace\n```\n\nFor more information related to RBAC Authorization, please check the [Kubernetes documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/).\n","type":"article","tags":["code","kubernetes","k8s","access"],"publishedAt":"2020-05-09T14:46:10.915Z","image":"/contents/article/how-to-grant-access-to-k8s-api.png?v1","updatedAt":null,"readingTime":{"text":"3 min read","minutes":2.89,"time":173400,"words":578},"data":{"title":"How to Grant Access to the Kubernetes API","description":"Learn how to Grant Access to the Kubernetes API.","tags":["code","kubernetes","k8s","access"],"image":"/contents/article/how-to-grant-access-to-k8s-api.png?v1","publishedAt":"2020-05-09T14:46:10.915Z","updatedAt":null,"type":"article"}},"next":{"slug":"how-to-use-secrets-in-kubernetes","title":"How to Use Secrets in Kubernetes","description":"Learn how to use Secrets in Kubernetes with some examples.","content":"\nKubernetes Secrets let you store and manage sensitive information such as passwords, OAuth tokens, SSH keys, etc.\n\nWith this article, you'll learn how to use them easily.\n\n# What is a Secret in Kubernetes?\n\nA Secret is an object that contains sensitive information such as passwords, keys or tokens.\n\nTo use it, a Pod needs to reference it:\n* As files in a volume mounted on one or more of its containers.\n* As environment variables in one or more of its containers.\n* By the `kubelet` when pulling images for the Pod.\n\n# Optimal way to create and mount a Secret\n\nFor me, the easiest way to use Secrets is to define them in YAML and reference them using `envFrom`/`secretRef`.\n\n1. 
Here is a YAML configuration file you can use to create a Secret that holds a username and a password (my-secret.yaml). Plain-text values go under `stringData`; the `data` field only accepts base64-encoded values:\n\n```yaml\napiVersion: v1\nkind: Secret\nmetadata:\n  name: my-secret\nstringData:\n  username: my-username\n  password: vdg7JbgkdnRnN03e\n```\n\nKeep in mind that Kubernetes only base64-encodes these values when storing them: anyone allowed to read the Secret object can recover them, so restrict read access to Secrets with RBAC.\n\n2. Reference the Secret (my-secret-pod.yaml):\n\n```yaml\nkind: Pod\napiVersion: v1\nmetadata:\n  name: my-secret-pod\n  namespace: my-namespace\nspec:\n  containers:\n  - name: my-container\n    image: nginx:1.7.9\n    envFrom:\n    - secretRef:\n        name: my-secret\n```\n\n3. Then you just need to create the Secret and the Pod:\n\n```bash\n$ kubectl apply -f my-secret.yaml -f my-secret-pod.yaml -n my-namespace\n```\n\nFor more information related to Secrets, please check the [Kubernetes documentation](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/).\n","type":"article","tags":["code","kubernetes","k8s","secret"],"publishedAt":"2020-04-18T10:10:10.915Z","image":null,"updatedAt":"2020-04-18T11:27:10.915Z","readingTime":{"text":"1 min read","minutes":0.99,"time":59400,"words":198},"data":{"title":"How to Use Secrets in Kubernetes","description":"Learn how to use Secrets in Kubernetes with some examples.","tags":["code","kubernetes","k8s","secret"],"publishedAt":"2020-04-18T10:10:10.915Z","updatedAt":"2020-04-18T11:27:10.915Z","type":"article"}}},"__N_SSG":true}