kubernetesibm-cloud-privatekubernetes-security

Problems with simple RBAC example


I want to make a very simple example to learn how to use RBAC authorization in kubernetes. Therefore I use the example from the docs:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: dev-readpods-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-tester-rolebinding
  namespace: dev
subjects:
- kind: User
  name: Tester
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev-readpods-role
  apiGroup: rbac.authorization.k8s.io

The role and the rolebinding are created.

When I log in with Tester and try

kubectl get pods -n dev

I get

Error from server (Forbidden): pods is forbidden: User "<url>:<port>/oidc/endpoint/OP#Tester" cannot list pods in the namespace "dev"

I read here (RBAC Error in Kubernetes) that the api-server have to be started with --authorization-mode=…,RBAC. How can I check this? I read somewhere else that if I run

kubectl api-versions | findstr rbac

and find entries RBAC should be activated. Is that true?

What am I doing wrong? Is there a good way to troubleshoot?

Thanks!

P.S. I'm running kubernetes inside IBM Cloud Private.


Solution

  • In ICP, it looks encouraging to use Teams (ICP's own term, I think). Try starting with it. But you need an LDAP server outside of ICP. https://www.ibm.com/support/knowledgecenter/en/SSBS6K_2.1.0.3/user_management/admin.html