kuberneteskubectlkubernetes-security

Unable to create deployment in a namespace with service account, ClusterRole and ClusterRolebinding created

I was getting my hands dirty practicing the Security k8s. This was a practice question I came across to solve. Question: Create serviceaccount 'john' with permissions to create delete get deployments, statefulsets, daemonsets in a given namespace 'hr' Create clusterrole and clusterrolebindings required.

Approach: Have tried creating sa and clusterrole and clusterrolebinding (binded the clusterrole with the sa created) But when I checked it is giving a 'no'

kubectl auth can-i create deploy --as john -n hr

no

To create sa:

kubectl create sa john

To create clusterrole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: hrcrole
rules:
- apiGroups: ["apps"]
  #
  # at the HTTP level, the name of the resource for accessing Secret
  # objects is "secrets"
  resources: ["deployments", "statefulsets", "daemonsets"]
  verbs: ["get", "watch", "list", "delete"]

To create clusterrolebinding:

apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
kind: ClusterRoleBinding
metadata:
  name: hrcrolebind
subjects:
- kind: User
  name: hruser # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: hrcrole
  apiGroup: rbac.authorization.k8s.io

I have also tried creating serviceaccount in the namespace, creating clusterrolebinding in namespace but still I get no. Unfortunately I don't have a solution for this problem. Appreciate any help here.

Solution

  • You are trying to create a deployment:

    kubectl auth can-i create deploy --as john -n hr

    But you don't have the create verb allowed in the cluster role:

    verbs: ["get", "watch", "list", "delete"]

    Try recreating the cluster role like this:

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: hrcrole
rules:
- apiGroups: ["apps"]
  #
  # at the HTTP level, the name of the resource for accessing Secret
  # objects is "secrets"
  resources: ["deployments", "statefulsets", "daemonsets"]
  verbs: ["create", "get", "watch", "list", "delete"]