I am really liking Kubernetes RBAC. It is “fairly” simple to use and so powerful.
For example, a user told me he couldn't port forward to a port and pasted me the error:
error: error upgrading connection: pods "selenium-node-firefox-debug-mtw7r" is forbidden: User "john" cannot create pods/portforward in the namespace "app1"
This basically told me all that I needed: it states that the user cannot perform the action (create) on the resource (pods/portforward).
I do think the “action” (create) and the “resource” (pods/portforward) should be highlighted somehow in the error message to make it even clearer.
So I added this to his role:
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: spinnaker
  name: kube-saas:list-and-logs
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log", "pods/portforward"]
  verbs: ["get", "list", "create"]
```
This solved the problem. I love it when the error tells me exactly what it is and it is so easy to express this in the role.
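As an added example (not code from the post), here is the matching the error describes, worked in Python: it pulls the verb and resource out of the quoted error and checks them against the Role's rules the way RBAC does, including the fact that "pods" alone never covers the "pods/portforward" subresource. The pre-fix Role is assumed to have held only get/list on pods and pods/log, as its name suggests.

```python
import re

# Constructed example, not the post's tooling: parse the quoted "forbidden" error
# and check it against a Role's rules the way RBAC matches verbs and resources.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) (?P<resource>[\w./-]+)'
    r' in the namespace "(?P<namespace>[^"]+)"')

def parse_forbidden(msg: str) -> dict:
    """Extract user, verb, resource and namespace from an RBAC forbidden error."""
    m = FORBIDDEN_RE.search(msg)
    if m is None:
        raise ValueError("not an RBAC 'forbidden' message")
    return m.groupdict()

def rule_matches(rule: dict, verb: str, resource: str, api_group: str = "") -> bool:
    """One PolicyRule allows the request only if group, verb and resource all match.
    Resources match on the full name: "pods" does not cover "pods/portforward";
    "*" matches anything and "*/<sub>" matches that subresource of any resource."""
    groups, verbs, resources = (rule.get(k, []) for k in ("apiGroups", "verbs", "resources"))
    if api_group not in groups and "*" not in groups:
        return False
    if verb not in verbs and "*" not in verbs:
        return False
    if resource in resources or "*" in resources:
        return True
    return "/" in resource and f"*/{resource.split('/', 1)[1]}" in resources

def role_allows(role: dict, verb: str, resource: str, api_group: str = "") -> bool:
    """RBAC is purely additive: any single matching rule grants the request."""
    return any(rule_matches(r, verb, resource, api_group) for r in role.get("rules", []))

# The error from the post, plus the Role before (assumed: get/list on pods and
# pods/log, matching its name) and after the fix, as dicts so no YAML parser is needed.
ERROR = ('error: error upgrading connection: pods "selenium-node-firefox-debug-mtw7r" '
         'is forbidden: User "john" cannot create pods/portforward in the namespace "app1"')
BEFORE = {"rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                     "verbs": ["get", "list"]}]}
AFTER = {"rules": [{"apiGroups": [""], "resources": ["pods", "pods/log", "pods/portforward"],
                    "verbs": ["get", "list", "create"]}]}

def check(role: dict, msg: str = ERROR) -> bool:
    """Would this Role have allowed the request the error message complains about?"""
    req = parse_forbidden(msg)
    return role_allows(role, req["verb"], req["resource"])

if __name__ == "__main__":
    print("before:", check(BEFORE), "after:", check(AFTER))  # before: False after: True
```

A Role grants nothing until a RoleBinding ties it to the user, so after applying both, `kubectl auth can-i create pods/portforward --as john -n app1` confirms the result against the live cluster.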