Question 24: RBAC Implementation

Problem Statement

Solve this question on: ssh cks3477

You're asked to implement some RBAC for user gianna:

  1. Confirm or restrict existing cluster-level RBAC resources to ensure user gianna can never read Secret contents cluster-wide
  2. Create additional RBAC resources to allow user gianna to create Pods and Deployments in Namespaces security, restricted and internal

To test your RBAC you can:

  • Switch to the other context with: k config use-context gianna@infra-prod
  • Switch back to the default context with: k config use-context kubernetes-admin@kubernetes

Solution

Step 1: Check Existing RBAC Rules

First, let's examine the existing RBAC resources for user gianna: 

➜ ssh cks3477

➜ candidate@cks3477:~# k get clusterrolebinding -oyaml | grep gianna -A10 -B20

We find the binding is named 'gianna'. Let's examine it:

➜ candidate@cks3477:~# k edit clusterrolebinding gianna
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gianna
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gianna
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: gianna

Let's check the associated ClusterRole:

➜ candidate@cks3477:~# k edit clusterrole gianna
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gianna
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  - pods
  - namespaces
  verbs:
  - list

Test the current permissions:

➜ candidate@cks3477:~# k auth can-i list secrets --as gianna
yes

➜ candidate@cks3477:~# k auth can-i get secrets --as gianna
no

However, we discover that listing secrets can expose their contents: 

➜ candidate@cks3477:~# k config use-context gianna@infra-prod
➜ candidate@cks3477:~# k -n security get secrets -oyaml | grep password
    password: ekhHYW5lQUVTaVVxCg==
    password: bWdFVlBSdEpEWHBFCg==
Step 2: Restrict Secret Access

Remove the ability to list secrets from the ClusterRole:

➜ candidate@cks3477:~# k config use-context kubernetes-admin@kubernetes
➜ candidate@cks3477:~# k edit clusterrole gianna
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gianna
rules:
- apiGroups:
  - ""
  resources:
  #- secrets         # REMOVED
  - configmaps
  - pods
  - namespaces
  verbs:
  - list

Verify the changes:

➜ candidate@cks3477:~# k auth can-i list secrets --as gianna
no

➜ candidate@cks3477:~# k auth can-i get secrets --as gianna
no
Step 3: Create Additional RBAC Rules

Create a new ClusterRole for Pod and Deployment creation:

➜ candidate@cks3477:~# k create clusterrole gianna-additional --verb=create --resource=pods --resource=deployments
clusterrole.rbac.authorization.k8s.io/gianna-additional created

Create RoleBindings in each namespace:

➜ candidate@cks3477:~# k -n security create rolebinding gianna-additional \
--clusterrole=gianna-additional --user=gianna

➜ candidate@cks3477:~# k -n restricted create rolebinding gianna-additional \
--clusterrole=gianna-additional --user=gianna

➜ candidate@cks3477:~# k -n internal create rolebinding gianna-additional \
--clusterrole=gianna-additional --user=gianna
Step 4: Verify New Permissions

Test the new permissions:

➜ candidate@cks3477:~# k -n default auth can-i create pods --as gianna
no

➜ candidate@cks3477:~# k -n security auth can-i create pods --as gianna
yes

➜ candidate@cks3477:~# k -n restricted auth can-i create pods --as gianna
yes

➜ candidate@cks3477:~# k -n internal auth can-i create pods --as gianna
yes
Summary of changes:
  • Removed secret listing permission to prevent content exposure
  • Created new ClusterRole for Pod and Deployment creation
  • Created RoleBindings in three namespaces
  • Verified permissions are correctly applied
Security Note: When implementing RBAC, always follow the principle of least privilege. Be especially careful with permissions that might indirectly expose sensitive information, such as listing resources that contain secrets.
Back to Questions List