5. Securing Kube-APIServer: RBAC


We can use

 kubectl auth reconcile -f "filename.yaml"

to create missing RBAC objects (roles and bindings) and the namespaces they need. It does not create ServiceAccounts.

We can also preview the changes without touching the cluster:

 kubectl auth reconcile -f "filename.yaml" --dry-run=client

--remove-extra-permissions removes permissions that exist in the live Role but not in the manifest.

--remove-extra-subjects removes subjects that exist in the live binding but not in the manifest.

The kubectl auth reconcile command ignores any resources that are not Role, RoleBinding, ClusterRole or ClusterRoleBinding objects, so you can safely run reconcile on the full set of manifests. After that, run kubectl apply for the remaining resources.

With kubectl apply, the roleRef of a RoleBinding cannot be updated; it is immutable. kubectl auth reconcile can change it, because it deletes and recreates the binding when the roleRef differs.

All the above points are applicable to ClusterRole and ClusterRoleBinding also. 

Reference: https://www.mankier.com/1/kubectl-auth-reconcile
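The reconcile-then-apply workflow described above, as an added example (not code from the original post). The manifest it writes is constructed for illustration: the Role, RoleBinding and ServiceAccount names and the rules are assumptions, and the file path is whatever you pass in. Note that the ServiceAccount in the file is exactly the kind of object reconcile skips and apply must create.

```shell
#!/bin/sh
# Added example: reconcile RBAC objects first, then apply the rest.
# All resource names below are constructed for this example.

# Write a constructed manifest to the path given as $1. It mixes RBAC objects
# (handled by reconcile) with a ServiceAccount (ignored by reconcile).
write_sample_rbac() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: simple-sa
  namespace: prod-b
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: prod-b
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: prod-b
subjects:
- kind: User
  name: dan
- kind: ServiceAccount
  name: simple-sa
  namespace: prod-b
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Step 1: show what reconcile would change, without modifying the cluster.
preview_rbac() {
  kubectl auth reconcile -f "$1" --dry-run=client
}

# Step 2: create missing namespaces/roles/bindings and recreate bindings whose
# roleRef changed. With prune=yes, also drop permissions and subjects that are
# live in the cluster but absent from the manifest.
reconcile_rbac() {
  manifest=$1
  prune=${2:-no}
  if [ "$prune" = "yes" ]; then
    kubectl auth reconcile -f "$manifest" --remove-extra-permissions --remove-extra-subjects
  else
    kubectl auth reconcile -f "$manifest"
  fi
}

# Step 3: apply the full file so the non-RBAC objects (here the ServiceAccount)
# get created; the RBAC objects already match, so apply leaves them alone.
apply_rest() {
  kubectl apply -f "$1"
}

# Full sequence. Usage: write_sample_rbac rbac.yaml && run_rbac_workflow rbac.yaml yes
run_rbac_workflow() {
  preview_rbac "$1" && reconcile_rbac "$1" "${2:-no}" && apply_rest "$1"
}
```

Run it with your kubeconfig context pointed at the target cluster. Keep the pruning flags off until the dry-run output shows that the only "extra" permissions and subjects are ones you really want removed, since they delete live grants.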

====================================

Every namespace automatically gets a ServiceAccount named "default", and a pod that does not set serviceAccountName is assigned it, whatever namespace the pod is in.

====================================

In a RoleBinding, if kind is User then the name alone is sufficient:

subjects:
- kind: User
  name: dan
If kind is ServiceAccount then both name and namespace must be specified:

subjects:
- kind: ServiceAccount
  name: simple-sa
  namespace: prod-b
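A check that each subject form above actually received the role, as an added example (not code from the original post). It builds the identity that kubectl impersonates for each subject kind and asks the API server with kubectl auth can-i. The subject names and namespace follow the snippets above; the role being verified (get pods in prod-b) is an assumption.

```shell
#!/bin/sh
# Added example: verify a RoleBinding from the subject's point of view.
# A User subject is impersonated by its bare name; a ServiceAccount subject by
# system:serviceaccount:<namespace>:<name>, which is why it needs a namespace.

subject_identity() {
  kind=$1; name=$2; ns=$3
  case "$kind" in
    User)
      printf '%s\n' "$name" ;;
    ServiceAccount)
      [ -n "$ns" ] || { echo "ServiceAccount subject requires a namespace" >&2; return 1; }
      printf 'system:serviceaccount:%s:%s\n' "$ns" "$name" ;;
    *)
      echo "unsupported subject kind: $kind" >&2; return 1 ;;
  esac
}

# Ask the API server whether the subject can perform verb on resource in
# target_ns; prints yes or no exactly as kubectl auth can-i does.
check_subject_access() {
  kind=$1; name=$2; ns=$3; verb=$4; resource=$5; target_ns=$6
  who=$(subject_identity "$kind" "$name" "$ns") || return 1
  kubectl auth can-i "$verb" "$resource" --as="$who" -n "$target_ns"
}

# Usage (names follow the post's snippets; the verb and resource are assumed):
#   check_subject_access User dan "" get pods prod-b
#   check_subject_access ServiceAccount simple-sa prod-b get pods prod-b
```

Running both checks after a reconcile confirms the binding for each subject kind without logging in as that identity; a "no" for the ServiceAccount line usually means the namespace in the subject entry does not match where the ServiceAccount actually lives.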
