Kubernetes RBAC Explained (antonputra#224)

zigster64 · Apr 8, 2024 · 2d292ce · 2d292ce
1 parent a254a63
commit 2d292ce
Show file tree

Hide file tree

Showing 36 changed files with 12,438 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
-# New Video - https://youtu.be/gqb7LmmXuyw
+# New Video - https://youtu.be/iE9Qb8dHqWI
 
-[<img src="assets/191.png?raw=true">](https://youtu.be/gqb7LmmXuyw)
+[<img src="assets/192.png?raw=true">](https://youtu.be/iE9Qb8dHqWI)
 
 # Playlists
 
@@ -20,5 +20,5 @@
 
 🎥 - [YouTube](https://www.youtube.com/c/AntonPutra)  
 💼 - [LinkedIn](https://www.linkedin.com/in/anton-putra)  
-🛠️ - [X](https://x.com/antonvputra)  
+🛠️ - [Twitter/X](https://x.com/antonvputra)  
 📨 - [email protected]  
diff --git a/assets/191.png b/assets/191.png
diff --git a/assets/192.png b/assets/192.png
diff --git a/docs/contents.md b/docs/contents.md
@@ -120,3 +120,4 @@
 - [189 - What Is a Graph Database?](../lessons/189)
 - [190 - What is a Reverse Proxy? (vs. Forward Proxy)](../lessons/190)
 - [191 - Types of Load Balancing Algorithms](../lessons/191)
+- [192 - Kubernetes RBAC Explained](../lessons/192)
diff --git a/lessons/192/1-example/pod.yaml b/lessons/192/1-example/pod.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp
+spec:
+  containers:
+    - name: myapp
+      image: aputra/myapp-192:v2
+      ports:
+        - containerPort: 8080
diff --git a/lessons/192/2-example/0-prometheuses-crd.yaml b/lessons/192/2-example/0-prometheuses-crd.yaml
diff --git a/lessons/192/2-example/1-namespace.yaml b/lessons/192/2-example/1-namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dev
diff --git a/lessons/192/2-example/2-prometheus.yaml b/lessons/192/2-example/2-prometheus.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: Prometheus
+metadata:
+  name: main
+  namespace: dev
+spec:
+  replicas: 1
+  serviceAccountName: myapp
+  serviceMonitorSelector:
+    matchLabels:
+      prometheus: main
diff --git a/lessons/192/2-example/3-service-account.yaml b/lessons/192/2-example/3-service-account.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: myapp
+  namespace: dev
diff --git a/lessons/192/2-example/4-role.yaml b/lessons/192/2-example/4-role.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: viewer
+  namespace: dev
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - pods
+    verbs:
+      - get
+      - list
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - list
+  - apiGroups:
+      - monitoring.coreos.com
+    resources:
+      - prometheuses
+      - prometheuses/status
+    verbs:
+      - get
diff --git a/lessons/192/2-example/5-role-binding.yaml b/lessons/192/2-example/5-role-binding.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: myapp-viewer
+  namespace: dev
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: viewer
+subjects:
+  - kind: ServiceAccount
+    name: myapp
+    namespace: dev
diff --git a/lessons/192/3-example/0-namespaces.yaml b/lessons/192/3-example/0-namespaces.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: staging
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: prod
diff --git a/lessons/192/3-example/1-service-account.yaml b/lessons/192/3-example/1-service-account.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: qa-sa
+  namespace: staging
diff --git a/lessons/192/3-example/2-role.yaml b/lessons/192/3-example/2-role.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: qa-role
+  namespace: staging
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - pods
+      - pods/log
+    verbs:
+      - get
+      - list
diff --git a/lessons/192/3-example/3-role-binding.yaml b/lessons/192/3-example/3-role-binding.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: qa-role-binding
+  namespace: staging
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: qa-role
+subjects:
+  - kind: ServiceAccount
+    name: qa-sa
+    namespace: staging
diff --git a/lessons/192/3-example/4-pods.yaml b/lessons/192/3-example/4-pods.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp
+  namespace: staging
+spec:
+  containers:
+    - name: myapp
+      image: aputra/myapp-192:v2
+      ports:
+        - containerPort: 8080
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp
+  namespace: prod
+spec:
+  containers:
+    - name: myapp
+      image: aputra/myapp-192:v2
+      ports:
+        - containerPort: 8080
diff --git a/lessons/192/4-example/0-role.yaml b/lessons/192/4-example/0-role.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: viewer
+  namespace: default
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumes
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
diff --git a/lessons/192/4-example/1-cluster-role.yaml b/lessons/192/4-example/1-cluster-role.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: viewer
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumes
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
diff --git a/lessons/192/5-example/0-service-account.yaml b/lessons/192/5-example/0-service-account.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: myapp
+  namespace: dev
diff --git a/lessons/192/5-example/1-scenario/0-role.yaml b/lessons/192/5-example/1-scenario/0-role.yaml
@@ -0,0 +1,10 @@
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: dev-admin
+  namespace: dev
+rules:
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs: ["*"]
diff --git a/lessons/192/5-example/1-scenario/1-role-binding.yaml b/lessons/192/5-example/1-scenario/1-role-binding.yaml
@@ -0,0 +1,14 @@
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: dev-admin
+  namespace: dev
+subjects:
+  - kind: ServiceAccount
+    name: myapp
+    namespace: dev
+roleRef:
+  kind: Role
+  name: dev-admin
+  apiGroup: rbac.authorization.k8s.io
diff --git a/lessons/192/5-example/2-scenario/0-role.yaml b/lessons/192/5-example/2-scenario/0-role.yaml
@@ -0,0 +1,10 @@
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: staging-admin
+  namespace: staging
+rules:
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs: ["*"]
diff --git a/lessons/192/5-example/2-scenario/1-role-binding.yaml b/lessons/192/5-example/2-scenario/1-role-binding.yaml
@@ -0,0 +1,14 @@
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: staging-admin
+  namespace: staging
+subjects:
+  - kind: ServiceAccount
+    name: myapp
+    namespace: dev
+roleRef:
+  kind: Role
+  name: staging-admin
+  apiGroup: rbac.authorization.k8s.io
diff --git a/lessons/192/5-example/3-scenario/0-role-binding.yaml b/lessons/192/5-example/3-scenario/0-role-binding.yaml
@@ -0,0 +1,14 @@
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: qa-admin
+  namespace: qa
+subjects:
+  - kind: ServiceAccount
+    name: myapp
+    namespace: dev
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
diff --git a/lessons/192/5-example/4-scenario/0-cluster-role.yaml b/lessons/192/5-example/4-scenario/0-cluster-role.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: test-admin
+subjects:
+  - kind: ServiceAccount
+    name: myapp
+    namespace: dev
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
diff --git a/lessons/192/README.md b/lessons/192/README.md
@@ -0,0 +1,3 @@
+# Kubernetes RBAC Explained
+
+You can find tutorial [here](https://youtu.be/iE9Qb8dHqWI).
diff --git a/lessons/192/bonus.yaml b/lessons/192/bonus.yaml
@@ -0,0 +1,19 @@
+---
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - endpoints
+      - namespaces
+    verbs:
+      - get
+      - watch
+      - list
+      - create
+      - delete
+---
+rules:
+  - apiGroups: [""]
+    resources: ["services", "endpoints", "namespaces"]
+    verbs: ["get", "list", "watch", "create", "delete"]
diff --git a/lessons/192/build.sh b/lessons/192/build.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -x
+
+# setup default values, use environment variables to override
+# export VER=v1 APP_DIR=myapp && ./build.sh
+USERNAMR="${USERNAMR:-aputra}"
+VER="${VER:-latest}"
+LESSON=$(basename $(pwd))
+APP_DIR="${APP_DIR:-0}"
+DOCKERFILE="${DOCKERFILE:-Dockerfile}"
+
+# service-a
+docker build -t ${USERNAMR}/${APP_DIR}-${LESSON}-arm64:${VER} -f ${APP_DIR}/${DOCKERFILE} --platform linux/arm64 ${APP_DIR}
+docker build -t ${USERNAMR}/${APP_DIR}-${LESSON}-amd64:${VER} -f ${APP_DIR}/${DOCKERFILE} --platform linux/amd64 ${APP_DIR}
+
+docker push ${USERNAMR}/${APP_DIR}-${LESSON}-arm64:${VER}
+docker push ${USERNAMR}/${APP_DIR}-${LESSON}-amd64:${VER}
+
+docker manifest create ${USERNAMR}/${APP_DIR}-${LESSON}:${VER} \
+    ${USERNAMR}/${APP_DIR}-${LESSON}-arm64:${VER} \
+    ${USERNAMR}/${APP_DIR}-${LESSON}-amd64:${VER}
+
+docker manifest push ${USERNAMR}/${APP_DIR}-${LESSON}:${VER}
diff --git a/lessons/192/cert/ca-config.json b/lessons/192/cert/ca-config.json
@@ -0,0 +1,18 @@
+{
+    "signing": {
+        "default": {
+            "expiry": "8760h"
+        },
+        "profiles": {
+            "demo": {
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "server auth",
+                    "client auth"
+                ],
+                "expiry": "8760h"
+            }
+        }
+    }
+}
diff --git a/lessons/192/cert/ca-csr.json b/lessons/192/cert/ca-csr.json
@@ -0,0 +1,14 @@
+{
+    "CN": "DevOps by Example",
+    "key": {
+        "algo": "ecdsa",
+        "size": 256
+    },
+    "names": [
+        {
+            "C": "US",
+            "ST": "CA",
+            "L": "Los Banos"
+        }
+    ]
+}
diff --git a/lessons/192/cert/user-csr.json b/lessons/192/cert/user-csr.json
@@ -0,0 +1,14 @@
+{
+    "CN": "[email protected]",
+    "key": {
+        "algo": "ecdsa",
+        "size": 256
+    },
+    "names": [
+        {
+            "C": "US",
+            "ST": "CA",
+            "L": "Los Banos"
+        }
+    ]
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		# Kubernetes RBAC Explained

		You can find tutorial [here](https://youtu.be/iE9Qb8dHqWI).