7 What is Kubernetes RBAC? A method of regulating access to computer or network resources based on the roles of individual users within an enterprise. https://kubernetes.io/docs/reference/access-authn-authz/rbac/
16 Roles example - a Role that can read pods in the default namespace

  kind: Role
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    namespace: default
    name: pod-reader
  rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
17 ClusterRoles example - a ClusterRole that can read pods in all namespaces

  kind: ClusterRole
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    # "namespace" is not required, ClusterRoles are cluster-scoped
    name: global-pod-reader
  rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
26 Default ClusterRoles / admin Allows read/write access to most resources in a namespace, including the ability to create roles and rolebindings within the namespace. https://kubernetes.io/docs/reference/access-authn-authz/rbac/
27 Default ClusterRoles / edit Allows read/write access to most objects in a namespace. It does not allow viewing or modifying roles or rolebindings. https://kubernetes.io/docs/reference/access-authn-authz/rbac/
28 Default ClusterRoles / view Allows read-only access to see most objects in a namespace. It does not allow viewing roles or rolebindings. It does not allow viewing secrets, since those are escalating. https://kubernetes.io/docs/reference/access-authn-authz/rbac/
52 Namespace and Team per microservice [diagram: one Kubernetes cluster; microservice A, B and C each run in their own namespace A, B and C, owned by team A, B and C respectively]
54 Give namespace-admin = End-to-End ownership [diagram: same layout as slide 52; each team owns its microservice's namespace end to end]
55 Give namespace-admin = End-to-End ownership [diagram: same layout as slide 52, with RoleBinding A, RoleBinding B and RoleBinding C, one per namespace, tying each team to its namespace]
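The per-namespace binding the slide describes, written out as an added example that is not part of the original deck. The namespace name "namespace-a" and the group "team-a" are assumed placeholders; the group must be one the cluster's authenticator actually presents (for example from an OIDC groups claim) for the binding to match anyone.

```yaml
# Added example (not from the deck): give team A end-to-end ownership of
# namespace A by binding the built-in "admin" ClusterRole with a namespaced
# RoleBinding. "namespace-a" and the group "team-a" are assumed placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-admin
  namespace: namespace-a        # the grant applies inside this namespace only
subjects:
- kind: Group
  name: team-a                   # group name exactly as the authenticator emits it
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole              # a ClusterRole referenced from a RoleBinding
  name: admin                    # is scoped down to namespace-a
  apiGroup: rbac.authorization.k8s.io
```

A quick check after applying it: `kubectl auth can-i create rolebindings --namespace namespace-a --as alice --as-group team-a` should answer yes, and the same command against `--namespace namespace-b` should answer no. Two properties of this shape are worth knowing when reviewing it: the team can create further RoleBindings in its namespace but, because of RBAC's escalation prevention, only for permissions it already holds there, and nothing in the binding lets it reach cluster-scoped objects. Note also that `roleRef` is immutable, so changing the referenced role means deleting and recreating the binding.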
58 Microservice diversity [diagram: namespace A inside the Kubernetes cluster; team A / service admins hold Roles covering Secrets, Deployments, ConfigMaps and RoleBindings, granted through a ClusterRoleBinding labelled "admins"]
61 Some teams want to restrict RBAC editing [diagram: namespace A inside the Kubernetes cluster; team A / service editors hold access to Deployments and ConfigMaps, granted through a ClusterRoleBinding labelled "editors"; Secrets are drawn separately, outside the editors' scope]
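One way to express the admins/editors split from the two slides above, as an added example that is not the deck's own manifests. It uses namespaced Roles and RoleBindings rather than the ClusterRoleBinding shown in the diagram; the namespace "namespace-a" and the groups "team-a-admins" and "team-a-editors" are assumed placeholders.

```yaml
# Added example (not from the deck). Two Roles in namespace-a: admins may
# manage Secrets and RoleBindings, editors may not. Names are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: namespace-a
  name: service-admins
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["configmaps", "secrets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["rolebindings"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Escalation prevention still applies: an admin can only bind permissions
  # they already hold in this namespace.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: namespace-a
  name: service-editors
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# No "secrets" entry and no rbac.authorization.k8s.io entry: editors can ship
# Deployments but cannot read Secrets or change who has access.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: namespace-a
  name: service-admins
subjects:
- kind: Group
  name: team-a-admins
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: service-admins
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: namespace-a
  name: service-editors
subjects:
- kind: Group
  name: team-a-editors
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: service-editors
  apiGroup: rbac.authorization.k8s.io
```

To confirm the split holds, `kubectl auth can-i get secrets --namespace namespace-a --as bob --as-group team-a-editors` and `kubectl auth can-i create rolebindings --namespace namespace-a --as bob --as-group team-a-editors` should both answer no, while the same queries with `--as-group team-a-admins` answer yes. Keeping Secrets out of the editors Role matters because a principal who can read Secrets can usually read service account tokens in the namespace, which is why the built-in "view" ClusterRole excludes them as well.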
68 Namespace and Team per microservice [diagram repeated from slide 52]
75 Microservice Starter Kit: an internal Terraform module to reduce the provisioning burden on developers and manage infrastructure as code. https://speakerdeck.com/b4b4r07/terraform-ops-for-microservices?slide=13
78 Automate RoleBinding creation with microservice-starter-kit (WIP) [diagram: same layout as slide 55, with RoleBinding A, RoleBinding B and RoleBinding C generated per namespace by the starter kit]