Challenge, Medium, on Kubernetes

Grant Read-Only Access to a Developer Using RBAC Role and RoleBinding

Scenario

A developer named siddhi from the development team requires read-only access to the production namespace. She needs to inspect Pods, view logs, and check Deployments — but must not be able to create, update, or delete any resources.

The siddhi user is already configured on the dev-machine in the kubeconfig with a dedicated context siddhi-context.


Task

  1. Create a Role named prod-reader-role in the production namespace with the following permissions:

     Resource      Subresource   API Group    Allowed Verbs
     pods          (none)        Core ("")    get, list, watch
     pods          log           Core ("")    get, list, watch
     deployments   (none)        apps         get, list, watch

  2. Create a RoleBinding named prod-reader-binding in the production namespace that binds prod-reader-role to the user siddhi.
  3. Switch to the siddhi context and verify the access: she can get, list and watch deployments, pods and pod logs, and she cannot create, update or delete any resource in the namespace.
RBAC Diagram for Developer Siddhi (Read-Only Access to Production Namespace)

kubectl config use-context siddhi-context
# ===> Switch to siddhi Context
kubectl config use-context default
# ===> Switch back to the default context (administration access).
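The declarative form of steps 1 and 2, as an added example that is not part of the challenge page: one manifest holding the Role and the RoleBinding. It assumes the production namespace already exists and that "siddhi" is the username presented by her kubeconfig credentials, as the scenario states. The comments call out the two RBAC details this task turns on: subresources such as pods/log are not implied by the parent resource, and Deployments live in the apps API group rather than the core group.

```yaml
# Added example (not the challenge's own manifest): Role and RoleBinding for
# read-only access to the "production" namespace.
# Assumptions: the namespace exists and the kubeconfig user is named "siddhi".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: prod-reader-role
  namespace: production
rules:
  # Pods plus the pods/log subresource. A rule on "pods" alone does not grant
  # any subresource, so "pods/log" must be listed explicitly. pods/exec and
  # pods/portforward are deliberately absent: they would allow running
  # commands inside production pods, which a read-only role must not permit.
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
  # Deployments are in the "apps" group, not the core ("") group.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prod-reader-binding
  namespace: production
subjects:
  # A User subject matches the username from the client certificate or token.
  - kind: User
    name: siddhi
    apiGroup: rbac.authorization.k8s.io
roleRef:
  # A Role (not ClusterRole) reference keeps the grant scoped to this namespace.
  kind: Role
  name: prod-reader-role
  apiGroup: rbac.authorization.k8s.io
```

Apply it from the default (administrative) context with `kubectl apply -f prod-reader.yaml` (the file name is an assumption); the imperative equivalent is `kubectl create role prod-reader-role --verb=get,list,watch --resource=pods,pods/log,deployments.apps -n production` followed by `kubectl create rolebinding prod-reader-binding --role=prod-reader-role --user=siddhi -n production`. To check the result without switching contexts, impersonate her: `kubectl auth can-i get pods/log -n production --as=siddhi` should print yes, while `kubectl auth can-i create pods -n production --as=siddhi` and `kubectl auth can-i delete deployments.apps -n production --as=siddhi` should print no; `kubectl auth can-i --list -n production --as=siddhi` shows everything the binding grants. Impersonation needs the impersonate verb, which the default context has; from siddhi-context the same `kubectl auth can-i` queries work without `--as`. RBAC is purely additive, so the "no" answers come from the absence of any rule, not from a deny; any other binding that names siddhi or one of her groups would widen her access.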

Hint 1

Use kubectl create role with the --verb and --resource flags to create the Role imperatively.

Use kubectl create rolebinding with the --role and --user flags to bind it to siddhi.

Verify access using kubectl auth can-i with --as=siddhi from the default context (impersonation requires the impersonate permission, which the admin context has), or run kubectl auth can-i directly from siddhi-context without --as.

Use kubectl -h (or kubectl <command> -h) to view built-in help for commands.

See the official docs: https://kubernetes.io/docs/reference/access-authn-authz/rbac/


Test Cases