[ Kube 68 ] Kubernetes RBAC Demo | Creating Users and Roles
- added 4 Jan 2020
- In this video, I will show you how to use Role Based Access Control in your Kubernetes cluster and how to use user accounts.
Learn Kubernetes Playlist:
• Learn Kubernetes
Certificate generation related commands:
github.com/justmeandopensourc...
Hope you enjoyed this video. Please share it with your friends and don't forget to subscribe to my channel. For any questions/issues/feedback, please leave me a comment and I will be happy to help.
Thanks for watching.
If you wish to support me:
www.paypal.com/cgi-bin/webscr...
#kubernetes #learnkubernetes #justmekubernetes #kubernetesrbac #rbac
Best One on this topic. Thank you so much for the efforts !
Hi Shital, thanks for watching.
Thanks for the explanation Venkat! Much appreciated!
Hi Surendhar, thanks for watching. Glad it helped. Cheers.
This guy is best when it comes to practical training. Most of the channels on k8s are showing same slides
Hi Raheel, thanks for watching. Glad that you found this content useful. Cheers.
Very Nice Video. No document given such easy way to do this.
Hi Prasad, thanks for watching.
As always , you decipher the concepts in easy to understand manner. Please keep them coming.
Thanks for watching. Cheers
Thank you so much, what you have demoed here is exactly what I have been looking for! This is so clear. very helpful!
Glad it helped. Cheers.
You're doing a great job. Thank you so much for these free educational videos. You are the best :) . Instead of manually copying the certificate and key to the kubectl configuration file, you can use the `--embed-certs=true` option.
Hi Antonio, thanks for watching. That was useful to know. Cheers.
I have been trying to understand RBAC for so long. Now I know.
Cool. Glad you found it useful. Thanks for watching.
Thanks a lot brother!! Your video had clarified many doubts. Keep up your good work.
Hi Thiru, thanks for watching. Cheers.
absolutely great. Very clear, easy to follow and it works! I found procedures taken from the kubernetes docs themselves rather contrary to this approach, as they use kubectl commands to 'approve' requests that have been 'submitted' also by kubectl, and the resultant user certificate I then extracted failed to work when inserted into the kube config. I could have had it wrong though; found this and away we go. Thanks again, you're a time saver!
Hi Jon, many thanks for watching. Glad it helped. Cheers.
Excellent demonstration! Thank you so much!
Hi, Thanks for watching.
One of my best instructor.
Hi Hassan, Thanks for watching.
@justmeandopensource you are supportive as well.
Thanks for your feedback
@devopskey6251 no worries
I don't have words to say you thanks. You are the kube Champion.
Hi Tayyab, Thanks for watching. Glad it helped. Cheers
Great stuff. Very clear explanation. Thanks.
Hi Prithu, Thanks for watching.
Amazing videos & hand on - keep sharing lot such videos - thanks
Hi Pradeep, thanks for watching. Cheers.
Beautifully explained!
Hi Sreerag, Thanks for watching.
You are the absolute best! Thank you 🙏.
You're welcome! Thanks for watching Tao
Top notch content! Thanks a lot for your efforts
Hi Surendra, thanks for watching.
Amazing! The way you demystified the complex topic is amazing! Pure awesomeness that I landed on your channel.
Keep adding more videos 🤟
Hi Sandeep, thanks for watching.
Most comprehensive tutorial I've found on the topic of RBAC. Can you do an update with the use of CertificateSigningRequest available in k8s v1.19 please. Also, if you can do your demos with a larger font (or zoomed in) so it will be easier to follow. I love the way you do interactive tutorials. So geeky. Just finding it very difficult playing the video at HD so I can zoom my screen into text typed on terminal. Thanks for the video. Really a great content. Keep it up.
Yeah, my only small gripe is I have to do full-screen on a 27 inch monitor.
Thanks bro.
Understood clearly
Hi Ajay, thanks for watching. Cheers.
Thanks a lot, I have been struggling to understand RBAC and how to create users now I know how to :)))
Thanks for watching. Cheers.
Hi Sir, your k8 content is really amazing and it's very useful for DevOps beginners like me.
Hi, glad that it is helping you. Thanks for watching.
Thanks so much it's very helpful for my work, excellent job keep it brother
Thanks for watching. Cheers Kiran.
Excellent explanation
Hi Wilson, thanks for watching.
woow!!!! really helpful man, please put the certificate generation commands.
Hi Milinda, thanks for watching. I have created a doc in my GitHub repo with the certificate generation commands.
github.com/justmeandopensource/kubernetes/blob/master/docs/create-user-certificates.md
Thanks
Very useful video. Thank you for making this. Can you make a video about Service Account and show some demos for that?
Hi Zulhilmi, thanks for watching. I have many videos lined up for release in the coming months. I will add it to my list and get it done when I get some time. Thanks for suggesting this topic. Cheers.
@justmeandopensource looking forward!
Just amazing! thank you very much
Hi Jagdish, thanks for watching.
Thank you bro, concept and practice clearly
Thanks for watching. Cheers.
Very nicely explained.
Hi Anika, thanks for watching.
Thank you very very much man..... simply presented toughest thing
Hi Sumith, thanks for watching. Glad it helped. Cheers.
@justmeandopensource you are superman, I went through many videos and they all only confused me, but you did it🤗🤗🤗
@sumithsps007 I know how confusing it would be when people explain stuff the way they know. Hence I explain stuff the way I would like others to explain so that I can understand 😉
Great Video. Thanks !
Hi Renzo, Thanks for watching.
You are the fantastic one.
very easy to understand. Can you please create more videos on actual scenarios like HPA & VPA & cluster autoscaler together, also managing SSL/TLS with istio ingress etc.
Nice explanation and demo. Thanks bro.
Could you also make a video about service account if you have time?
Very useful, thanks 👍
Hi, Thanks for watching.
Your videos are just awesome..!!!
Hi Priya, thanks for watching.
This is absolutely beautiful! You spoke perfect English, and you went thru all the steps without diverging. Do you have course on the internet?
Hi, Thanks for watching. I don't have courses outside of CZcams I am afraid.
@justmeandopensource I was going to ask the same question. Please do one on Udemy. You are a good teacher, I must say; I got a lot from this video. Thanks so much.
Gold standard. Appreciate your efforts!
Hi Rakesh, many thanks for watching. Cheers 😊
@justmeandopensource What terminal do you use? Looks sick
Sick?
@justmeandopensource I mean it's awesome
@rakeshrajgopalasaikrishnan5562 You got me worried for a moment :)
Thanks for this video.
You're welcome
Thanks a lot for this info. Can you do any session on troubleshooting kubernetes?
Hi Raghu, thanks for watching. This is an ongoing series and I will cover troubleshooting at some point. Cheers.
Really cool video!
Hi Oleg, thanks for watching.
Great job man
Thanks for watching. Cheers 😊
Thanks for sharing
Hi Murad, thanks for watching.
Your videos are really helpful and it has helped me create a cluster with Prometheus and Grafana with helm. Can you do a new video on getting helm influxdb to work with Grafana?
Hi, thanks for watching. I will add it to my list surely. Cheers.
Great job. I am following you and I treat you as a teacher.
Hi Janardhan, thanks for watching and glad this channel is helping you. Cheers.
Well done Venkat...
Hi Prakash, many thanks for watching. Cheers.
Thank you so much
Thanks for watching.
Awesome bro ..
Hi Jashva, thanks for watching. Cheers.
Hi, thanks for the video. I have 1 question
Assuming I have 3 users in 'finance' group and I already gave 3 config files to my team members. Now I want to delete 1 user, how can I do that?
Great Stuff 👏
Thanks for watching.
Great video Venkat. One question: how to play with the ca.cert as described, with Docker for Desktop on Windows?
Great video, learned a complex topic in a simple way. Is there documentation/a video to do the same using minikube? I couldn't do the hands-on on minikube but I am trying to figure it out till I get direction from an expert.
Hi. The video is really amazing but it will be more comfortable if you increase the font size. It's a bit tough to see the text.
HI Priyanshu, thanks for watching and for the feedback. I have increased the font size in all my recent recordings.
Well done !!!
Hi Denis, thanks for watching.
Hi Venkat,
I am following all your kubernetes training videos and they are great content and easy to understand even for beginners like me. One question I have is, how does it auto-populate the command when you write into it? As soon as you type kubectl get it shows the next set of parameters to be entered. Please share if this can be set up on our systems too.
Thanks,
Shashikumar
Hi Shashi, thanks for watching. I use Zsh shell. On top of it I have oh-my-zsh. Then I have zsh-autosuggestions plugin which is the one that suggests command in the background as I start typing from my command history.
I have done a video on my terminal setup long time ago where I covered this.
czcams.com/video/soAwUq2cQHQ/video.html
Cheers.
Do you plan to extend this RBAC video or do another to show integration with Azure AD or LDAP?
wow over 37K viewed. I have subscribed too.
Hi, Thanks for watching.
very clear!!!!
thank you
Hi Carmen, thanks for watching.
Nice and clear video, thanks. One question: does the administrator of the cluster need to renew the cluster certificates?
Hi, thanks for watching. Yes, it's the cluster admin's responsibility to renew certificates, or anyone with cluster-admin privilege can do that.
Thank you for the valid info. Could you please share video how to setup kubernetes dashboard on ubuntu machine
Hi Madhu, thanks for watching. I have already done a few videos on how to set up the dashboard for a Kubernetes cluster. You can watch the recent video in the below link.
czcams.com/video/6MnsSvChl1E/video.html
Cheers.
Hey sir, nice video, I am really interested in what terminal do you use. I love the hint it gives you when you write your commands. Does it take from the history?
Thank you in advance!
Hi Daniel, thanks for watching. I use zsh shell with zsh-autosuggestions plugin that suggests commands from my zsh history.
This is the video about my terminal setup I did a while ago.
czcams.com/video/soAwUq2cQHQ/video.html
Never mind, already figured. ZSH with autocompletion :-)) Awesome
@justmeandopensource Ah lol you were faster to reply :-D Thank you anyway!
@danielcech4636 No worries.
very nice video
Hi Saurabh, thanks for watching.
Hi Venkat, thanks for the video. Can you try to make a video to deploy these kinds of resources using helm?
Hi Nagarjuna, thanks for watching. These are not normal resources that you deploy in a kubernetes cluster, so it can't be done using Helm. These are administrative operations. Using Helm you can deploy resources but can't create users/certificates and so on.
very helpful! Thanks a lot!
Question: if your kubernetes cluster resides on Google Cloud... can you potentially create new users in the google cloud console project on where there is your kubernetes cluster... and add permissions to those users? Do you get the same granularity in terms of permissions? thanks
I suppose you mean GKE by "kubernetes cluster resides on Google Cloud". Since GKE is a managed Kubernetes cluster, access to the cluster is granted either via IAM or RBAC but in both cases users need at least the container.clusters.get IAM permission in the project that contains the cluster in order to be able to authenticate to the cluster.
Notice : the container.clusters.get IAM permission does not authorize a user to perform any actions inside the clusters. Authorization may then be provided by either IAM or Kubernetes RBAC.
You can authenticate to the cluster by running : gcloud container clusters get-credentials --region --project
This command will generate the kube config file for you (~/.kube/config) and then you will be ready to go.
Thanks for the good explanation on RBAC... But I am confused about groups. I have created 2 additional users and they also got access to the respective namespace. But if I want to remove one user from that group, or I want to list which users have rights on a namespace, how can I do that?
Thanks .
Hi, thanks for watching.
In case one user belongs to multiple groups, may I know how to specify it when creating the certificate?
Hi Venkat, very nice explanation, just a small doubt. On which server did you create user John? I was struggling to identify that when you did ssh to the master for copying ca.crt and ca.key.
Hi Mahi, thanks for watching. Creating user John means basically creating a certificate pair which can be done on any machine. I did it on my local workstation and then copied the certificate pair to the master node. Cheers.
Hi venkat you are doing very good...Can you please upload one video for( ServiceAccounts Vs Users )
Hi Kotesh, thanks for watching. I will see if I have time to do that. But basically the difference is that you use service account internally to run a service/deployment with certain set of permissions. You don't normally login using service account. They are meant to be used internally in the cluster. Normal users are something that comes with username/password or certificates which you use to authenticate to cluster and do operations.
There is a good article that explains this.
kubernetes.io/docs/reference/access-authn-authz/authentication/
@justmeandopensource I have gone through this document even before, but I have some confusion about service accounts in K8S
@koteshydv6997 What is it that confuses you about service accounts?
Thanks, Venkat for this video.
I have one question, what if we want to grant user John to additional namespace lets say: dev?
Do we need to follow the same process?
Yes you need to add user to that group dev
Hi Umar, thanks for watching. Yes you will have to add the user to the dev group by updating the certificate. The group membership of the user is done while creating the certificate in the Subject field.
@KathirVel-fb2sf Thanks for jumping in to answer this question. Cheers.
Hi Venkat, Thanks for this video.
I have a question, where did you add both john and chris in finance group.?
Hi Praveen, the group name will be passed in the subject while creating the certificate.
Hi Thiru, thanks for jumping in to answer Praveen's query. Yes you are right, group names are part of SUBJECT when creating the certificate. Cheers.
Hope you got the answer.
Hi Parveen, you can run kubectl again with set-credentials chris and set-context with chris as the user and context finance chris
@coboware5419 Thanks for responding to this question. Cheers.
Hi, thanks for the video, it's really awesome. I want to access this user from another instance, as I have performed all these steps on an EC2 instance. So how do I access the cluster using the user from another instance? What do I need to install on the other instance for that user to access it?
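Added example, not code from the video or its GitHub repo, for the certificate questions in this thread: how a user's groups are expressed (one O= entry per group in the Subject, so a user in both finance and dev gets two O= entries), why changing groups means issuing a new certificate, and what `--embed-certs=true` does to the kubeconfig. Assumptions: a throwaway CA is generated here in place of the cluster's /etc/kubernetes/pki/ca.crt and ca.key, the cluster name and server address are placeholders, and the kubectl steps run only if kubectl is installed (they need no cluster connection). One caveat worth knowing for the "how do I delete one user" question: the API server does not check a revocation list for client certificates, so a user is removed by letting the certificate expire or rotating the CA, which is the reason to keep `-days` short.

```shell
# Added example (not the video's own commands). Issues a client certificate whose
# Subject carries the username (CN) and groups (O), inspects it, and builds a
# kubeconfig with the certificates embedded. The CA here is a stand-in for the
# kubeadm CA in /etc/kubernetes/pki; the server URL is an assumption.
set -e

# Stand-in CA. On a real kubeadm cluster use ca.crt/ca.key from the control plane.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout ca.key -out ca.crt -subj "/CN=kubernetes" 2>/dev/null
}

# make_user_cert <user> <group>... : key, CSR and CA-signed cert for <user>.
# CN is the username the API server will see; every O= is a group it will see.
make_user_cert() {
  user=$1; shift
  subj="/CN=$user"
  for g in "$@"; do subj="$subj/O=$g"; done
  openssl genrsa -out "$user.key" 2048 2>/dev/null
  openssl req -new -key "$user.key" -out "$user.csr" -subj "$subj"
  # 365 days is the video's choice; shorter is safer since there is no revocation.
  openssl x509 -req -in "$user.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -out "$user.crt" 2>/dev/null
}

# cert_groups <cert>: the group names (O= values) in the Subject, one per line.
cert_groups() {
  openssl x509 -noout -subject -nameopt sep_multiline -in "$1" \
    | sed -n 's/^[[:space:]]*O[[:space:]]*=[[:space:]]*//p'
}

# cert_user <cert>: the CN, i.e. the username RBAC bindings will match on.
cert_user() {
  openssl x509 -noout -subject -nameopt sep_multiline -in "$1" \
    | sed -n 's/^[[:space:]]*CN[[:space:]]*=[[:space:]]*//p'
}

# build_kubeconfig <user> <server>: a single-file kubeconfig. --embed-certs=true
# stores the PEM data base64-encoded in the file instead of paths to it, so the
# file can be handed to the user on its own.
build_kubeconfig() {
  user=$1; server=$2; cfg="$user.kubeconfig"
  command -v kubectl >/dev/null || { echo "kubectl not installed, skipping kubeconfig"; return 0; }
  kubectl --kubeconfig "$cfg" config set-cluster kubernetes \
    --server="$server" --certificate-authority=ca.crt --embed-certs=true
  kubectl --kubeconfig "$cfg" config set-credentials "$user" \
    --client-certificate="$user.crt" --client-key="$user.key" --embed-certs=true
  kubectl --kubeconfig "$cfg" config set-context "$user" \
    --cluster=kubernetes --namespace=finance --user="$user"
  kubectl --kubeconfig "$cfg" config use-context "$user"
  echo "wrote $cfg"
}

# Walk-through in a scratch directory: john is in finance and dev, chris only in finance.
demo() (
  cd "$(mktemp -d)"
  make_ca
  make_user_cert john finance dev
  make_user_cert chris finance
  echo "user: $(cert_user john.crt)"; echo "groups:"; cert_groups john.crt
  build_kubeconfig john https://192.168.5.11:6443   # server address is an assumption
)
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh script.sh demo`. To move john from finance to dev, re-run `make_user_cert john dev` and hand out the new kubeconfig; the old certificate keeps working until it expires, which is why the lifetime matters.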
Best video for this topic! Thanks a lot!!!
But I am still a bit confused in the points.
1. In the video starting from 22:48, you add the resources deploy and service to the role with the get and list verbs. But when you try to get the deploy and service it can't get them. Why?
2. When John creates his own kubeconfig file, he needs the ca.cert file. But in the case where we create the kubeconfig file for John, we only use john.key and john.crt; ca.cert is not used. Why is there a difference?
for the 1st question , I think he has to use the "deployments" and "services" keywords instead of deploy and service.
Hi, thanks for this RBAC video, and I have 1 question: how can I get ca.crt and ca.key from the AWS EKS service?
This video is awesome! thank for sharing.
I noticed that both users here (John and Chris) are using the default cluster name (kubernetes); is it possible to create multiple clusters on the same VMs for different users? Thanks a lot for responding...
Hi Huide, thanks for watching. Its generally not a good practice to run multiple clusters on the same machine. In real world, you won't be running an entire cluster in a single vm. Each VM will be a node in the cluster.
@justmeandopensource Thanks for the reply. I did some google search after asking you the question. It looks like running multiple clusters on the same VMs is not a popular way; but there's some SIG working on a "similar" function here: `github.com/kubernetes-sigs/multi-tenancy/tree/master/incubator/virtualcluster` anyway, really thanks for the video you made; it's helpful.
Thanks for this information. I am going to explore virtualcluster. Cheers.
Thanks for the wonderful video brother. Can you tell me what tool we can use to interact with the cluster from a Windows machine?
Hi Nathan, doesn't matter which machine you use, the way to interact with the cluster is through kubectl binary which can be used from any operating system.
It's a good video. How do we assign an existing user who is part of group "A" to be part of a different group as well, suppose B?
Hi Nagarjuna, thanks for watching. Group membership is through the certificate, so you will have to re-create a new certificate pair with the right group memberships.
Hi Venkat,
Can you please post some videos related to operators. If it is based on the ansible that would be very useful
Hi Praveen, thanks for watching. Operators are one topic that I never explored in Kubernetes. Let me see if I can find time to do that. Cheers.
I really enjoyed your video! It was the most in-depth example on RBAC that I have found, and because of that it has been the most useful, so thank you. I have a question about your use of certificates. I am not really sure what they are used for, because I thought a Role defines the scope of what a specific user can do to a resource, and when you bind that role to a user with a RoleBinding, the user is able to access the designated resources, so what is the point of the certificates? Thanks!
Kubernetes has no idea about users, it operates only with certificates
Hi Ryan, roles and role bindings are used for authorization and we use TLS certificates for authentication. So before defining authorization rules using roles and role bindings, the user needs authentication to the cluster, right? That's where TLS certificates are used. 😊
Thank you for the great videos. I am testing this on GKE but GKE does not give us access to the master so I cannot copy ca.cert and ca.key. Do you have any suggestion on how I can solve this problem?
Hi Mohammad, thanks for watching. All my videos are based on self provisioned/managed kubernetes cluster where we have access to the controller node. I don't have experience in using GKE where the controllers are managed by Google. In that case, you can look at other options like integrating external identity provider like ActiveDirectory or LDAP.
Hi, it's awesome, but I wanted to create two roles, one admin role and one developer role for the namespaces. Do I need to create a certificate and CSR for all the users (admin and developer users) to apply those roles?
Yes, you will have to generate csr/certificate for different roles.
Please let me know on which terminal you are issuing commands. Is `cd play/temp` on the master node, or on another Linux jump box, or a worker node? Please clarify. I am confused.
Hi Ranjeet, thanks for watching. That was on my laptop itself where I am running Linux.
nice explanation
May you please let me know whether it is possible to access pods of the master via john, and if yes, how?
Hi Venkat. Excellent video. I have a question if you can help me. I don't see ca certs in my dev master node, in the /etc/kubernetes/pki folder. It has some other files/folders like etcd-manager-events, etcd-manager-main, kube-apiserver. I checked all the folders but I don't find ca files there. There are other files like etcd-ca.crt, etcd-client.crt, etcd-client.key. Do you know how I should create the crt file in that case? I did self-signed and verified, but I got the error that the cert is not from a trusted source. Also, I have a config file with write-access RBAC with all the data there and now I am creating a read-only RBAC access file. Can the cert from the existing config be helpful to create a read-only crt?
Hi Venkat, can you please tell the way to get all options available with all commands in kubernetes? Is there anything like Kite that does AI-based command completion? I see you don't use -h for options very frequently nor do you refer to the manual. Please advise.
Hi Rishi, thanks for watching. I would recommend kube-shell for you. Try installing and using it. It has awesome command completion along with options as well.
github.com/cloudnativelabs/kube-shell
Hi Venkat, I followed your setup for creating users, roles and role bindings. I am facing an unauthorized issue on access, for an rke2 cluster. Do you have any solution?
Awesome work. Why can't you make a video on aws-auth?
Hi Kumar, thanks for watching. I haven't played with aws-auth yet. When I get a chance I will check that for sure. Cheers.
Hi, please help me with a doubt. I want to give get access on pods/deployments and nodes but delete access only on pods/deployments. How will I write this combination in the role yaml?
Thanks
Thanks for watching.
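Added example, not code from the video or its repo, covering two questions in the comments: the Role that listed `deploy` and `service` granted nothing because RBAC matches the plural resource name exactly and knows nothing of kubectl short names or singulars; and the get-on-pods/deployments/nodes but delete-only-on-pods/deployments combination, where nodes are cluster-scoped and therefore cannot be granted by a namespaced Role at all, so they go in a ClusterRole with a ClusterRoleBinding. The namespace and group `finance` follow the video; the Role and ClusterRole names and the small lint function are assumptions of this example.

```shell
# Added example (not from the video). A broken Role next to the corrected one,
# a lint that catches kubectl aliases used as RBAC resource names, and a live
# check via "kubectl auth can-i" when a cluster is reachable.
set -e

# As a viewer might write it: applies cleanly, but "deploy" and "service" are
# not resource names, so the rule only ever grants access to pods.
broken_role() {
  cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: finance-ops
  namespace: finance
rules:
- apiGroups: [""]
  resources: ["pods", "deploy", "service"]
  verbs: ["get", "list", "delete"]
EOF
}

# Corrected. Plural names; deployments live in the "apps" API group and need
# their own rule; nodes are cluster-scoped, so read access to them is a
# ClusterRole bound to the same group with a ClusterRoleBinding (no delete).
fixed_role() {
  cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: finance-ops
  namespace: finance
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: finance-ops
  namespace: finance
subjects:
- kind: Group
  name: finance            # the O= value in the users' client certificates
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: finance-ops
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list"]   # read only; delete is deliberately absent
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: finance-node-reader
subjects:
- kind: Group
  name: finance
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# rbac_lint: read a manifest on stdin and report entries in flow-style
# rules[].resources lists that are kubectl aliases or singulars rather than
# RBAC resource names. Prints one line per finding; returns 1 if any.
rbac_lint() {
  aliases='deploy deployment svc service pod po node no ns cm secret sa rs ds sts ing'
  found=0
  names=$(sed -n 's/^[[:space:]]*resources:[[:space:]]*\[\(.*\)\].*$/\1/p' \
          | tr -d '" ' | tr ',' '\n')
  for n in $names; do
    for a in $aliases; do
      if [ "$n" = "$a" ]; then echo "not an RBAC resource name: $n"; found=1; fi
    done
  done
  return $found
}

# With a cluster: apply the corrected manifests and ask the API server what a
# member of the finance group can do. Expect yes, yes, yes, no.
check_live() {
  command -v kubectl >/dev/null || { echo "kubectl not installed, skipping live check"; return 0; }
  fixed_role | kubectl apply -f -
  for q in "get deployments" "delete deployments" "get nodes" "delete nodes"; do
    printf '%s: ' "$q"
    kubectl auth can-i $q -n finance --as=john --as-group=finance || true
  done
}
```

Usage: `broken_role | rbac_lint` reports `deploy` and `service`; `fixed_role | rbac_lint` is silent. The lint only reads flow-style lists (`resources: [...]`), which is the form the video uses; block-style lists would need a second sed pattern.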
Hey, are ca.crt and ca.key in /etc/kubernetes/pki by default, or do we need to create them? And if we need to create them, how do we do that?
kubeadm init command will create needed certs in that directory.
@justmeandopensource thanks a lot for your help and have a nice day :)
You are welcome.
Hi again, I have a question or two :p : how can I list all the users and groups in my kubernetes cluster? And how do I add an existing user to a group? Thanks :)
Hi Kahlil, thanks for watching. What I have shown in this video is a very basic/fundamental way of granting access to a user by generating certificates and having a proper role defined in the cluster. There is no identity service to find out the list of users. Anyone with a valid certificate is a user and will be able to access the cluster. No one will be managing users/groups this way in production in a large organization. If I were you, I would use Rancher to manage my cluster, which also allows me to integrate existing identity providers like Active Directory, LDAP with k8s for authentication and authorization. Cheers.
@justmeandopensource Thanks mate, you're the best :)
Hi,
How to see/list the users associated to the groups.
Hi, thanks for the video. I was wondering if you can please make a video to show how to sign a CSR file with the kubectl certificate approve command. It will be very useful for me :)
Hi Khalil, thanks for watching. I will add csr approving video to my list. Cheers.
@justmeandopensource Thanks a lot mate 😀
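Added example, not code from the video or its repo, for the `kubectl certificate approve` request above (and the related asks for ca.key on EKS and GKE, which managed clusters do not expose). The CSR is still generated with openssl exactly as in the video, but instead of signing it with ca.key it is submitted as a CertificateSigningRequest object, approved by an admin, and the signed certificate is read back from `status.certificate`. Assumptions: the user/group names follow the video, `expirationSeconds` needs Kubernetes 1.22 or newer, and the kubectl steps run only when kubectl is installed and pointed at a cluster.

```shell
# Added example (not from the video). Client certificate via the
# certificates.k8s.io API instead of the cluster CA's private key.
set -e

# new_csr <user> <group>: key + CSR with the Subject layout the video uses.
new_csr() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -out "$1.csr" -subj "/CN=$1/O=$2"
}

# csr_manifest <user>: the CertificateSigningRequest object. The PEM CSR goes
# in spec.request base64-encoded on one line. kube-apiserver-client is the
# built-in signer for client certs; expirationSeconds (1.22+) bounds the
# lifetime, which matters because there is no revocation for these certs.
csr_manifest() {
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  request: $(base64 < "$1.csr" | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400
  usages:
  - client auth
EOF
}

# csr_from_manifest: decode spec.request from a manifest on stdin back to PEM,
# i.e. exactly what the signer will see.
csr_from_manifest() {
  sed -n 's/^[[:space:]]*request:[[:space:]]*//p' | base64 -d
}

# issue_via_cluster <user>: submit, approve (the approve step needs a
# cluster-admin context), then fetch the signed certificate. status.certificate
# stays empty until approval, which is a common reason an extracted cert "does
# not work": it was read before the signer filled it in.
issue_via_cluster() {
  command -v kubectl >/dev/null || { echo "kubectl not installed, skipping cluster steps"; return 0; }
  csr_manifest "$1" | kubectl apply -f -
  kubectl certificate approve "$1"
  kubectl get csr "$1" -o jsonpath='{.status.certificate}' | base64 -d > "$1.crt"
  openssl x509 -noout -subject -issuer -dates -in "$1.crt"
}

demo() (
  cd "$(mktemp -d)"
  new_csr john finance
  csr_manifest john
  issue_via_cluster john
)
if [ "${1:-}" = "demo" ]; then demo; fi
```

After `issue_via_cluster`, john.key and john.crt are used with `kubectl config set-credentials` exactly as in the video; the CA certificate for the kubeconfig comes from the existing admin kubeconfig or `kubectl config view --raw`, not from the control plane's filesystem.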
Hi venkat, can you please help me where I can get ca.key and ca.crt for eks cluster 1.26
Which tool are you using to get command syntax support?
Zsh autosuggestions
Hi! What OS and terminal do you use?
Thanks for watching. I used Arch Linux and the Alacritty terminal. For the shell I used Zsh with a bunch of useful plugins.
For example, we have three different users: a developer, a senior DevOps engineer and a junior DevOps engineer. How can we create users and groups and give them specific access in k8s?
Hey, how can I get kubernetes certificates on Docker Desktop on Windows? Please reply.