search

LAB05: Authorization in Kubernetes

hashtag
Create a user: ram

hashtag
Create a group: DevOps

hashtag
Assign ram → group DevOps

hashtag
Give ram full access to vpsxyz namespace

hashtag
Create a StorageAdmin role so ram can manage Storage resources

hashtag
(PVC, PV, StorageClass)

This lab uses client certificates (recommended for kubeadm labs).

hashtag
LAB OUTLINE

  1. Create user certificate → ram

  2. Add ram to DevOps group

  3. Add ram to kubeconfig

  4. Create namespace vpsxyz

  5. Create Role + RoleBinding for namespace ownership

  6. Create StorageAdmin ClusterRole

  7. Bind StorageAdmin to ram

  8. Test access as ram

hashtag
1. Create Private Key for User ram

On control-plane:

hashtag
2. Create CSR (with group DevOps)

The group is defined in the CSR using O=DevOps.

  • CN = username

  • O = group

Kubernetes will treat:

  • username → ram

  • group → DevOps

hashtag
3. Sign the CSR with the Kubernetes Cluster CA

You now have:

  • ram.key

  • ram.crt

hashtag
4. Add ram user to kubeconfig

hashtag
5. Create a context for ram

Switch to ram (later during testing):

hashtag
6. Create namespace vpsxyz

hashtag
7. Create Role: Namespace Owner (read/write all inside vpsxyz)

vpsxyz-owner.yaml:

Apply:

hashtag
8. Bind ram (or DevOps group) to namespace owner

Option A: Bind the group DevOps (recommended)

Apply:

➡ Any user in group DevOps (like ram) can now fully control vpsxyz namespace.

hashtag
9. Create StorageAdmin ClusterRole

This role gives the user the ability to manage:

  • StorageClasses

  • PersistentVolumes

  • PersistentVolumeClaims

storage-admin.yaml:

Apply:

hashtag
10. Bind ram (or DevOps group) to StorageAdmin

Recommended: Bind the group:

storage-binding.yaml:

Apply:

hashtag
11. Test as ram

Switch to ram:

hashtag
Test namespace access:

Should work.

hashtag
Test StorageAdmin:

Try creating a PVC:

Apply:

Should work.

PreviousLAB04c: Setting up Cluster ConnectionNextLAB05a: Create a Kubernetes User

Last updated