Requirement:
In the enterprise world, we often have several applications running on the same Kubernetes cluster. Each application owner would like to operate on their own application without interfering with other applications. For security reasons we do not want to grant cluster-admin to application owners. Meanwhile, each application owner should have full privileges within their own application's scope.
This is written for Oracle DBAs to better understand how Kubernetes RBAC works. The two systems have similar RBAC concepts:
| Oracle Database | Kubernetes |
|---|---|
| dba role | cluster-admin role |
| grant dba role | grant cluster-admin role |
| create apps-user role to access tablespace example only | create apps-user role to access namespace example only |
| create apps-user | create apps-user or service account |
| grant apps-user role to apps-user | role-binding apps-user role to apps-user |
| apps-users work happily in tablespace example | apps-users work happily in namespace example |
Solution:
- Create namespace for each application
kubectl create namespace test-apps-ns
- The cluster admin creates a Role, ServiceAccount and RoleBinding for each application. Below is an example YAML file:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: test-apps-ns
  name: test-role
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: oke-test-user
  namespace: test-apps-ns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: test-apps-ns
  name: test-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: test-role
subjects:
- kind: ServiceAccount
  name: oke-test-user
  namespace: test-apps-ns
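To see why a Role plus RoleBinding gives the owner full control of `test-apps-ns` and nothing elsewhere, here is a small model of how the Kubernetes RBAC authorizer evaluates the manifest above. This is an added example, not code from the original post or from Kubernetes; it hand-converts the three objects above into Python dicts (so no YAML library is needed) and answers "can this service account do verb V on resource R in namespace N?" using the real rules: a RoleBinding only applies to requests in its own namespace, and a request for a cluster-scoped resource such as `nodes` carries no namespace at all, so no Role can ever grant it. The namespace `other-apps-ns` is a constructed name for a second application. On a real cluster the equivalent check is `kubectl auth can-i list pods -n other-apps-ns --as=system:serviceaccount:test-apps-ns:oke-test-user`. One caveat worth knowing before handing out such a Role: `'*'` on every resource also covers `secrets` and `rolebindings` in that namespace, so the owner can read every secret there and bind any Role that exists in the namespace.

```python
"""Minimal model of namespace-scoped Kubernetes RBAC evaluation.

Added example, not from the original post or from Kubernetes itself. The three
objects from the manifest above are reproduced as dicts (constructed by hand,
not parsed from YAML) so the script runs offline.
"""

# Role from the post: every apiGroup, resource and verb, but only in test-apps-ns.
ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "test-apps-ns", "name": "test-role"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
SERVICE_ACCOUNT = {
    "kind": "ServiceAccount",
    "metadata": {"name": "oke-test-user", "namespace": "test-apps-ns"},
}
ROLE_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "test-apps-ns", "name": "test-rolebinding"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "test-role"},
    "subjects": [{"kind": "ServiceAccount", "name": "oke-test-user", "namespace": "test-apps-ns"}],
}


def sa_username(sa):
    """Kubernetes authenticates a ServiceAccount as system:serviceaccount:<ns>:<name>."""
    return f"system:serviceaccount:{sa['metadata']['namespace']}:{sa['metadata']['name']}"


def subject_matches(subject, user):
    """True if a RoleBinding subject entry refers to the authenticated user name."""
    if subject["kind"] == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["kind"] == "User" and subject["name"] == user


def rule_allows(rule, api_group, resource, verb):
    """A rule matches when each of apiGroups/resources/verbs lists '*' or the value."""
    def match(allowed, value):
        return "*" in allowed or value in allowed
    return (match(rule["apiGroups"], api_group)
            and match(rule["resources"], resource)
            and match(rule["verbs"], verb))


def can_i(user, verb, resource, namespace, roles, bindings, api_group=""):
    """Namespaced RBAC check.

    A RoleBinding is only consulted for requests in its own namespace, and a
    cluster-scoped request (namespace == "") never matches any RoleBinding.
    ClusterRole/ClusterRoleBinding are deliberately left out of this model.
    """
    if namespace == "":
        return False  # cluster-scoped resource: Roles cannot grant it
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue
        if not any(subject_matches(s, user) for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        if ref["kind"] != "Role":
            continue
        for role in roles:
            if (role["metadata"]["namespace"] == namespace
                    and role["metadata"]["name"] == ref["name"]
                    and any(rule_allows(r, api_group, resource, verb) for r in role["rules"])):
                return True
    return False


def demo():
    """Run the checks an admin would make before handing the SA to an app owner."""
    user = sa_username(SERVICE_ACCOUNT)
    roles, bindings = [ROLE], [ROLE_BINDING]
    return {
        "delete pods in test-apps-ns": can_i(user, "delete", "pods", "test-apps-ns", roles, bindings),
        "create deployments in test-apps-ns": can_i(user, "create", "deployments", "test-apps-ns",
                                                    roles, bindings, api_group="apps"),
        "read secrets in test-apps-ns": can_i(user, "get", "secrets", "test-apps-ns", roles, bindings),
        "list pods in other-apps-ns": can_i(user, "list", "pods", "other-apps-ns", roles, bindings),
        "list nodes (cluster-scoped)": can_i(user, "list", "nodes", "", roles, bindings),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'yes' if allowed else 'no'}")
```

The first three checks come back `yes` (including the secrets read, which is the caveat above), while `other-apps-ns` and `nodes` come back `no`: the owner is fenced into their namespace exactly as a tablespace-scoped Oracle user is fenced into their tablespace.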