Effective RBAC for Kubernetes

Published: Jan. 15, 2018, 5 a.m.


Show: 21

Show Overview: Brian and Tyler talk about how Role-Based Access Control (RBAC) is implemented for Kubernetes.

Show Notes:

Topic 1 - The concept of RBAC is best described as "Can ______ (noun) ______ (verb) on ______ (object) at ______ (location)?" where "noun" is a person/service, "verb" is an action, "object" is a function of the API, and "location" is proximity to a Kubernetes cluster.

Topic 2 - RBAC operates on the concept of Roles and RoleBindings, which map actors to permitted actions. Both the roles and the bindings can be defined either globally (cluster-wide) or locally (within a single namespace).
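As an added example that is not part of the show notes, the manifests below show the four RBAC objects the episode refers to. A namespaced Role plus a RoleBinding grants a hypothetical ServiceAccount (metrics-agent, in an assumed payments namespace) read-only access to Pods in that namespace only; a ClusterRole plus a ClusterRoleBinding grants the same account read-only access to Nodes, which are cluster-scoped and therefore cannot be covered by a namespaced Role.

```yaml
# Added example, not from the podcast or the Kubernetes project.
# "Local" scope: a Role only has effect inside its own namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: payments        # assumed namespace
  name: pod-reader
rules:
- apiGroups: [""]            # "" is the core API group, where Pods live
  resources: ["pods"]
  verbs: ["get", "list", "watch"]   # read-only; no create/delete/patch
---
# Binding the Role to an actor. The subject (a ServiceAccount here) is assumed.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: payments
subjects:
- kind: ServiceAccount
  name: metrics-agent        # assumed service account name
  namespace: payments
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# "Global" scope: a ClusterRole is not tied to any namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]       # Nodes are cluster-scoped resources
  verbs: ["get", "list", "watch"]
---
# A ClusterRoleBinding grants the ClusterRole's rules across the whole cluster.
# (A RoleBinding may also reference a ClusterRole, which then applies its rules
# to the binding's namespace only.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-nodes
subjects:
- kind: ServiceAccount
  name: metrics-agent
  namespace: payments
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
```

After applying these with `kubectl apply -f`, the "Can noun verb on object at location?" question from Topic 1 can be answered directly by the API server, for example `kubectl auth can-i list pods --namespace payments --as=system:serviceaccount:payments:metrics-agent` (expected: yes) versus `kubectl auth can-i delete pods --namespace payments --as=system:serviceaccount:payments:metrics-agent` (expected: no). Checking the negative case is the useful part: it confirms the binding grants no more than intended.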

Topic 3 - RBAC can be manually defined, or enabled (by default) by an installer or distribution. It comes with a default set of Roles. Everything is done within the scope of a cluster.

Topic 4 - By default, the kube-scheduler, kube-controller-manager, and kube-proxy all have RBAC roles defined. Kubelets (node-level) don't use RBAC by default, but have their own authorizer, which can then be combined with an RBAC authorizer.

Topic 5 - "Add-ons" (networking, monitoring, logging, etc.) can have RBAC defined in their manifests, or you can grant them access to their service account.

Topic 6 - If the element needs to be something other than those default roles, or uses the default authorizer services, then custom Roles can be created. Audit logs can be used to track the needs of a specific add-on, and the "audit2rbac" tool can view the logs and generate custom RBAC roles from them.

Topic 7 - "Aggregate Roles" are now available in Kubernetes 1.9.
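As an added illustration that is not part of the show notes, an aggregated ClusterRole carries an `aggregationRule` instead of hand-written rules: the controller manager fills in its `rules` from every other ClusterRole whose labels match the selector. That lets an add-on ship a small ClusterRole of its own that is folded into an existing role rather than requiring an administrator to edit the parent role. The role names and the label key below are assumptions for the example.

```yaml
# Added example, not from the podcast or the Kubernetes project.
# The parent role: its rules are computed, so leave them empty.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring            # assumed name
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.example.com/aggregate-to-monitoring: "true"   # assumed label key
rules: []                     # populated automatically by the control plane
---
# A contributing role, e.g. shipped in an add-on's manifests. Because it
# carries the matching label, its rules are merged into "monitoring".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring-endpoints  # assumed name
  labels:
    rbac.example.com/aggregate-to-monitoring: "true"
rules:
- apiGroups: [""]
  resources: ["services", "endpoints", "pods"]
  verbs: ["get", "list", "watch"]
```

The caveat for reviewers is that the effective permissions of `monitoring` are no longer visible in its own manifest: anyone who can create a ClusterRole with the matching label can extend it, so the label itself must be treated as a privileged value, and `kubectl get clusterrole monitoring -o yaml` should be used to inspect the merged rules rather than the source file.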

Feedback?
