# Module 7: Role-Based Access Control

## Exercise 1: Working with Role-Based Access Control

In this exercise, you explore role-based access control (RBAC) in Kubernetes.

**Objectives**

This exercise focuses on enabling you to create a read-only user.



**Exercise Equipment**

In this exercise, you use the following systems.

| System                  | Host Name   | IP Addresses   | User Name (case sensitive) | Password  |
|-------------------------|-------------|----------------|----------------------------|-----------|
| Linux Mint 20           | jumphost    | 192.168.0.5    | user                       | Netapp1!  |


---
---

##### Task 1: Create a Read-Only User

In this task, you create a read-only user, bind the appropriate cluster role, and then log in with this user and test the user’s permissions.


---

Review the Kubernetes configuration:



```bash
kubectl config view
```


---

If you work with several kubeconfig files at the same time, export `KUBECONFIG` as a colon-separated list of paths and kubectl merges them into one view (the variable must be exported, or prefixed to the kubectl command, for kubectl to see it):

```bash
export KUBECONFIG=~/.kube/config:~/.kube/kubconfig2
```


---

Create a Kubernetes service account called “rouser” (read-only user):



```bash
kubectl create serviceaccount rouser
```


---

Create a cluster role called rouser:



```bash
kubectl create clusterrole rouser --verb=get --verb=list --verb=watch --resource=pods
```


---

Create a cluster role binding:


```bash
kubectl create clusterrolebinding rouser --serviceaccount=default:rouser --clusterrole=rouser
```


---

Create a token for the rouser account:

[exercise7task1-1.yaml](./exercise7task1-1.yaml)


```bash
kubectl create -f exercise7task1-1.yaml
```


---

Get the token from the secret of the service account that you created previously, and then record the token from the output:


```bash
kubectl describe secret rouser-secret
```

```bash
kubectl describe secret rouser-secret | grep '^token' | awk '{print $2}'
```


---

You can store the token in an environment variable if your shell supports that feature:

NOTE: This command is available in the exercise7task1-2.txt file for your copy convenience.

```bash
TOKEN=$(kubectl describe secret rouser-secret | grep '^token' | awk '{print $2}')
```


---

Verify the TOKEN variable:


```bash
echo $TOKEN
```
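Before you write the token into a kubeconfig it is worth confirming that it really belongs to the `rouser` service account, because the `grep`/`awk` pipeline above will happily capture whatever line starts with `token`. A secret-based service account token is a JWT whose payload names the namespace, the service account and the subject. The following inspection script is an added example (not part of the lab files); it assumes the token is a three-part JWT and only decodes the payload, so it does not verify the signature and proves nothing about the token's authenticity. The sample token is constructed inside the script with a placeholder signature.

```python
import base64
import json
import os


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_token_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.

    Inspection aid only: the API server validates the signature, so a
    readable claim set does not show that the token is genuine.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_is_for_service_account(token: str, namespace: str, name: str) -> bool:
    """Check that the claims identify the expected service account."""
    claims = decode_token_claims(token)
    expected_sub = f"system:serviceaccount:{namespace}:{name}"
    return (
        claims.get("sub") == expected_sub
        and claims.get("kubernetes.io/serviceaccount/namespace") == namespace
        and claims.get("kubernetes.io/serviceaccount/service-account.name") == name
    )


# Constructed sample: the claim set carried by a secret-based service account
# token for default:rouser. The signature is a placeholder, so this token is
# not usable against any cluster.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "rouser-secret",
    "kubernetes.io/serviceaccount/service-account.name": "rouser",
    "sub": "system:serviceaccount:default:rouser",
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url_encode(b"placeholder-signature"),
])


if __name__ == "__main__":
    # Inspect the token from the TOKEN variable set in the lab, or the sample.
    token = os.environ.get("TOKEN", SAMPLE_TOKEN)
    print(json.dumps(decode_token_claims(token), indent=2))
    print("belongs to default:rouser:", token_is_for_service_account(token, "default", "rouser"))
```

Run it as `TOKEN="$TOKEN" python3 inspect_token.py` after the `TOKEN=$(...)` step; if the subject printed is not `system:serviceaccount:default:rouser`, the pipeline captured the wrong line and the value should not be written into the kubeconfig.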


---

Set the credentials for the user in the kube config file and use “learner” as a username:


```bash
kubectl config set-credentials learner --token=$TOKEN
```


---

Create a context for the user and call it “reader”; your cluster is called “kubernetes”:

```bash
kubectl config set-context reader@kubernetes --cluster=kubernetes --user=learner
```


---

Review the Kubernetes contexts:


```bash
kubectl config view
```


---

Switch to the newly created context:


```bash
kubectl config use-context reader@kubernetes
```


---

Notice that the current context changes to reader@kubernetes:


```bash
kubectl config view
```


---

Verify that the user has the right privileges:


```bash
kubectl auth can-i get pods --all-namespaces  # (should be yes)
kubectl auth can-i create pods                # (should be no)
kubectl auth can-i delete pods                # (should be no)
```
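The three `can-i` answers follow directly from the ClusterRole and ClusterRoleBinding you created: a request is allowed only if some binding names the caller as a subject and the referenced role contains a rule whose verbs, API groups and resources all match. The script below is an added example (not lab code) that models that evaluation offline. The two manifests at the top are the declarative equivalents of the `kubectl create clusterrole` and `kubectl create clusterrolebinding` commands from this task, written out as Python dicts; the `RoleBinding` variant, the `dev` namespace and the helper names are constructed for the example. It goes one step beyond the lab by showing what changes when the same ClusterRole is bound with a namespaced RoleBinding instead of a ClusterRoleBinding: the read-only rules then apply in one namespace only, and `--all-namespaces` is denied. The model ignores `resourceNames`, `nonResourceURLs`, aggregated ClusterRoles and Group subjects.

```python
# Declarative equivalent of:
#   kubectl create clusterrole rouser --verb=get --verb=list --verb=watch --resource=pods
ROUSER_CLUSTERROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "rouser"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}],
}

# Declarative equivalent of:
#   kubectl create clusterrolebinding rouser --serviceaccount=default:rouser --clusterrole=rouser
ROUSER_CLUSTERROLEBINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "rouser"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "rouser"},
    "subjects": [{"kind": "ServiceAccount", "name": "rouser", "namespace": "default"}],
}

# Constructed variant: the same ClusterRole bound by a RoleBinding in namespace "dev".
# A RoleBinding can reference a ClusterRole, but the grant is then confined to its namespace.
ROUSER_ROLEBINDING_DEV = {
    "kind": "RoleBinding",
    "metadata": {"name": "rouser", "namespace": "dev"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "rouser"},
    "subjects": [{"kind": "ServiceAccount", "name": "rouser", "namespace": "default"}],
}

# The username the API server derives for a ServiceAccount subject.
SA_USERNAME = "system:serviceaccount:default:rouser"


def subject_matches(subject: dict, username: str) -> bool:
    if subject["kind"] == "ServiceAccount":
        return username == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    if subject["kind"] == "User":
        return username == subject["name"]
    return False  # Group subjects are not modelled here


def rule_allows(rule: dict, verb: str, api_group: str, resource: str) -> bool:
    # "*" in any list is a wildcard; every one of the three lists must match.
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule.get("verbs", []), verb)
            and hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource))


def index_roles(*roles: dict) -> dict:
    # Roles are namespaced, ClusterRoles are not, so key on (kind, namespace, name).
    return {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r for r in roles}


def lookup_role(roles: dict, binding: dict):
    ref = binding["roleRef"]
    if ref["kind"] == "ClusterRole":
        return roles.get(("ClusterRole", None, ref["name"]))
    # A RoleBinding may only reference a Role in its own namespace.
    return roles.get(("Role", binding["metadata"]["namespace"], ref["name"]))


def can_i(username: str, verb: str, resource: str, namespace, roles: dict, bindings: list,
          api_group: str = "") -> bool:
    """Model of `kubectl auth can-i`; namespace=None means --all-namespaces."""
    for binding in bindings:
        if not any(subject_matches(s, username) for s in binding.get("subjects", [])):
            continue
        # A RoleBinding only applies to requests inside its own namespace, which
        # also rejects cluster-wide (namespace=None) requests.
        if binding["kind"] == "RoleBinding" and binding["metadata"]["namespace"] != namespace:
            continue
        role = lookup_role(roles, binding)
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(rule_allows(r, verb, api_group, resource) for r in role["rules"]):
            return True
    return False


def lab_answers() -> dict:
    """The three checks from this task, evaluated against the lab's objects."""
    roles = index_roles(ROUSER_CLUSTERROLE)
    bindings = [ROUSER_CLUSTERROLEBINDING]
    return {
        "get pods --all-namespaces": can_i(SA_USERNAME, "get", "pods", None, roles, bindings),
        "create pods": can_i(SA_USERNAME, "create", "pods", "default", roles, bindings),
        "delete pods": can_i(SA_USERNAME, "delete", "pods", "default", roles, bindings),
    }


def namespaced_binding_answers() -> dict:
    """Same ClusterRole, but bound with the constructed RoleBinding in "dev"."""
    roles = index_roles(ROUSER_CLUSTERROLE)
    bindings = [ROUSER_ROLEBINDING_DEV]
    return {
        "get pods -n dev": can_i(SA_USERNAME, "get", "pods", "dev", roles, bindings),
        "get pods -n default": can_i(SA_USERNAME, "get", "pods", "default", roles, bindings),
        "get pods --all-namespaces": can_i(SA_USERNAME, "get", "pods", None, roles, bindings),
    }


if __name__ == "__main__":
    for label, answers in (("ClusterRoleBinding", lab_answers()),
                           ("RoleBinding in dev", namespaced_binding_answers())):
        print(label)
        for check, allowed in answers.items():
            print(f"  can-i {check}: {'yes' if allowed else 'no'}")
```

On a real cluster you can reproduce the same table without switching contexts by asking the API server to evaluate the service account directly, for example `kubectl auth can-i get pods --all-namespaces --as=system:serviceaccount:default:rouser` from the administrator context; that is a convenient way to review a binding before handing its token to anyone.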


---

Switch back to the default administrator context:


```bash
kubectl config use-context kubernetes-admin@kubernetes
```


---

Check and compare the privileges:


```bash
kubectl auth can-i get pods --all-namespaces
kubectl auth can-i create pods
kubectl auth can-i delete pods
```


---

Delete the objects that you used in this task:


```bash
kubectl delete clusterrolebinding rouser
kubectl delete clusterrole rouser
kubectl delete serviceaccount rouser
```


---
---

End of exercise
