Day 27 Project: RBAC and Network Policies in Minikube

arbythecoder

Arbythecoder

Posted on September 10, 2024

Day 27 Project: RBAC and Network Policies in Minikube

This guide walks you through implementing Role-Based Access Control (RBAC) and Network Policies in a Minikube Kubernetes cluster. We'll cover setup, configuration, testing, and troubleshooting specifically tailored for a Minikube environment.

Prerequisites

  • Minikube: Ensure you have Minikube installed and running. If not, download and install it from the official website: https://minikube.sigs.k8s.io/
  • kubectl: You'll need the Kubernetes command-line tool, kubectl, installed and configured to interact with your Minikube cluster.

Project Setup

  1. Start Minikube:
   minikube start
Enter fullscreen mode Exit fullscreen mode

This command will start your Minikube cluster if it's not already running.

  1. Verify Minikube Status:
   minikube status
Enter fullscreen mode Exit fullscreen mode

You should see output indicating that Minikube is running and your cluster is ready.

Project Structure

We'll use the same project structure as before:

/day27-rbac-network-policies
    ├── rbac
    │   ├── role.yaml
    │   ├── rolebinding.yaml
    │   └── serviceaccount.yaml
    └── network-policies
        └── frontend-to-backend.yaml
Enter fullscreen mode Exit fullscreen mode

RBAC Implementation

Path: /day27-rbac-network-policies/rbac/

1. serviceaccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-user
  namespace: default
Enter fullscreen mode Exit fullscreen mode

2. role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] 
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
Enter fullscreen mode Exit fullscreen mode

3. rolebinding.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: ServiceAccount
  name: dev-user 
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
Enter fullscreen mode Exit fullscreen mode

Network Policies Implementation

Path: /day27-rbac-network-policies/network-policies/

frontend-to-backend.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-to-backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: backend
  policyTypes:
  - Ingress 
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend 
Enter fullscreen mode Exit fullscreen mode

Applying RBAC and Network Policy

  1. Apply RBAC Configuration:
   kubectl apply -f /day27-rbac-network-policies/rbac/
Enter fullscreen mode Exit fullscreen mode
  1. Apply Network Policy:
   kubectl apply -f /day27-rbac-network-policies/network-policies/frontend-to-backend.yaml
Enter fullscreen mode Exit fullscreen mode

Testing RBAC and Network Policy

  1. Deploy Sample Frontend and Backend Pods:

    • Create simple deployments for frontend and backend pods (you can find example deployments in the Kubernetes documentation).
    • Make sure to label your pods with role: frontend and role: backend respectively.
  2. Test RBAC:

   kubectl auth can-i get pods --as=system:serviceaccount:default:dev-user
Enter fullscreen mode Exit fullscreen mode
  1. Test Network Policy:
    • Access the backend pod from the frontend pod (e.g., using curl or wget if you have those tools installed in your pods). This should be successful.
    • Try to access the backend pod from outside the cluster (e.g., from your local machine). This should be blocked by the network policy.

Resource Cleanup

# RBAC Cleanup
kubectl delete role pod-reader -n default
kubectl delete rolebinding read-pods -n default
kubectl delete serviceaccount dev-user -n default

# Network Policy Cleanup
kubectl delete networkpolicy frontend-to-backend -n default

# Pod Cleanup (replace with your pod names)
kubectl delete pod <frontend-pod-name> -n default
kubectl delete pod <backend-pod-name> -n default

# Stop Minikube (optional)
minikube stop
Enter fullscreen mode Exit fullscreen mode

Troubleshooting in Minikube

  • Minikube Status: Check the status using minikube status.
  • Context Issues: Ensure you’re using the Minikube context:
  kubectl config use-context minikube
Enter fullscreen mode Exit fullscreen mode
  • Network Add-ons: Verify that Minikube’s network add-on is enabled.
  • Minikube Dashboard: Use minikube dashboard for a visual overview of your cluster resources.

Additional Resources

💖 💪 🙅 🚩
arbythecoder
Arbythecoder

Posted on September 10, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related