Day 27 Project: RBAC and Network Policies in Minikube
Arbythecoder
Posted on September 10, 2024
This guide walks you through implementing Role-Based Access Control (RBAC) and Network Policies in a Minikube Kubernetes cluster. We'll cover setup, configuration, testing, and troubleshooting specifically tailored for a Minikube environment.
Prerequisites
- Minikube: Ensure you have Minikube installed and running. If not, download and install it from the official website: https://minikube.sigs.k8s.io/
- kubectl: You'll need the Kubernetes command-line tool, kubectl, installed and configured to interact with your Minikube cluster.
Project Setup
- Start Minikube:
minikube start
This command will start your Minikube cluster if it's not already running.
- Verify Minikube Status:
minikube status
You should see output indicating that Minikube is running and your cluster is ready.
Project Structure
We'll use the same project structure as before:
/day27-rbac-network-policies
├── rbac
│ ├── role.yaml
│ ├── rolebinding.yaml
│ └── serviceaccount.yaml
└── network-policies
└── frontend-to-backend.yaml
RBAC Implementation
Path: /day27-rbac-network-policies/rbac/
1. serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-user
  namespace: default
2. role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
3. rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: ServiceAccount
  name: dev-user
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
Because this is a Role (not a ClusterRole) bound by a RoleBinding, the grant is confined to the default namespace: dev-user can read pods there and nothing else, nowhere else. Any verb or resource the Role does not list (delete, secrets, pods in kube-system) stays denied.
Network Policies Implementation
Path: /day27-rbac-network-policies/network-policies/
frontend-to-backend.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-to-backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
This policy isolates every pod labelled role: backend for ingress and admits only traffic from pods labelled role: frontend in the same namespace (a podSelector without a namespaceSelector never matches pods in other namespaces). Pods that no policy selects, including the frontend pods themselves, remain reachable from anywhere; a separate default-deny policy is needed if you want them isolated too.
Applying RBAC and Network Policy
- Apply RBAC Configuration:
kubectl apply -f /day27-rbac-network-policies/rbac/
- Apply Network Policy:
kubectl apply -f /day27-rbac-network-policies/network-policies/frontend-to-backend.yaml
Testing RBAC and Network Policy
- Deploy Sample Frontend and Backend Pods:
- Create simple deployments for frontend and backend pods (you can find example deployments in the Kubernetes documentation).
- Make sure to label your pods with role: frontend and role: backend respectively. The network policy matches on these labels, so an unlabelled or mislabelled pod is simply not covered by it.
- Test RBAC:
kubectl auth can-i get pods --as=system:serviceaccount:default:dev-user
This should print yes. Also check something the Role does not grant (for example the delete verb, or pods in another namespace) and confirm the answer is no; a binding that only passes its positive test has not been verified.
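The single can-i call above only proves the happy path. The script below is an added example (not part of the original post) that checks the pod-reader grant from both sides: the verbs it should allow and the verbs, resources and namespaces it must deny. It assumes the ServiceAccount, Role and RoleBinding shown earlier are applied in the default namespace; the KUBECTL and SUBJECT variables, the function names and the check matrix are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): verify the pod-reader Role with
# both positive and negative checks. Assumes the ServiceAccount, Role and
# RoleBinding from the post are applied in the default namespace; the variable
# names and the check matrix are this example's own choices.
KUBECTL=${KUBECTL:-kubectl}
SUBJECT=${SUBJECT:-system:serviceaccount:default:dev-user}

# expect_can_i EXPECTED VERB RESOURCE NAMESPACE
# `kubectl auth can-i` prints yes/no and exits 1 on "no", so the exit status is
# swallowed and only the printed answer is compared against EXPECTED.
expect_can_i() {
  expected=$1; verb=$2; resource=$3; ns=$4
  actual=$("$KUBECTL" auth can-i "$verb" "$resource" -n "$ns" --as="$SUBJECT" 2>/dev/null || true)
  if [ "$actual" = "$expected" ]; then
    printf 'PASS  %-6s %-8s in %-12s -> %s\n' "$verb" "$resource" "$ns" "$actual"
    return 0
  fi
  printf 'FAIL  %-6s %-8s in %-12s -> expected %s, got "%s"\n' "$verb" "$resource" "$ns" "$expected" "$actual"
  return 1
}

# Returns the number of failed checks; 0 means the Role grants exactly what was intended.
run_checks() {
  failures=0
  # What pod-reader grants
  for verb in get list watch; do
    expect_can_i yes "$verb" pods default || failures=$((failures + 1))
  done
  # Verbs the Role does not list
  for verb in create delete patch; do
    expect_can_i no "$verb" pods default || failures=$((failures + 1))
  done
  # Resources the Role does not list: a reader of pods must not read secrets
  expect_can_i no get secrets default || failures=$((failures + 1))
  # A Role is namespaced: the RoleBinding grants nothing in other namespaces
  expect_can_i no get pods kube-system || failures=$((failures + 1))
  return "$failures"
}

# Run against the cluster only when invoked as: sh rbac_check.sh run
if [ "${1:-}" = run ]; then
  if run_checks; then echo "all RBAC checks passed"; else echo "some RBAC checks FAILED"; exit 1; fi
fi
```

Run it with `sh rbac_check.sh run` against the Minikube context. For a fuller picture of what the account can do, `kubectl auth can-i --list --as=system:serviceaccount:default:dev-user` prints every permitted verb/resource pair; anything beyond pods get/list/watch there means another binding is in play.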
- Test Network Policy:
- Access the backend pod from the frontend pod (e.g., using curl or wget if you have those tools installed in your pods). This should be successful.
- Try to access the backend pod from a pod that does not carry the role: frontend label (e.g., a throwaway busybox pod). This should be blocked by the network policy. Denied traffic is dropped rather than refused, so the request hangs until it times out; give the client a short timeout so the result is visible quickly. Probing from your local machine is not a meaningful test in Minikube, since pod IPs are generally not reachable from the host regardless of policy.
- NetworkPolicy objects are enforced by the cluster's CNI plugin, not by Kubernetes itself. Minikube's default CNI does not enforce them, so if the second test unexpectedly succeeds, recreate the cluster with a policy-aware CNI (for example minikube start --cni=calico) and repeat the test.
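The following script is an added example (not part of the original post) that turns the two manual probes above into a repeatable check, and adds a default-deny ingress policy so that the frontend pod is isolated as well. It assumes Minikube was started with a policy-enforcing CNI (such as minikube start --cni=calico) and that the post's frontend-to-backend policy is already applied; the pod names (backend, frontend, stranger), the images, the default-deny-ingress policy and port 8080 are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): prove the frontend-to-backend
# policy with one allowed and two denied probes. Assumes Minikube was started
# with a policy-enforcing CNI (minikube start --cni=calico) and that the post's
# frontend-to-backend policy is applied; the pod names, images, the
# default-deny policy and port 8080 are this example's own choices.
KUBECTL=${KUBECTL:-kubectl}
NS=${NS:-default}

# The post's policy only isolates pods labelled role=backend; every other pod
# still accepts traffic from anywhere. This policy selects all pods and allows
# no ingress, so only what another policy explicitly permits gets through.
apply_default_deny() {
  "$KUBECTL" apply -n "$NS" -f - <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
EOF
}

# backend: nginx on :80; frontend: busybox httpd on :8080; stranger: no role label at all
create_pods() {
  "$KUBECTL" run backend  -n "$NS" --image=nginx:alpine --labels=role=backend
  "$KUBECTL" run frontend -n "$NS" --image=busybox:1.36 --labels=role=frontend -- \
    sh -c 'mkdir -p /tmp/www && echo ok > /tmp/www/index.html && exec httpd -f -p 8080 -h /tmp/www'
  "$KUBECTL" run stranger -n "$NS" --image=busybox:1.36 -- sleep 3600
  "$KUBECTL" wait -n "$NS" --for=condition=Ready pod/backend pod/frontend pod/stranger --timeout=120s
}

# expect_reach EXPECTED FROM TO PORT, EXPECTED being "allowed" or "blocked".
# Denied packets are typically dropped silently, so a blocked probe only ends
# when it times out: wget -T plus a timeout wrapper keep that to a few seconds.
expect_reach() {
  expected=$1; from=$2; to=$3; port=$4
  ip=$("$KUBECTL" get pod "$to" -n "$NS" -o jsonpath='{.status.podIP}')
  if "$KUBECTL" exec -n "$NS" "$from" -- timeout 5 wget -qO- -T 3 "http://$ip:$port/" >/dev/null 2>&1; then
    actual=allowed
  else
    actual=blocked
  fi
  if [ "$actual" = "$expected" ]; then
    printf 'PASS  %s -> %s:%s is %s\n' "$from" "$to" "$port" "$actual"
    return 0
  fi
  printf 'FAIL  %s -> %s:%s expected %s, got %s\n' "$from" "$to" "$port" "$expected" "$actual"
  return 1
}

# Returns the number of failed probes; 0 means both policies behave as intended.
run_probes() {
  failures=0
  # permitted by frontend-to-backend
  expect_reach allowed frontend backend 80 || failures=$((failures + 1))
  # backend is isolated and stranger is not role=frontend
  expect_reach blocked stranger backend 80 || failures=$((failures + 1))
  # nothing selects frontend except default-deny-ingress; without it this is allowed
  expect_reach blocked stranger frontend 8080 || failures=$((failures + 1))
  return "$failures"
}

# Run against the cluster only when invoked as: sh netpol_check.sh run
if [ "${1:-}" = run ]; then
  apply_default_deny
  create_pods
  if run_probes; then echo "all network policy probes passed"; else echo "some probes FAILED"; exit 1; fi
fi
```

If the two "blocked" probes come back allowed while the frontend probe passes, the policy objects exist but nothing is enforcing them, which on Minikube almost always means the cluster is running the default CNI. The third probe is the one that distinguishes the post's policy from the added default-deny: remove default-deny-ingress and it flips to allowed.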
Resource Cleanup
# RBAC Cleanup
kubectl delete role pod-reader -n default
kubectl delete rolebinding read-pods -n default
kubectl delete serviceaccount dev-user -n default
# Network Policy Cleanup
kubectl delete networkpolicy frontend-to-backend -n default
# Pod Cleanup (replace with your pod names)
kubectl delete pod <frontend-pod-name> -n default
kubectl delete pod <backend-pod-name> -n default
# Stop Minikube (optional)
minikube stop
Troubleshooting in Minikube
- Minikube Status: Check the status using minikube status.
- Context Issues: Ensure you're using the Minikube context:
kubectl config use-context minikube
- Network Add-ons: NetworkPolicy is enforced by the CNI plugin, not by the Kubernetes API server, and Minikube's default CNI does not enforce it. If policies are accepted but have no effect, start the cluster with a policy-aware CNI (e.g., minikube start --cni=calico) and reapply them.
- Minikube Dashboard: Use minikube dashboard for a visual overview of your cluster resources.
Additional Resources