As mentioned earlier, we have our new user rbac-user, but it's not yet bound to any roles. In order to do that, we'll need to switch back to our default admin user.
Run the following to unset the environment variables that define us as rbac-user:
unset AWS_SECRET_ACCESS_KEY
unset AWS_ACCESS_KEY_ID
To verify we’re the admin user again, and no longer rbac-user, issue the following command:
aws sts get-caller-identity
The output should show the user is no longer rbac-user:
Now that we’re the admin user again, we’ll create a role called pod-reader that provides list, get, and watch access for pods and deployments, but only for the rbac-test namespace. Run the following to create this role:
cat << EoF > rbacuser-role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: rbac-test
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["list","get","watch"]
- apiGroups: ["extensions","apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
EoF
We have the user, we have the role, and now we'll bind them together with a RoleBinding resource. Run the following to create this RoleBinding:
cat << EoF > rbacuser-role-binding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: rbac-test
subjects:
- kind: User
  name: rbac-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EoF
Next, we apply the Role and RoleBinding we created:
kubectl apply -f rbacuser-role.yaml
kubectl apply -f rbacuser-role-binding.yaml
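To make the effect of the Role and RoleBinding above concrete before testing it on the cluster, here is an added example (not part of the workshop and not the API server's real code) that models how namespaced RBAC evaluates a request against exactly these two objects: a binding grants only in its own namespace and only to its listed subjects, a referenced Role must exist in that namespace, and a request is allowed only if some rule matches the verb, API group and resource. There are no deny rules in RBAC, so anything unmatched is denied. The two manifests are embedded as Python dicts; the model deliberately ignores ClusterRoles, resourceNames and non-resource URLs.

```python
"""Offline model of Kubernetes namespaced RBAC evaluation for the
pod-reader Role and read-pods RoleBinding. Added example, not the
workshop's code and not kube-apiserver: it covers Role/RoleBinding for
resource requests only (no ClusterRoles, resourceNames or non-resource URLs)."""

# rbacuser-role.yaml from the page, expressed as a dict
POD_READER_ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "rbac-test", "name": "pod-reader"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["list", "get", "watch"]},
        {"apiGroups": ["extensions", "apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# rbacuser-role-binding.yaml from the page, expressed as a dict
READ_PODS_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "read-pods", "namespace": "rbac-test"},
    "subjects": [{"kind": "User", "name": "rbac-user",
                  "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "pod-reader",
                "apiGroup": "rbac.authorization.k8s.io"},
}


def _matches(allowed, value):
    # "*" is the RBAC wildcard for apiGroups, resources and verbs.
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource):
    """A single PolicyRule matches only if group, resource AND verb all match."""
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def binding_applies(binding, user, namespace):
    """A RoleBinding grants nothing outside its own namespace or to unlisted users."""
    if binding["metadata"]["namespace"] != namespace:
        return False
    return any(s["kind"] == "User" and s["name"] == user
               for s in binding["subjects"])


def can_i(user, verb, resource, namespace, api_group="", roles=None, bindings=None):
    """Return True if some binding in `namespace` names `user` and the Role it
    references has a rule matching the request. RBAC is purely additive:
    no rule matches means denied."""
    roles = roles if roles is not None else [POD_READER_ROLE]
    bindings = bindings if bindings is not None else [READ_PODS_BINDING]
    by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        if not binding_applies(b, user, namespace):
            continue
        ref = b["roleRef"]
        if ref["kind"] != "Role":
            continue  # ClusterRole references are outside this model
        role = by_key.get((namespace, ref["name"]))  # a Role must live in the binding's namespace
        if role is None:
            continue  # dangling roleRef grants nothing
        if any(rule_allows(rule, verb, api_group, resource) for rule in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("rbac-user", "list", "pods", "rbac-test", ""),
        ("rbac-user", "get", "deployments", "rbac-test", "apps"),
        ("rbac-user", "delete", "pods", "rbac-test", ""),
        ("rbac-user", "list", "pods", "default", ""),
        ("rbac-user", "get", "secrets", "rbac-test", ""),
        ("someone-else", "list", "pods", "rbac-test", ""),
    ]
    for user, verb, resource, ns, group in checks:
        verdict = "yes" if can_i(user, verb, resource, ns, group) else "no"
        print(f"{user} {verb} {group or 'core'}/{resource} in {ns}: {verdict}")
```

The same questions can be put to the live cluster as the admin user with `kubectl auth can-i list pods -n rbac-test --as rbac-user` (expected `yes`) and `kubectl auth can-i list pods -n default --as rbac-user` (expected `no`), which is a quick way to confirm the binding is scoped to rbac-test and grants only read verbs before handing the credentials over.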