
Lab 10: RBAC & Security

Field           Value
Tier            2 — Kubernetes Core
Estimated Time  45 minutes
Prerequisites   k3s cluster, kubectl
Auto-Grade      Yes

Scenario

Your organization has three teams sharing a Kubernetes cluster: the development team, the operations team, and an external auditor. Currently everyone uses the cluster-admin credentials, which is a compliance violation. The CISO has mandated least-privilege access within two weeks or the cluster gets decommissioned.

You need to create three roles with different permissions. Developers can deploy and manage their own applications within a single namespace but cannot touch cluster-wide resources. Operations can view everything and manage deployments across all namespaces. The auditor has read-only access to everything but cannot create, modify, or delete any resource. Each role needs a ServiceAccount, a Role or ClusterRole, and a RoleBinding or ClusterRoleBinding.

Objectives

  • Create namespace lab-rbac for the development team
  • Create ServiceAccount dev-sa with Role allowing CRUD on pods, deployments, services in lab-rbac
  • Create ServiceAccount ops-sa with ClusterRole allowing get/list/watch on all resources + CRUD on deployments
  • Create ServiceAccount auditor-sa with ClusterRole allowing only get/list/watch on all resources
  • Verify dev-sa CAN create a deployment in lab-rbac
  • Verify dev-sa CANNOT list pods in kube-system
  • Verify auditor-sa CAN list pods but CANNOT delete them

Setup

./setup.sh

Creates namespace lab-rbac with ServiceAccounts but no roles or bindings.

Hints

Hint 1: Creating a Role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-role
  namespace: lab-rbac
rules:
- apiGroups: ["", "apps"]
  resources: ["pods", "deployments", "services"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]

Hint 2: RoleBinding vs ClusterRoleBinding

Use `RoleBinding` for namespace-scoped access, `ClusterRoleBinding` for cluster-wide access. The auditor needs a `ClusterRoleBinding` to see all namespaces.

Hint 3: Testing with --as

Use `kubectl auth can-i` to test:

kubectl auth can-i create deployments --as=system:serviceaccount:lab-rbac:dev-sa -n lab-rbac
kubectl auth can-i list pods --as=system:serviceaccount:lab-rbac:dev-sa -n kube-system

Hint 4: Read-only ClusterRole

rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]

Hint 5: Binding a ServiceAccount

subjects:
- kind: ServiceAccount
  name: dev-sa
  namespace: lab-rbac
roleRef:
  kind: Role
  name: dev-role
  apiGroup: rbac.authorization.k8s.io
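
The lab's verification steps, run offline against a miniature model of how the API server evaluates RBAC (an added example, not the lab's own code or grader): it shows why a RoleBinding to dev-role stops at the lab-rbac namespace boundary while the auditor's ClusterRoleBinding reaches every namespace, and why read-only verbs never imply delete. The auditor ClusterRole name and both binding names are assumptions; the model covers only Role/ClusterRole rules bound by RoleBinding/ClusterRoleBinding, not resourceNames, subresources, nonResourceURLs, or a ClusterRole referenced from a RoleBinding.

```python
# Added example: a simplified RBAC evaluator over manifests shaped like the hints.
# Manifests are embedded as dicts (constructed for illustration) so this runs offline.
def sa(namespace, name):
    """A ServiceAccount subject as it appears in a binding's `subjects` list."""
    return {"kind": "ServiceAccount", "name": name, "namespace": namespace}

# Role rules are keyed by (kind, namespace, name); a ClusterRole has no namespace.
ROLES = {
    ("Role", "lab-rbac", "dev-role"): [
        {"apiGroups": ["", "apps"], "resources": ["pods", "deployments", "services"],
         "verbs": ["get", "list", "watch", "create", "update", "delete"]}],
    ("ClusterRole", None, "auditor-role"): [          # name assumed, as in Hint 4
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]}],
}
BINDINGS = [  # a RoleBinding lives in one namespace; a ClusterRoleBinding has none
    {"kind": "RoleBinding", "namespace": "lab-rbac",
     "roleRef": ("Role", "lab-rbac", "dev-role"), "subjects": [sa("lab-rbac", "dev-sa")]},
    {"kind": "ClusterRoleBinding", "namespace": None,
     "roleRef": ("ClusterRole", None, "auditor-role"), "subjects": [sa("lab-rbac", "auditor-sa")]},
]

def rule_allows(rule, verb, group, resource):
    """A rule matches only when verb, apiGroup and resource are each listed or wildcarded."""
    def match(wanted, allowed):
        return "*" in allowed or wanted in allowed
    return (match(verb, rule["verbs"]) and match(group, rule["apiGroups"])
            and match(resource, rule["resources"]))

def can_i(subject, verb, resource, namespace, group=""):
    """RBAC is deny-by-default and purely additive: the first matching grant wins, nothing denies."""
    for binding in BINDINGS:
        if subject not in binding["subjects"]:
            continue
        # A RoleBinding grants only inside its own namespace; a ClusterRoleBinding grants everywhere.
        if binding["kind"] == "RoleBinding" and binding["namespace"] != namespace:
            continue
        if any(rule_allows(r, verb, group, resource) for r in ROLES[binding["roleRef"]]):
            return True
    return False

DEV, AUDITOR = sa("lab-rbac", "dev-sa"), sa("lab-rbac", "auditor-sa")
CHECKS = [  # (subject, verb, resource, namespace, apiGroup, expected): the lab's objectives
    (DEV, "create", "deployments", "lab-rbac", "apps", True),
    (DEV, "list", "pods", "kube-system", "", False),
    (AUDITOR, "list", "pods", "kube-system", "", True),
    (AUDITOR, "delete", "pods", "lab-rbac", "", False),
]

def run_checks():
    """Return the checks whose outcome differs from the objective; empty means the policy is right."""
    return [c for c in CHECKS if can_i(*c[:5]) != c[5]]

if __name__ == "__main__":
    for subject, verb, resource, namespace, group, expected in CHECKS:
        got = can_i(subject, verb, resource, namespace, group)
        print(f"{subject['name']} {verb} {resource} in {namespace}: {got} (expected {expected})")
```

Against a live cluster the same table maps directly onto `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<ns>:<sa> -n <namespace>`, so the `CHECKS` rows double as the list of commands to run after applying the manifests.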

Grading

./grade.sh

Solution

See the solution/ directory for RBAC manifests.