I already covered how to test helm charts and different tests you may want to run. Today, I’ll focus on helm charts acceptance tests. If you later find this article useful take a look at the disclaimer for information on how to thank me.
Tag: kubernetes
Get user’s permissions using kubectl
Kubernetes supports RBAC authorization out of the box. In short, every Kubernetes user or service account has permissions to perform certain actions (HTTP verbs) on certain API server resources, e.g. pods. To get user’s permissions using kubectl, run kubectl auth can-i --list:
Resources                                       Non-Resource URLs                     Resource Names              Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                                    []                          [create]
selfsubjectrulesreviews.authorization.k8s.io    []                                    []                          [create]
persistentvolumeclaims                          []                                    []                          [get list watch create delete deletecollection patch update]
pods/exec                                       []                                    []                          [get list watch create delete deletecollection patch update]
pods                                            []                                    []                          [get list watch create delete deletecollection patch update]
events                                          []                                    []                          [get list watch]
pods/log                                        []                                    []                          [get list watch]
configmaps                                      []                                    []                          [get watch list]
                                                [/.well-known/openid-configuration]   []                          [get]
                                                [/api/*]                              []                          [get]
                                                [/api]                                []                          [get]
                                                [/apis/*]                             []                          [get]
                                                [/apis]                               []                          [get]
                                                [/healthz]                            []                          [get]
                                                [/healthz]                            []                          [get]
                                                [/livez]                              []                          [get]
                                                [/livez]                              []                          [get]
                                                [/openapi/*]                          []                          [get]
                                                [/openapi]                            []                          [get]
                                                [/openid/v1/jwks]                     []                          [get]
                                                [/readyz]                             []                          [get]
                                                [/readyz]                             []                          [get]
                                                [/version/]                           []                          [get]
                                                [/version/]                           []                          [get]
                                                [/version]                            []                          [get]
                                                [/version]                            []                          [get]
podsecuritypolicies.policy                      []                                    [global-unrestricted-psp]   [use]
To view another user’s permissions, add the --as=[user-name] flag. For instance: kubectl auth can-i --list --as=jenkins
To see a real-world example, you can follow my tutorial on installing the Jenkins helm chart and then look at the permissions of the Jenkins service account. Such permissions include creating pods on demand for Jenkins jobs. Have a look at this chart’s template to get a taste of how RBAC is configured.
If you are after more granular information on roles or cluster roles per service account, have a look at this great answer on Stack Overflow. It suggests using rbac-tool.
Also note that Kubernetes distinguishes between user and service accounts.
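For reviewing this output across many accounts, here is an added example (not code from this article or from kubectl) that parses the kubectl auth can-i --list table and reports grants worth a second look. The SENSITIVE policy, the function names and the sample rows are assumptions made for illustration.

```python
import re

# Constructed sample rows in the shape printed by `kubectl auth can-i --list`.
SAMPLE = """\
Resources                    Non-Resource URLs   Resource Names              Verbs
pods/exec                    []                  []                          [get list watch create delete deletecollection patch update]
pods                         []                  []                          [get list watch create delete deletecollection patch update]
events                       []                  []                          [get list watch]
                             [/healthz]          []                          [get]
podsecuritypolicies.policy   []                  [global-unrestricted-psp]   [use]
"""

# Illustrative review policy (an assumption, not a Kubernetes default):
# resource -> verbs that should be justified when granted.
SENSITIVE = {
    "pods/exec": {"create"},              # run commands inside existing containers
    "pods": {"create"},                   # schedule new workloads
    "secrets": {"get", "list", "watch"},  # read stored credentials
}

# Optional resource name, then three bracketed lists: URLs, resource names, verbs.
ROW = re.compile(
    r"^(?P<res>[^\[\s]*)\s*\[(?P<urls>[^\]]*)\]\s+\[(?P<names>[^\]]*)\]\s+\[(?P<verbs>[^\]]*)\]$"
)

def parse_rules(text):
    """Turn the table into dicts; the header and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        rules.append({"resource": m["res"], "urls": m["urls"].split(),
                      "names": m["names"].split(), "verbs": set(m["verbs"].split())})
    return rules

def flag_sensitive(rules, policy=SENSITIVE):
    """Return (resource, verbs) pairs that match the policy or use a wildcard."""
    findings = []
    for r in rules:
        wildcard = "*" in r["verbs"] or r["resource"].startswith("*")
        hit = r["verbs"] if wildcard else r["verbs"] & policy.get(r["resource"], set())
        if hit:
            findings.append((r["resource"], sorted(hit)))
    return findings

if __name__ == "__main__":
    import sys
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for resource, verbs in flag_sensitive(parse_rules(text)):
        print(f"review: {resource} {verbs}")
```

Piping real kubectl output into the script's standard input replaces the constructed sample.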
Summary
That’s it about getting user’s permissions using kubectl.
If you found this article useful, take a look at the disclaimer for information on how to thank me.
You may find the articles below useful:
Let’s discover how to monitor Spring Boot apps using Prometheus on Kubernetes clusters. Prometheus and the app will be deployed to different Kubernetes namespaces. So we’ll also see how using ExternalName Kubernetes service enables Prometheus to get metrics of Spring Boot Java app deployed to a different namespace.
Today, I’ll show how to create a Kubernetes cluster on Linode using the CLI. It might be useful, for instance, for CI/CD, automation processes, etc…
Today, I’ll show how to create and use a Kubernetes operator using Ansible. I’ll also explain why to use Kubernetes operators and their relation to Kubernetes CRDs. As always, I’ll show a demo. If you later find this article useful read the disclaimer on ways to thank me.
GitLab Self-Hosted Runners Demo
In this post we’ll see how and why to use GitLab self-hosted runners. As always, I’ll show a practical demo of GitLab self-hosted runner which runs jobs in CI/CD pipelines. If you later find this article useful take a look at the disclaimer for information on how to thank me.
Podman Jenkins Agent
Today, I’ll show a Podman Jenkins agent, assuming Jenkins runs on Kubernetes. We’ll see the Podman agent’s Dockerfile and a CI/CD pipeline using it.
Kubernetes StatefulSets Demo
Today, I’ll demo Kubernetes StatefulSets. We’ll see what StatefulSets are, why to use them and how to create them.
Kubernetes CSI Volumes Demo
Today, I’ll demo CSI volumes in Kubernetes world. We’ll see what CSI volumes are, why to use them and what advantage CSI volumes give over regular Kubernetes volumes. If you later find this article useful read the disclaimer on ways to thank me.
If you are a professional Kubernetes storage administrator you probably performed dynamic provisioning of Kubernetes storage and avoided creating the volumes manually. We’ll see the motivation for dynamic storage provisioning and how using storage classes serves this purpose.