This guide walks you through implementing Role-Based Access Control (RBAC) and Network Policies in a Minikube Kubernetes cluster. We'll cover setup, configuration, testing, and troubleshooting specifically tailored for a Minikube environment.
Prerequisites
Minikube: Ensure you have Minikube installed and running. If not, download and install it from the official website: https://minikube.sigs.k8s.io/
kubectl: You'll need the Kubernetes command-line tool, kubectl, installed and configured to interact with your Minikube cluster.
Project Setup
- Start Minikube:
minikube start
This command will start your Minikube cluster if it's not already running.
- Verify Minikube Status:
minikube status
You should see output indicating that Minikube is running and your cluster is ready.
Project Structure
We'll use the same project structure as before:
/day27-rbac-network-policies
├── rbac
│   ├── role.yaml
│   ├── rolebinding.yaml
│   └── serviceaccount.yaml
└── network-policies
    └── frontend-to-backend.yaml
RBAC Implementation
Path: /day27-rbac-network-policies/rbac/
1. serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-user
  namespace: default
2. role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
3. rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
  - kind: ServiceAccount
    name: dev-user
    namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
Network Policies Implementation
Path: /day27-rbac-network-policies/network-policies/
frontend-to-backend.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-to-backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              role: frontend
Applying RBAC and Network Policy
- Apply RBAC Configuration:
kubectl apply -f /day27-rbac-network-policies/rbac/
- Apply Network Policy:
kubectl apply -f /day27-rbac-network-policies/network-policies/frontend-to-backend.yaml
Testing RBAC and Network Policy
Deploy Sample Frontend and Backend Pods:
Create simple deployments for frontend and backend pods (you can find example deployments in the Kubernetes documentation).
Make sure to label your pods with role: frontend and role: backend respectively.
Test RBAC:
kubectl auth can-i get pods --as=system:serviceaccount:default:dev-user
Test Network Policy:
Access the backend pod from the frontend pod (e.g., using curl or wget if you have those tools installed in your pods). This should be successful.
Try to access the backend pod from outside the cluster (e.g., from your local machine). This should be blocked by the network policy.
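Before running the two tests above against the cluster, it helps to be clear about what each one should return. The following added example (not part of the original guide) models both checks offline: a small evaluator for `kubectl auth can-i` over the Role and RoleBinding above, and a pod-to-pod reachability check over the NetworkPolicy above. The manifests are embedded as Python dicts with the same content as the YAML files; the pods are constructed samples.

```python
# Manifests from the guide, as dicts (same content as the YAML files above).
ROLE = {"metadata": {"namespace": "default", "name": "pod-reader"},
        "rules": [{"apiGroups": [""], "resources": ["pods"],
                   "verbs": ["get", "list", "watch"]}]}
BINDING = {"metadata": {"namespace": "default", "name": "read-pods"},
           "subjects": [{"kind": "ServiceAccount", "name": "dev-user", "namespace": "default"}],
           "roleRef": {"kind": "Role", "name": "pod-reader"}}
POLICY = {"metadata": {"namespace": "default", "name": "frontend-to-backend"},
          "spec": {"podSelector": {"matchLabels": {"role": "backend"}},
                   "policyTypes": ["Ingress"],
                   "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "frontend"}}}]}]}}


def can_i(roles, bindings, subject, verb, resource, namespace, api_group=""):
    """Mimic `kubectl auth can-i` for a subject of the form
    system:serviceaccount:<ns>:<name>. Roles and RoleBindings are
    namespace-scoped, so nothing here grants access outside 'default'."""
    _, _, sa_ns, sa_name = subject.split(":")
    for b in bindings:
        if b["metadata"]["namespace"] != namespace:
            continue
        if not any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                   and s.get("namespace", namespace) == sa_ns for s in b["subjects"]):
            continue
        role = next(r for r in roles if r["metadata"]["name"] == b["roleRef"]["name"]
                    and r["metadata"]["namespace"] == namespace)
        for rule in role["rules"]:
            if ((api_group in rule["apiGroups"] or "*" in rule["apiGroups"])
                    and (resource in rule["resources"] or "*" in rule["resources"])
                    and (verb in rule["verbs"] or "*" in rule["verbs"])):
                return True
    return False


def matches(selector, labels):
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policies, src, dst):
    """Pods selected by no Ingress policy accept traffic from anyone. Once a
    pod is selected, only peers listed in some rule's `from` are admitted;
    a bare podSelector peer matches pods in the policy's own namespace."""
    selecting = [p for p in policies if p["metadata"]["namespace"] == dst["ns"]
                 and "Ingress" in p["spec"]["policyTypes"]
                 and matches(p["spec"]["podSelector"], dst["labels"])]
    if not selecting:
        return True  # unrestricted: no policy selects the destination
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            if "from" not in rule:
                return True  # a rule with no `from` allows all sources
            for peer in rule["from"]:
                if ("podSelector" in peer and src["ns"] == p["metadata"]["namespace"]
                        and matches(peer["podSelector"], src["labels"])):
                    return True
    return False
```

A source pod in the same namespace that carries neither label is the cleanest negative test: it is denied by the policy, while the frontend pod itself (selected by no policy) still accepts traffic from anyone.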
Resource Cleanup
# RBAC Cleanup
kubectl delete role pod-reader -n default
kubectl delete rolebinding read-pods -n default
kubectl delete serviceaccount dev-user -n default
# Network Policy Cleanup
kubectl delete networkpolicy frontend-to-backend -n default
# Pod Cleanup (replace with your pod names)
kubectl delete pod <frontend-pod-name> -n default
kubectl delete pod <backend-pod-name> -n default
# Stop Minikube (optional)
minikube stop
Troubleshooting in Minikube
Minikube Status: Check the status using minikube status.
Context Issues: Ensure you're using the Minikube context:
kubectl config use-context minikube
Network Add-ons: Verify that Minikube is running a CNI add-on that actually enforces NetworkPolicy objects (for example, start the cluster with minikube start --cni=calico). With the default CNI the policy is accepted by the API server but never enforced, so the frontend-to-backend test will not block anything.
Minikube Dashboard: Use minikube dashboard for a visual overview of your cluster resources.