Admin role of the master in k8s cluster

Hi all,

I got some question for RBAC in K8s cluster. I have setup one master, and 2 worker nodes(w1,w2).

Question 1:
I can execute the kubectl in master VM (SSH login to the master VM)to retrieve all information of the cluster. So I supposed that there should be a role for the master VM as a admin role in cluster. But I can’t find the role by executing “kubectl get role -A”. Does there any role is created for the master VM?


Me too new to K8s but I’ll try to explain what I understood

All the defaults roles/Clusterroles are created under kube-system namespace automatically at the time of installation, there are few clusterroles/bindings related to admin.

BABY@master-1:~$ kubectl get clusterrole -n kube-system | grep admin
admin 2020-07-09T17:40:02Z
cluster-admin 2020-07-09T17:40:02Z

BABY@master-1:~$ kubectl get clusterrolebinding -n kube-system | grep admin
cluster-admin ClusterRole/cluster-admin 10d

BABY@master-1:~$ kubectl describe clusterrole cluster-admin -n kube-system
Name: cluster-admin
Annotations: true
Resources Non-Resource URLs Resource Names Verbs

. [] [] []
] [] [*]

BABY@master-1:~$ kubectl describe clusterrolebinding cluster-admin -n kube-system
Name: cluster-admin
Annotations: true
Kind: ClusterRole
Name: cluster-admin
Kind Name Namespace

Group system:masters

So while setting up kubernetes cluster we have to define our admin user in system:masters group by creating TLS certificate

Please refer:

The Admin Client Certificate
Generate the admin client certificate and private key:

Generate private key for admin user

openssl genrsa -out admin.key 2048

Generate CSR for admin user. Note the OU.

openssl req -new -key admin.key -subj “/CN=admin/O=system:masters” -out admin.csr

Sign certificate for admin user using CA servers private key

openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out admin.crt -days 1000

Note that the admin user is part of the system:masters group. This is how we are able to perform any administrative operations on Kubernetes cluster using kubectl utility.

Experts please correct me if i’m wrong anywhere. Thanks

Hi hlngai,
It is clusterrole named cluster-admin, You can check it by hit kubectl get clusterrole -n kube-system | grep cluster-admin

Hi hlngai,

It also depends on the kubernetes context set for the namespace. As the roles will be namespaced objects.