Admin role of the master in k8s cluster

Hi all,

I have some questions about RBAC in a K8s cluster. I have set up one master and 2 worker nodes (w1, w2).

Question 1:
I can execute kubectl in the master VM (SSH login to the master VM) to retrieve all information about the cluster. So I supposed that there should be a role for the master VM as an admin role in the cluster. But I can’t find the role by executing “kubectl get role -A”. Is there any role created for the master VM?

Hi,

I’m new to K8s too, but I’ll try to explain what I understood.

All the default roles/ClusterRoles are created under the kube-system namespace automatically at the time of installation; there are a few clusterroles/bindings related to admin.

BABY@master-1:~$ kubectl get clusterrole -n kube-system | grep admin
admin 2020-07-09T17:40:02Z
cluster-admin 2020-07-09T17:40:02Z

BABY@master-1:~$ kubectl get clusterrolebinding -n kube-system | grep admin
cluster-admin ClusterRole/cluster-admin 10d

BABY@master-1:~$ kubectl describe clusterrole cluster-admin -n kube-system
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]

BABY@master-1:~$ kubectl describe clusterrolebinding cluster-admin -n kube-system
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  system:masters

So while setting up a Kubernetes cluster, we have to define our admin user in the system:masters group by creating a TLS certificate.

Please refer: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md

The Admin Client Certificate
Generate the admin client certificate and private key:

Generate private key for admin user

openssl genrsa -out admin.key 2048

Generate CSR for admin user. Note the OU.

openssl req -new -key admin.key -subj "/CN=admin/O=system:masters" -out admin.csr

Sign certificate for admin user using CA server's private key

openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out admin.crt -days 1000

Note that the admin user is part of the system:masters group. This is how we are able to perform any administrative operations on Kubernetes cluster using kubectl utility.

Experts, please correct me if I’m wrong anywhere. Thanks
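
The mapping described above, as an added example that is not part of the original posts: a simplified model of how a client certificate subject becomes a user and groups (CN is the user, each O is a group) and which ClusterRoleBindings then match that identity. The binding list is constructed sample data in the shape of `kubectl get clusterrolebindings -o json`, the function names are hypothetical, and the subject parser assumes the `/KEY=value` form used with `-subj` above.

```python
import json

# Constructed sample, trimmed to the shape of `kubectl get clusterrolebindings -o json`.
BINDINGS_JSON = """
{"items": [
  {"metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"metadata": {"name": "system:basic-user"},
   "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
  {"metadata": {"name": "dev-view"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "User", "name": "alice"}]}
]}
"""
BINDINGS = json.loads(BINDINGS_JSON)

def identity_from_subject(subject):
    """Map a subject such as "/CN=admin/O=system:masters" to (user, groups).
    CN becomes the user name and every O value becomes a group."""
    user, groups = None, []
    for part in subject.strip().strip("/").split("/"):
        key, _, value = part.partition("=")
        key = key.strip().upper()
        if key == "CN":
            user = value.strip()
        elif key == "O":
            groups.append(value.strip())
    # Every successfully authenticated request also carries this group.
    groups.append("system:authenticated")
    return user, groups

def bound_clusterroles(subject, bindings):
    """Return the sorted ClusterRole names bound to the certificate's identity."""
    user, groups = identity_from_subject(subject)
    roles = set()
    for binding in bindings.get("items", []):
        for subj in binding.get("subjects") or []:
            kind, name = subj.get("kind"), subj.get("name")
            if (kind == "User" and name == user) or (kind == "Group" and name in groups):
                roles.add(binding["roleRef"]["name"])
    return sorted(roles)

if __name__ == "__main__":
    for subj in ("/CN=admin/O=system:masters", "/CN=alice/O=dev"):
        print(subj, "->", bound_clusterroles(subj, BINDINGS))
```

To audit a real cluster, load the output of `kubectl get clusterrolebindings -o json` in place of the sample and pass the subject of each issued client certificate.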

Hi hlngai,
It is the ClusterRole named cluster-admin. You can check it by running kubectl get clusterrole -n kube-system | grep cluster-admin

Hi hlngai,

It also depends on the Kubernetes context set for the namespace, as the roles will be namespaced objects.