Security mit RBAC

openssl genrsa -out chris.key 2048
openssl req -new -key chris.key -out chris.csr -subj "/CN=chris/O=developers"

vim developer-csr.yaml   # CSR-Inhalt und Name eintragen
kubectl apply -f developer-csr.yaml
kubectl get csr
kubectl certificate approve [csr-name]
kubectl get csr
kubectl get csr chris -o jsonpath='{.status}' | jq
kubectl get csr [csr-name] -o jsonpath='{.status.certificate}' | base64 -d > chris.crt
openssl x509 -noout -text -in chris.crt

kubectl config get-contexts
kubectl config get-clusters
kubectl config get-users
kubectl config set-credentials chris --client-certificate=chris.crt --client-key=chris.key
kubectl config set-context developer --cluster=default --user=chris
kubectl config use-context developer

kubectl get nodes    # verboten
kubectl get pods     # verboten
kubectl get secrets  # verboten

kubectl config use-context default

kubectl apply -f developer-role.yaml
kubectl describe roles developer

vim developer-rolebinding.yaml   # Entwickler eintragen
kubectl apply -f developer-rolebinding.yaml
kubectl describe rolebindings developer

kubectl config use-context developer
kubectl get pods     # erlaubt
kubectl get secrets  # verboten
kubectl exec pod/postgres-0 -- env | grep POSTGRES_PASSWORD   # verboten

kubectl config use-context default
kubectl exec pod/postgres-0 -- env | grep POSTGRES_PASSWORD   # erlaubt

kubectl get roles
kubectl get rolebindings
kubectl get clusterroles
kubectl get clusterrolebindings