diff --git a/.infrastructure/security/rbac.yml b/.infrastructure/security/rbac.yml
new file mode 100644
index 0000000..94f12d2
--- /dev/null
+++ b/.infrastructure/security/rbac.yml
@@ -0,0 +1,30 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: secrets-reader
+ namespace: todoapp
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: secrets-reader-role
+ namespace: todoapp
+rules:
+- apiGroups: [""]
+ resources: ["pods", "secrets"]
+ verbs: ["list", "get"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: secret-reader-binding
+ namespace: todoapp
+subjects:
+- kind: ServiceAccount
+ name: secrets-reader
+roleRef:
+ kind: Role
+ name: secrets-reader-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/INSTRUCTION.MD b/INSTRUCTION.MD
new file mode 100644
index 0000000..d438a20
--- /dev/null
+++ b/INSTRUCTION.MD
@@ -0,0 +1,34 @@
+# RBAC for TodoApp
+
+## 1. Create a Kubernetes cluster:
+```bash
+kubectl create cluster --config cluster.yml
+```
+
+## 2. Deploy the application and additional resources:
+```bash
+./bootstrap.sh
+```
+
+## 3. Wait for 1-2 minutes for all pods to initialize. Once ready, verify the pod statuses:
+```bash
+kubectl get pods -n todoapp
+```
+
+## 4. Connect to a pod:
+```bash
+kubectl exec -it -n todoapp -- sh
+```
+
+## 5. Set Up and Execute the cURL Command:
+```bash
+SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
+APISERVER=https://kubernetes.default.svc
+TOKEN=$(cat ${SERVICEACCOUNT}/token)
+CACERT=${SERVICEACCOUNT}/ca.crt
+
+curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/todoapp/secrets
+```
+
+## 6. Verify the Output.
+The response should include the details of the secrets in the todoapp namespace.
diff --git a/bootstrap.sh b/bootstrap.sh
index 2d534d7..9840a01 100644
--- a/bootstrap.sh
+++ b/bootstrap.sh
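Review bot: The RoleBinding's ServiceAccount subject carries no `namespace`, and RBAC validation requires one for ServiceAccount subjects, so `kubectl apply` rejects the third document and the binding is never created; add `  namespace: todoapp` under `name: secrets-reader` in `subjects`. The Role also grants `get`/`list` on `pods` although the accompanying instructions only read secrets, and `list` on `secrets` returns the full data of every secret in the namespace; trimming to `resources: ["secrets"]` (plus `resourceNames` when the workload needs only a specific secret) keeps the grant at least privilege. The binding name `secret-reader-binding` diverges from the `secrets-reader` naming used for the account and role. Nested keys in this hunk appear indented by a single space in this view, so confirm the file's indentation is consistent before merging.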
@@ -15,6 +15,8 @@
 kubectl apply -f .infrastructure/app/nodeport.yml
 kubectl apply -f .infrastructure/app/hpa.yml
 kubectl apply -f .infrastructure/app/deployment.yml
+kubectl apply -f .infrastructure/security/rbac.yml
+
 # Install Ingress Controller
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
 # kubectl apply -f .infrastructure/ingress/ingress.yml
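Review bot: The new `kubectl apply -f .infrastructure/security/rbac.yml` line runs after `deployment.yml`, so if that deployment's pod template references the `secrets-reader` ServiceAccount (which the instructions added in this commit suggest), pod creation fails with a missing-serviceaccount error until the account exists; moving the line above `kubectl apply -f .infrastructure/app/deployment.yml` removes that window. Whether the deployment actually sets `serviceAccountName` is not visible in this hunk. The script's error-handling mode (`set -e` or equivalent) is also outside the hunk, so a rejected RBAC manifest may otherwise pass unnoticed.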