RBAC question

Dear All,

Cluster information:

Kubernetes version: 1.21.4
Cloud being used: On-Premise
Installation method: Manual installation
Host OS: CentOS 8

I have a deployment which exposes an API endpoint via the Service (NodePort) resource. If I do a simple curl https://node-ip:30010, I can see everything, and up to this point it works fine.
Now, how can I restrict access to this API endpoint using Kubernetes resources, so that only a particular user can query it and not everybody?

Ey Marco:

RBAC controls access to the Kubernetes API:

RBAC authorization uses the rbac.authorization.k8s.io API group to drive authorization decisions, allowing you to dynamically configure policies through the Kubernetes API.

Your application exposes the endpoint at https://node-ip:30010, so requests to this endpoint are handled by your application, not by the Kubernetes API server.

Assuming your application does not handle any form of access control and that you want to use Kubernetes API objects, you may take a look at using an Ingress Controller: Basic Authentication - NGINX Ingress Controller (kubernetes.github.io)

Hope it helps!

Xavi
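The setup Xavi points to, as an added example that is not part of the thread: the application is published through the NGINX Ingress Controller with HTTP basic authentication, and its Service is changed from NodePort to ClusterIP so that the only way to reach it from outside is through the ingress. Assumed names: namespace `api`, pod label `app=api`, container port 8080, host `api.example.com`, a TLS Secret `api-tls`, and a basic-auth Secret `basic-auth` created with `htpasswd` as shown in the comment.

```yaml
# Added example, not from the original post. Assumptions: ingress-nginx is
# installed with IngressClass "nginx"; the app listens on 8080 in namespace
# "api" with label app=api; TLS Secret "api-tls" already exists.
#
# The credential Secret is created from an htpasswd file (bcrypt), not written
# into a manifest, so no password hash lands in version control:
#   htpasswd -B -c auth alice
#   kubectl -n api create secret generic basic-auth --from-file=auth
# The key inside the Secret must be named "auth".
apiVersion: v1
kind: Service
metadata:
  name: api
  namespace: api
spec:
  # ClusterIP only: the NodePort on 30010 is gone, so nothing can bypass the
  # ingress and its authentication.
  type: ClusterIP
  selector:
    app: api
  ports:
    - name: http
      port: 8080
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api
  namespace: api
  annotations:
    # Basic auth is checked by the ingress controller before the request is
    # proxied to the backend.
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
    # Basic auth sends the password base64-encoded, so never allow plain HTTP.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - api.example.com
      secretName: api-tls
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 8080
```

Two checks before relying on this: confirm the old NodePort is really gone (`kubectl -n api get svc api` should show `ClusterIP` and no node port), and confirm that the pod is not reachable by any other route such as a second Service or a hostPort. Basic auth at the ingress identifies the caller but does not tell the backend who it was unless the application reads the `Authorization` header itself; if the application needs per-user decisions, an auth proxy in front of it (also supported by ingress-nginx via the `auth-url` annotation) is the next step.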

a couple of suggestions:

  1. you can use NetworkPolicies to restrict by IP.
  2. in order to enforce access by user I would use an ingress point (for example the nginx ingress controller and expose an Ingress) and there you can add more control on HTTP requests.
  3. once you use an ingress you can choose which URLs are accessible through the ingress (exposed outside instead of using a NodePort) and which will be accessible only from within the SDN (ClusterIP service).
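Suggestion 1 above (restricting by source IP with a NetworkPolicy) as an added example, not part of the original reply. It keeps the NodePort from the question but sets `externalTrafficPolicy: Local`; without that, kube-proxy SNATs NodePort traffic to the node's own IP and an `ipBlock` rule would match the node rather than the real client. Assumed names: namespace `api`, pod label `app=api`, container port 8080, trusted client network 203.0.113.0/24, and that the cluster's CNI plugin enforces NetworkPolicy (Calico, Cilium and similar do; flannel on its own does not).

```yaml
# Added example, not from the original post. Assumptions: namespace "api",
# Deployment pods labelled app=api listening on 8080, trusted clients in
# 203.0.113.0/24, a CNI that enforces NetworkPolicy, and (for the second rule)
# ingress-nginx running in a namespace named "ingress-nginx".
apiVersion: v1
kind: Service
metadata:
  name: api
  namespace: api
spec:
  type: NodePort
  # "Local" preserves the client source IP and only routes to pods on the node
  # that received the packet. With the default "Cluster" policy the source is
  # rewritten to the node IP, so the ipBlock below would never see the caller.
  externalTrafficPolicy: Local
  selector:
    app: api
  ports:
    - port: 8080
      targetPort: 8080
      nodePort: 30010
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-trusted-only
  namespace: api
spec:
  # Selecting the pods turns on default-deny for their ingress; only the
  # rules listed below are allowed through.
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    # Rule 1: direct NodePort clients from the trusted network, with one
    # address carved out (for example a shared jump host you do not trust).
    - from:
        - ipBlock:
            cidr: 203.0.113.0/24
            except:
              - 203.0.113.200/32
      ports:
        - protocol: TCP
          port: 8080
    # Rule 2: the ingress controller, if the app is also published through an
    # Ingress. Matches on the namespace name label set by Kubernetes 1.21+.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
```

Verify the policy rather than assuming it: from an address inside 203.0.113.0/24 the curl from the question should still succeed, from any other address it should hang until the TCP timeout (NetworkPolicy drops, it does not reject). If both succeed, the CNI is not enforcing policies. Note that the `ports` entries refer to the pod's port (8080), not the node port (30010), and that an IP allow-list is a network-level control only; it says nothing about which user is calling, which is what suggestion 2 addresses.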