2 Answers
This took me a while to wrap my head around, but the missing piece is that the users aren’t created in, and don’t even exist in, k8s. In the demo video, there’s an example with the user mia. The user is actually a certificate (which is less important for your question, but worth noting), which is created and exists entirely on some random Linux host Nigel’s on. Kubernetes has no control of the user/cert, didn’t create it, and can’t touch it in any way. What it can do is recognize the user and apply RBAC rules to any requests that come from it.
So the TL;DR is: Kubernetes doesn’t have users, but it does have permissions for externally controlled users.
Yeah, the best way to think of it is as roles, not users or groups. Like how you have an EC2 server or a Compute function act on a role, or get keys in AWS, as IAM authorizes the role to do. Across the control plane there are still services within RBAC being called, and they are just not users or groups; they use roles to call on various services, functions and machines.
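To make both answers concrete, here is an added example (not from either answer or from the demo video) of the only thing Kubernetes actually stores for mia: a Role and a RoleBinding whose subject is the name the API server reads from her client certificate. It assumes a namespace `dev` and a certificate whose subject is `CN=mia`; both are illustrative.

```yaml
# Assumed: mia's client certificate carries CN=mia. The API server takes the
# CN as the username and any O= fields as group names. No User object is
# created anywhere; the name below is simply compared against whatever name
# the presented certificate carries.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev            # illustrative namespace
  name: pod-reader
rules:
- apiGroups: [""]           # "" is the core API group
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: dev
  name: mia-reads-pods
subjects:
- kind: User                # an external identity, not a Kubernetes resource
  name: mia                 # must match the CN in the certificate exactly
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

`kubectl auth can-i list pods --namespace dev --as mia` (run by an identity that is itself allowed to impersonate) shows whether the binding takes effect. Because the API server does not revoke client certificates, withdrawing mia's access means deleting the RoleBinding, not touching the certificate.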