You are a container engineer at Cube4Lyf, an e-gaming platform geared towards puzzle and logic games. As their Kubernetes implementation matures, their security team is calling for more granular user access policies that adhere to the Principle of Least Privilege.
The team has created a role to restrict the Dev user to read/write permissions in the development namespace, read-only rights in the productions namespace, and no access to the monitoring namespace in the cluster. However, users are reporting more access than intended.
You will need to troubleshoot the policy and role bindings to ensure this granular access is enforced in the cluster.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Objective 1
Correct the configuration of the
deployment-userrole and role binding so that it only allows those actions in the development namespace.- Objective 2
Restore read-only permissions for the production namespace to the dev user.
Notes
Read-only role:apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: production name: prod-read rules: - apiGroups: [""] resources: ["pods", "deployments"] verbs: ["get", "watch", "list"]Read-only role binding:
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: prod-read namespace: production subjects: - kind: User name: dev apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: prod-read apiGroup: rbac.authorization.k8s.io
