Kubernetes :- Service Account, Cluster Role, Cluster role Binding

Challenge: You have been asked to create a new ClusterRole for a deployment pipeline and bind it to a specific ServiceAccount scoped to a sp...

Challenge:

You have been asked to create a new ClusterRole for a deployment pipeline and bind it to a specific ServiceAccount scoped to a specific namespace.

Task :

Create a new ClusterRole named deployment-clusterrole, which only allows to create the following resource types:
1. Deployment
2.  Stateful Set
3.  DaemonSet
Create a new ServiceAccount named cicd-token in the existing namespace app-team1.
Bind the new ClusterRole deployment-clusterrole to the new ServiceAccount cicd-token, limited to the namespace app-team1.

Solution:

Step 1: Create a namespace app-team1 

            

            kubectl create ns app-team1

Step 2: Create clusterrole deployment-clusterrole with verb create for        Deployment,StatefulSet,DaemonSet resources

    kubectl create clusterrole deployment-clusterrole --verb=create --  resource=Deployment,StatefulSet,DaemonSet -n app-team1 

   Verify ClusterRole is created:

    kubectl get clusterrole deployment-clusterrole -n app-team1 

    kubectl describe clusterrole deployment-clusterrole -n app-team1 

Step 3: Create a service account cicd-token

          kubectl create sa cicd-token -n app-team1

         Verify service account is created:

          kubectl get sa -n app-team1

Step 4: Create a ClusterRoleBinding to bind sa with clusterrole

kubectl create clusterrolebinding deployment-clusterrolebinding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token -n app-team1

   Verify Clusterrolebidning is created

   kubectl get clusterrolebinding -n app-team1

Step 5: Verify the sa has the authorization to create deployment

kubectl auth can-i get deployment --as=system:serviceaccount:app-team1:cicd-token -n app-team1

It should return yes