Configure RBAC
To let the service account created in the previous step manipulate the cluster, deploy an RBAC file:
kubectl apply -f cloud-proxy-ui-rbac.yaml --validate
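The RBAC file looks like the following. It grants the cloud-proxy-ui service account the create, get, list, patch and delete verbs on the listed Kubernetes resources. Because the role is bound with a ClusterRoleBinding, the grant applies in every namespace, and it includes access to secrets.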
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cloud-proxy-ui
rules:
- apiGroups:
  - ""
  - "apps"
  resources:
  - namespaces
  - configmaps
  - deployments
  - pods
  - pods/log
  - secrets
  - services
  - persistentvolumeclaims
  verbs:
  - create
  - get
  - list
  - patch
  - delete
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cloud-proxy-ui
  namespace: default
subjects:
- kind: ServiceAccount
  name: cloud-proxy-ui
  namespace: default
roleRef:
  kind: ClusterRole
  name: cloud-proxy-ui
  apiGroup: rbac.authorization.k8s.io
To check the created ClusterRole and ClusterRoleBinding, run kubectl get clusterroles | grep cloud and kubectl get clusterrolebindings | grep cloud respectively. The output will list cloud-proxy-ui.
# kubectl get clusterroles | grep cloud
cloud-proxy-ui 2023-05-25T11:09:29Z
# kubectl get clusterrolebindings | grep cloud
cloud-proxy-ui ClusterRole/cloud-proxy-ui 25h
Run the following command to inspect the role binding created. Note that this role binding binds our cloud-proxy-ui service account to its cloud-proxy-ui cluster role.
# kubectl describe clusterrolebinding cloud-proxy-ui
Name:         cloud-proxy-ui
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cloud-proxy-ui
Subjects:
  Kind            Name            Namespace
  ----            ----            ---------
  ServiceAccount  cloud-proxy-ui  default
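To review what the ClusterRole above actually permits, the following added example (not part of the original page or the project's code) matches requests against its rule the way RBAC does: one rule must cover the API group, the resource and the verb together. RULES is transcribed from the manifest; the SENSITIVE review list and the function names are assumptions for illustration, and resourceNames and the "*/subresource" wildcard form are not modelled.

```python
# Added example: offline review of the cloud-proxy-ui ClusterRole.
# RULES is transcribed from the manifest on this page.
RULES = [{
    "apiGroups": ["", "apps"],
    "resources": ["namespaces", "configmaps", "deployments", "pods",
                  "pods/log", "secrets", "services", "persistentvolumeclaims"],
    "verbs": ["create", "get", "list", "patch", "delete"],
}]


def _match(granted, wanted):
    # Only the plain "*" wildcard is handled here; anything else is exact.
    return "*" in granted or wanted in granted


def allowed(rules, group, resource, verb):
    """True if any single rule covers group, resource and verb together."""
    return any(
        _match(r["apiGroups"], group)
        and _match(r["resources"], resource)
        and _match(r["verbs"], verb)
        for r in rules
    )


# Requests worth checking before binding a role cluster-wide
# (constructed review list, an assumption of this example).
SENSITIVE = [
    ("", "secrets", "get"),
    ("", "secrets", "list"),
    ("", "namespaces", "delete"),
    ("", "pods", "create"),
    ("", "pods/exec", "create"),         # subresource not listed in the role
    ("apps", "deployments", "update"),   # verb not listed in the role
]


def review(rules, requests=SENSITIVE):
    """Return {request: bool} for each request in the review list."""
    return {req: allowed(rules, *req) for req in requests}


if __name__ == "__main__":
    # A ClusterRoleBinding applies the role in every namespace.
    for (group, resource, verb), ok in review(RULES).items():
        status = "ALLOW" if ok else "deny"
        name = f"{resource}.{group}" if group else resource
        print(f"{status:5}  {verb:6}  {name}  (all namespaces)")
```

Subresources such as pods/exec are separate entries in RBAC, so listing pods and pods/log does not grant them. On a live cluster the same questions can be asked with kubectl auth can-i and --as=system:serviceaccount:default:cloud-proxy-ui.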