GitLab Agent for Kubernetes is an integration for the GitLab CI/CD pipeline that provides kubectl access from pipeline jobs, allowing Continuous Deployment into a live Kubernetes Cluster. However, the default role for this Agent is cluster-admin when doing a basic Helm install, which is far too permissive and needs to be scoped down to only … GitLab: least privilege for Kube-API calls from GitLab Agent for Kubernetes
When GCP operations fail due to permissions issues, checking the IAM roles assigned to a user, group, or service account becomes a necessity. When hierarchical projects and organizations are involved it becomes even more complex. This article will show you how to use gcloud at the project and organization level to pull IAM policies for … GCP: listing IAM roles for user, group, and service account in project and organization
The Kubernetes Dashboard provides a convenient web interface for viewing cluster resources. However, if you are logged using a token tied to the ‘cluster-admin’ role, you will have privileges beyond what are typically necessary. In this article, I will show you how to create a ServiceAccount and ClusterRole with limited privileges that can be used … Kubernetes: accessing the Kubernetes Dashboard with least privilege
A Kubernetes Service Account (KSA) can be used to provide least-privileged access to a pod for a cluster that has Role-based access control (RBAC) enabled. This is done by making the KSA the subject in an RBAC role. But it can be challenging to discover and test whether the KSA has the correct set of … Kubernetes: testing RBAC authorization of a Kubernetes Service Account
microk8s is a lightweight Kubernetes deployment by Canonical that is enterprise-grade, yet also compact enough to run on development boxes and edge devices. In this article, I will show you how to deploy a three-node microk8s cluster on Ubuntu nodes that are created using Terraform and a local KVM libvirt provider. Ansible is used for … Kubernetes: microk8s cluster on Ubuntu using Ansible
In a single Ansible playbook, you may wish to apply some roles to all hosts, while limiting other roles to only certain groups. While it is certainly possible to apply a role to all hosts and then use a ‘when’ to filter down to the desired group like below: – hosts: all gather_facts: yes roles: … Ansible: applying roles to certain groups in a single playbook