Improved demo for impersonation

nicholasdille · May 8, 2024 · aea8d4c · aea8d4c
1 parent d3a62c6
commit aea8d4c
Show file tree

Hide file tree

Showing 5 changed files with 105 additions and 105 deletions.
diff --git a/120_kubernetes/rbac/impersonation.demo b/120_kubernetes/rbac/impersonation.demo
@@ -1,16 +1,117 @@
 # Impersonation using RBAC
 
 # Deploy namespace
-kubectl apply -f test-namespace.yaml
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test
+EOF
 
 # Deploy namespace admin
-kubectl apply -f test-admin.yaml
+cat <<EOF | kubectl apply -f -
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: admin
+  namespace: test
+rules:
+- apiGroups:
+  - "*"
+  resources:
+  - "*"
+  verbs:
+  - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: admin
+  namespace: test
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: admin
+subjects:
+- kind: User
+  name: test-admin
+EOF
 
 # Deploy namespace reader
-kubectl apply -f test-reader.yaml
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: reader
+  namespace: test
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: reader
+  namespace: test
+  annotations:
+    kubernetes.io/service-account.name: reader
+type: kubernetes.io/service-account-token
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: reader
+  namespace: test
+rules:
+- apiGroups:
+  - "*"
+  resources:
+  - "*"
+  verbs:
+  - "get"
+  - "list"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: reader
+  namespace: test
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: reader
+subjects:
+- kind: ServiceAccount
+  name: reader
+  namespace: test
+EOF
 
 # Deploy impersonation role
-kubectl apply -f test-impersonation.yaml
+cat <<EOF | kubectl apply -f -
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: admin-impersonator
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - "users"
+  verbs:
+  - "impersonate"
+  resourceNames:
+  - "test-admin"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: admin-impersonator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: admin-impersonator
+subjects:
+- kind: ServiceAccount
+  name: reader
+  namespace: test
+EOF
 
 # Create new user in kubeconfig
 TOKEN="$(

diff --git a/120_kubernetes/rbac/test-admin.yaml b/120_kubernetes/rbac/test-admin.yaml
diff --git a/120_kubernetes/rbac/test-impersonation.yaml b/120_kubernetes/rbac/test-impersonation.yaml
diff --git a/120_kubernetes/rbac/test-namespace.yaml b/120_kubernetes/rbac/test-namespace.yaml
diff --git a/120_kubernetes/rbac/test-reader.yaml b/120_kubernetes/rbac/test-reader.yaml