Custom RBAC Access Tokens
Create fine-grained permissions to Namespaces with Roles and RoleBindings
As explained in Manage API Access Tokens, Org Admins usually assign Namespaces to Kubeconfig access tokens.
However, for more flexibility, they can also use role-based access control (RBAC) in CoreWeave Cloud. To do so, the Org Admin creates the access token without any namespace assignment, and then uses a RoleBinding to assign it a Role.
About Roles and RoleBindings
This diagram illustrates the relationship between a Role, a RoleBinding, an Access Token, and a Namespace.
- An Access Token, usually stored in a Kubeconfig, is the credential that identifies the user.
- A Role defines a set of permissions in a Namespace.
- A RoleBinding connects the Access Token and the Role to grant access in the Namespace.
This is a simplified description. Roles and RoleBindings are also used for other Kubernetes subjects.
Prerequisites
To complete this guide, the Org Admin must configure a Kubeconfig and set the desired namespace in the current context. All the commands below run in this default configuration, unless overridden with command-line parameters to illustrate RBAC access.
Get started
The first step is to create a new access token without any namespace assignments. Follow the same steps described in Manage API Access Tokens, but do not assign any namespaces. This is the key to creating an RBAC token.
For clarity, this guide refers to the downloaded Kubeconfig file as rbac-kubeconfig.
$ mv cw-kubeconfig rbac-kubeconfig
Create a Role
Next, create a Role that can read Pods, but cannot deploy new Pods or read any other resources, such as Secrets.
- Paste the code below into pod-reader.yaml.
- Change my-namespace to the desired namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: my-namespace # The desired namespace
  name: pod-reader # The Role name, which must match in the RoleBinding
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
Create the Role in the Namespace, using the Org Admin's Kubeconfig.
$ kubectl apply -f pod-reader.yaml
role.rbac.authorization.k8s.io/pod-reader created
Create a RoleBinding
Finally, create a RoleBinding that connects the access token to the Role.
- Paste the code below into pod-reader-rolebinding.yaml.
- Change my-namespace to the same namespace used in the Role.
- Change my-user to the name found in rbac-kubeconfig, downloaded earlier.
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows a user to read pods in the namespace.
# You need to already have created a Role named "pod-reader" in the namespace.
kind: RoleBinding
metadata:
  name: pod-reader-rolebinding
  namespace: my-namespace # change this to the desired namespace
subjects:
# You can specify more than one "subject"
- kind: User
  name: my-user # Change this to the case-sensitive user name found in Kubeconfig
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader # The Role name, defined in the Role
  apiGroup: rbac.authorization.k8s.io
Apply the RoleBinding to the Namespace, using the Org Admin's Kubeconfig.
$ kubectl apply -f pod-reader-rolebinding.yaml
rolebinding.rbac.authorization.k8s.io/pod-reader-rolebinding created
Test the access token
Test the RBAC access token to verify that get pods is allowed.
$ kubectl get pods --kubeconfig rbac-kubeconfig --namespace my-namespace
--kubeconfig overrides the Org Admin's configuration. --namespace must be declared because rbac-kubeconfig has no Namespace assigned.
If successful, the result should be similar to this, assuming that Pods are deployed in the Namespace.
$ kubectl get pods --kubeconfig rbac-kubeconfig --namespace my-namespace
NAME                   READY   STATUS    RESTARTS   AGE
example1-123456-abcd   1/1     Running   0          12d
example2-123456-abcd   1/1     Running   0          50d
example3-123456-abcd   1/1     Running   1          75d
Test to make sure get secrets is forbidden.
$ kubectl get secrets --kubeconfig rbac-kubeconfig --namespace my-namespace
Error from server (Forbidden): secrets is forbidden: User "my-user" cannot list resource "secrets" in API group "" in the namespace "my-namespace"
If both tests behave as shown, the RBAC access token is configured properly. Further adjustments are possible by modifying the Role or creating new Roles, and then changing the RoleBinding as desired. To learn more about the options available for Roles and RoleBindings with RBAC, see these resources at kubernetes.io and cncf.io.
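As an added example (not CoreWeave's or Kubernetes' code), the following Python models the decision the API server made in the two tests above: it evaluates the guide's pod-reader Role and RoleBinding for a given user, verb, resource and namespace, and reproduces the Forbidden message. It is a deliberately simplified authorizer that assumes namespaced Roles and User subjects only.

```python
# Added example, not CoreWeave's or Kubernetes' code: a simplified model of the RBAC
# authorizer for namespaced Roles/RoleBindings and User subjects only (no ClusterRoles,
# Groups, resourceNames or subresources). The Role and RoleBinding below are the guide's.
POD_READER_ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "my-namespace", "name": "pod-reader"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}],
}
POD_READER_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "my-namespace", "name": "pod-reader-rolebinding"},
    "subjects": [{"kind": "User", "name": "my-user", "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"},
}

def _matches(values, wanted):
    # RBAC list entries match exactly and case-sensitively; "*" is the only wildcard.
    return "*" in values or wanted in values

def rule_allows(rule, api_group, resource, verb):
    """True if one PolicyRule covers the (apiGroup, resource, verb) triple."""
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))

def can_i(user, verb, resource, namespace, roles, bindings, api_group=""):
    """Allow only if a RoleBinding in `namespace` names `user` and its Role has a matching rule."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding grants access only inside its own namespace
        if not any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"]):
            continue  # subject names are case-sensitive, as the guide notes
        ref = binding["roleRef"]
        role = roles_by_key.get((namespace, ref["name"])) if ref["kind"] == "Role" else None
        if role and any(rule_allows(rule, api_group, resource, verb) for rule in role["rules"]):
            return True
    return False  # deny by default: no matching rule means Forbidden

def forbidden_message(user, verb, resource, namespace, api_group=""):
    """The error the API server returns for a denied request, as shown in the guide."""
    return (f'{resource} is forbidden: User "{user}" cannot {verb} resource "{resource}" '
            f'in API group "{api_group}" in the namespace "{namespace}"')

if __name__ == "__main__":
    rbac = ([POD_READER_ROLE], [POD_READER_BINDING])
    # `kubectl get secrets` with no object name is a "list" request, hence "cannot list" above.
    print(can_i("my-user", "list", "pods", "my-namespace", *rbac))  # True
    print(forbidden_message("my-user", "list", "secrets", "my-namespace"))
```

Besides the two checks from the guide, the model shows why a create request, a request in another namespace, or a differently cased user name are all denied by the same binding.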