# Permission manager : RBAC management for Kubernetes


Photo by Kyle Glenn on Unsplash

Came across a GitHub repository implemented by the awesome folks at [Sighup.IO](https://sighup.io/) for managing user permissions for Kubernetes cluster easily via web UI.

GitHub Repo : [https://github.com/sighupio/permission-manager](https://github.com/sighupio/permission-manager)

With Permission Manager, you can create users, assign namespaces/permissions, and distribute Kubeconfig YAML files via a nice&easy web UI.
The project works on the concept of templates that you can create and then use that template for different users.Template is directly proportional to clusterrole. 
In rder to create a new template you need to defile a clusterrole with prefix `template-namespaces-resources__`. The default template are present in the k8s/k8s-seeds directory.

Example template:

```
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: template-namespaced-resources___developer
rules:
  - apiGroups:
      - "*"
    resources:
      - "configmaps"
      - "endpoints"
      - "persistentvolumeclaims"
      - "pods"
      - "pods/log"
      - "pods/portforward"
      - "podtemplates"
      - "replicationcontrollers"
      - "resourcequotas"
      - "secrets"
      - "services"
      - "events"
      - "daemonsets"
      - "deployments"
      - "replicasets"
      - "ingresses"
      - "networkpolicies"
      - "poddisruptionbudgets"
      # - "rolebindings"
      # - "roles"
    verbs:
      - "*"
```


Let us now deploy it on Katakoda kubernetes playground and see the permission checker in action.

**Step1:** Open [https://www.katacoda.com/courses/kubernetes/playground](https://www.katacoda.com/courses/kubernetes/playground)

**Step 2:** git clone [https://github.com/sighupio/permission-manager.git](https://github.com/sighupio/permission-manager.git)

**Step3: Change the deploy.yaml file**

```
master $ kubectl cluster-info
Kubernetes master is running at [https://172.17.0.14:6443](https://172.17.0.14:6443)
```


update the deployment file “k8s/deploy.yaml” with the CONTROL_PLANE_ADDRESS from the result of the above command.

```
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: permission-manager
  name: permission-manager-deployment
  labels:
    app: permission-manager
spec:
  replicas: 1
  selector:
    matchLabels:
      app: permission-manager
  template:
    metadata:
      labels:
        app: permission-manager
    spec:
      serviceAccountName: permission-manager-service-account
      containers:
        - name: permission-manager
          image: quay.io/sighup/permission-manager:1.5.0
          ports:
            - containerPort: 4000
          env:
            - name: PORT
              value: "4000"
            - name: CLUSTER_NAME
              value: "my-cluster"
            - name: CONTROL_PLANE_ADDRESS
**              value: "https://172.17.0.14:6443"
**            - name: BASIC_AUTH_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: auth-password-secret
                  key: password

---
apiVersion: v1
kind: Service
metadata:
  namespace: permission-manager
  name: permission-manager-service
spec:
  selector:
    app: permission-manager
  ports:
    - protocol: TCP
      port: 4000
      targetPort: 4000
**  type: NodePort**
```


**Step4: Deploy the manifests**

```
cd permission-manager

master $ kubectl apply -f k8s/k8s-seeds/namespace.yml
namespace/permission-manager created

master $ kubectl apply -f k8s/k8s-seeds
secret/auth-password-secret created
namespace/permission-manager unchanged
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___operation created
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___developer created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___read-only created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___admin created
rolebinding.rbac.authorization.k8s.io/permission-manager-service-account-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/permission-manager-service-account-rolebinding created
serviceaccount/permission-manager-service-account created
clusterrole.rbac.authorization.k8s.io/permission-manager-cluster-role created
customresourcedefinition.apiextensions.k8s.io/permissionmanagerusers.permissionmanager.user created

master $ kubectl apply -f k8s/deploy.yaml
deployment.apps/permission-manager-deployment created
service/permission-manager-service created
```


**Step5: Get the NodePort and open UI using Katakoda**

```
master $ kubectl get svc -n permission-manager
NAME                         TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
permission-manager-service   NodePort   10.104.183.10   <none>        4000:**31996**/TCP   9m40s
```


n order to open port from Katakoda click on the + and select View HTTP port 8080 on Host 1 and change the port to **31996**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1621076428252/bdEnUD1q-.png)

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1621076430205/ykRyoi7qt.png)

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1621076431966/gXaNdwGt9.png)

Enter the username and password : 
username: `admin`
password: 1v2d1e2e67dS 
You can change the password in k8s/k8s-seeds/auth-secret.yml file.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1621076433792/vCEGJjgD4.png)

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1621076436095/9OJyQ5-um.png)

Now Let us create some users and assign one of the default template.

![User Test1 with permission as a developer in permission-manager namespace](https://cdn.hashnode.com/res/hashnode/image/upload/v1621076438114/PHJemWtYV.png)*User Test1 with permission as a developer in permission-manager namespace*

Let us download the kubeconfig file and test the permissions:

```
**master $ kubectl --kubeconfig=/root/permission-manager/newkubeconfig get pods
**Error from server (Forbidden): pods is forbidden: User "test1" cannot list resource "pods" in API group "" in the namespace "default"
**master $ kubectl --kubeconfig=/root/permission-manager/newkubeconfig get pods -n permission-manager
**NAME                                             READY   STATUS    RESTARTS   AGE
permission-manager-deployment-544649f8f5-jzlks   1/1     Running   0          6m38s

master $ kubectl get clusterrole | grep template
template-cluster-resources___admin                                     7m56s
template-cluster-resources___read-only                                 7m56s
template-namespaced-resources___developer                              7m56s
template-namespaced-resources___operation                              7m56s

```


![](https://cdn.hashnode.com/res/hashnode/image/upload/v1621076440282/Xp-fHHMpM.png)

**Summary**: With permission checker you can easily create multiple users and give permission for specific resources in specific namespace using custom-defined templates.

## About Saiyam

Saiyam is a Software Engineer working on Kubernetes with a focus on creating and managing the project ecosystem. Saiyam has worked on many facets of Kubernetes, including scaling, multi-cloud, managed kubernetes services, K8s documentation and testing. He’s worked on implementing major managed services (GKE/AKS/OKE) in different organizations. When not coding or answering Slack messages, Saiyam contributes to the community by writing blogs and giving sessions on InfluxDB, Docker and Kubernetes at different meetups. Reach him on Twitter @saiyampathak where he gives tips on InfluxDB, Rancher, Kubernetes and open source.

## We’re hiring!

We are looking for engineers who love to work in Open Source communities like Kubernetes, Rancher, Docker, etc.

If you wish to work on such projects please do visit our [job offerings page](https://kubernauts.de/en/careers/).
