updated rbac doc, added reference

Author: initcron

chapters/configuring_authentication_and_authorization.md

@@ -1,25 +1,95 @@
-# Configuring Authentication and Authorization
-Let us assume a scenario, where a cluster admin was asked to add a newly joined developer, John, to the cluster. He needs to create a configuration file for John and restrict him from accessing resources from other environments.
+# Kubernetes Access Control:  Authentication and Authorization
 
-## Create namespace for a user(Optional)
+In  this lab you are going to,
 
-Create the **dev** namespace if it has not been created already.
+  * Create users and groups and setup certs based authentication
+  * Create service accounts for applications
+  * Create Roles and ClusterRoles to define authorizations
+  * Map Roles and ClusterRoles to subjects i.e. users, groups and service accounts using RoleBingings and ClusterRoleBindings.
 
-`dev-namespace.yml`
 
-```
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: dev
-  labels:
-    name: dev
-```
-```
-kubectl apply -f dev-namespace.yml
-```
+## How one can access the Kubernetes API?
+
+The Kubernetes API can be accessed by three ways.
+
+  * Kubectl - A command line utility of Kubernetes
+  * Client libraries - Go, Python, etc.,
+  * REST requests
+
+## Who can access the Kubernetes API?
+
+Kubernetes API can be accessed by,
+
+  * Human Users
+  * Service Accounts  
+
+Each of these topics will be discussed in detail in the later part of this chapter.
+
+## Stages of a Request
+
+When a request tries to contact the API , it goes through various stages as illustrated in the image given below.
+
+  ![request-stages](images/access-control.svg)
+  <sub>[source: official kubernetes site](https://kubernetes.io/docs/home/)</sub>
+
+
+### Stage 1: Authentication
+
+  * Authentication operation checks whether the *user/service account* has the permission to talk to the api server or not.  
+  * Authentication is done by the authentication modules which are configured with the api server.  
+  * Cluster uses with one or more authentication modules enabled.  
+  * If the request fails to authenticate itself, it will be served with **401 error**.  
+
+#### Authentication for Human  Users
+
+  * Kubernetes uses **usernames** for access control.  
+  * But it neither has an api object nor stores information about users in its data store.  
+  * Users need to be managed externally by the cluster administrator.  
+
+#### Authentication for Service Accounts
+
+  * Unlike user accounts, service accounts are managed by Kubernetes.  
+  * *service accounts* are bound to specific namespaces.  
+  * Credentials for *service Accounts* are stored as *secrets*.  
+  * These secrets are mounted to pods when a deployment starts using the Service Account.  
+
+### Stage 2: Authorization
+
+  * After a request successfully authenticated, it goes through the authorization process.
+  * In order for a request to be authorized, it must consist following attributes.
+    * Username of the requester(User)
+    * Requested action(Verb)
+    * The object affected(Resource)
+  * Authorization is done by the following modules. Each of these modules has a special purpose.
+    * Attribute Based Access Control(ABAC)
+    * Role Based Access Control(RBAC)
+    * Node Authorizer
+    * Webhook module
+  * If a request is failed to get authorized, it will be served with **403 error**.
+  * Among these modules, RBAC is the most used authorizer while,
+    * ABAC is used for,
+      * Policy based, fine grained access control
+      * The caveat is api server has to be restarted whenever we define a ABAC policy
+    * Node Authorizer is,
+      * Enabled in all the worker nodes
+      * Grants access to kubelet for some of the resources.
+  * We have already talked about the user in detail. Now lets focus on **verbs** and **resources**
+  * We will talk about RBAC in detail in the later part
+
+### Stage 3: Admission Control
+  * Admission control part is taken care of by the software modules that can modify/reject requests.
+  * Admission control is mainly used for fine-tuning access control.
+  * Admission control can directly act on the object being modified.
+
+
+## Role Based Access Control (RBAC)
+
+| Group     | User     |  Namespace     |  Resources     |  
+| :------------- | :------------- |  :------------- | :------------- |   
+| ops       | maya       | all | all |  
+| dev       | kim       | instavote | pods, deployments, statefulsets, configmaps, secrets, services, jobs, crons  |  
+
 
-## Create the user credentials
 Generate the user's private key
 ```
 openssl genrsa -out john.key 2048
@@ -78,25 +148,6 @@ roleRef:
 kubectl create -f dev-rolebinding.yaml
 ```
 
-## Kubernetes Access Control
-In this chapter, we will see about how to use authentication and authorisation of Kubernetes.
-## How one can access the Kubernetes API?
-The Kubernetes API can be accessed by three ways.
-  * Kubeclt - A command line utility of Kubernetes
-  * Client libraries - Go, Python, etc.,
-  * REST requests
-
-## Who can access the Kubernetes API?
-Kubernetes API can be accessed by,
-  * Human users
-  * Service Accounts
-Each of these topics will be discussed in detail in the later part of this chapter.
-
-## Stages of a Request
-When a request tries to contact the API , it goes through various stages as illustrated in the image given below.
-
-![request-stages](images/access-control.svg)
-<sub>[source: official kubernetes site](https://kubernetes.io/docs/home/)</sub>
 
 ### TLS in Kubernetes
 Kubernetes API typically runs on two ports.
@@ -107,44 +158,6 @@ Kubernetes API typically runs on two ports.
     * TLS Enabled.
     * Available for kubectl and others.
 
-### Stage 1: Authentication
-  * Authentication operation checks whether the *user/service account* has the permission to talk to the api server or not.
-  * Authentication is done by the authentication modules which are configured with the api server.
-  * Cluster uses with one or more authentication modules enabled.
-  * If the request fails to authenticate itself, it will be served with **401 error**.
-
-#### Authentication for Normal User
-  * Kubernetes uses **usernames** for access control.
-  * But it neither has an api object nor stores information about users in its data store.
-  * Users need to be managed externally by the cluster administrator.
-
-#### Authentication for Service Accounts
-  * Unlike user accounts, service accounts are managed by Kubernetes.
-  * *service accounts* are bound to specific namespaces.
-  * Credentials for *service Accounts* are stored as *secrets*.
-  * These secrets are mounted to pods when a deployment starts using the Service Account.
-
-### Stage 2: Authorization
-  * After a request successfully authenticated, it goes through the authorization process.
-  * In order for a request to be authorized, it must consist following attributes.
-    * Username of the requester(User)
-    * Requested action(Verb)
-    * The object affected(Resource)
-  * Authorization is done by the following modules. Each of these modules has a special purpose.
-    * Attribute Based Access Control(ABAC)
-    * Role Based Access Control(RBAC)
-    * Node Authorizer
-    * Webhook module
-  * If a request is failed to get authorized, it will be served with **403 error**.
-  * Among these modules, RBAC is the most used authorizer while,
-    * ABAC is used for,
-      * Policy based, fine grained access control
-      * The caveat is api server has to be restarted whenever we define a ABAC policy
-    * Node Authorizer is,
-      * Enabled in all the worker nodes
-      * Grants access to kubelet for some of the resources.
-  * We have already talked about the user in detail. Now lets focus on **verbs** and **resources**
-  * We will talk about RBAC in detail in the later part
 
 #### Verbs
   * Verbs are the **action** to be taken on resources.
@@ -161,10 +174,6 @@ Kubernetes API typically runs on two ports.
   * Resources are the object being manipulated by the verb.
   * Ex: pods, deployments, service, namespaces, nodes, etc.,
 
-### Stage 3: Admission Control
-  * Admission control part is taken care of by the software modules that can modify/reject requests.
-  * Admission control is mainly used for fine-tuning access control.
-  * Admission control can directly act on the object being modified.
 
 ## Role Based Access Control (RBAC)
   * RBAC is the most used form of access control to **grant or revoke** permissions to users.

chapters/rbac-resource-group-mapping.md

@@ -0,0 +1,29 @@
+# RBAC Reference
+
+### kubernetes Instances Configuration
+## GCP
+
+NUMBER OF NODE-SIZE |INSTANCE TYPE   |CPU|MEMORY   
+-------------------- | ------------- | ----- | -----------  
+| 1-5                | n1-standard-1  | 1 |3.75  |  
+|6-10                | n1-standard-2  | 2 |7.50  |  
+|11-100              | n1-standard-4  | 4 |15    |
+|101-250             | n1-standard-8  | 8 |30    |
+|251-500             | n1-standard-16 | 16|60    |
+|more than 500       | n1-standard-32 | 32|120   |
+
+## AWS
+| NUMBER OF NODE_SIZE   |INSTANCE TYPE   |CPU|MEMORY
+|--------------------|-----------------|----|---------
+| 1-5                | m3.medium      | 1 | 3.75 |
+|6-10                | m3.large       | 2 | 7.50 |
+|11-100              | m3.xlarge      | 4 | 15   |
+|101-250             | m3.2xlarge     | 8 | 30   |
+|251-500             | c4.4xlarge     | 8 | 30   |
+|more than 500       | c4.8xlarge     | 16| 60   |
+
+## api groups and resources
+
+| apiGroup     | Resources     |
+| :------------- | :------------- |
+| apps      |   daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale     |

mkdocs.yml

@@ -26,6 +26,8 @@ pages:
      - Ingress Controllers: "ingress.md"
   - Additional Topics:
      - Troubleshooting Tips: "12_troubleshooting.md"
+  - References:
+     - RBAC apiGroups to Resource Mapping: "rbac-resource-group-mapping.md"
 docs_dir: chapters
 theme: readthedocs
 plugins: