Severed-Blog/_posts/blog_app/2025-12-27-part-4.md
wboughattas 786a98f4c5 added parts
2025-12-30 23:53:49 -05:00

---
layout: post
title: "Step 4: RBAC & Security"
date: 2025-12-28 06:00:00 -0400
categories: blog_app
highlight: true
---


4. Cluster Management & Security

4.1 RBAC: Admin user

In Kubernetes, a ServiceAccount is an identity that a process (or a human) uses to talk to the API. We create an admin-user, but an identity has no permissions by default. We must link it to a ClusterRole (a set of permissions) using a ClusterRoleBinding.

  • ServiceAccount: creates the admin-user identity in the kubernetes-dashboard namespace.
  • ClusterRoleBinding: grants this specific ServiceAccount the cluster-admin role (full access to the entire cluster).

infra/dashboard/dashboard-admin.yaml:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kubernetes-dashboard
```

4.2 Authentication: Permanent Tokens

Modern Kubernetes no longer automatically generates a Secret token for each ServiceAccount. To log into the UI, we need a static, long-lived credential.

infra/dashboard/permanent-token.yaml:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: admin-user-token
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/service-account.name: 'admin-user'
type: kubernetes.io/service-account-token
```

This creates a Secret of type kubernetes.io/service-account-token. Because of the annotation kubernetes.io/service-account.name: "admin-user", K8s automatically populates the Secret with a signed JWT that we can use to get past the login screen.
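As an added example (not code from the post or its repository), here is a small Python audit that ties the two manifests together: it decodes the claims of a token shaped like the one this Secret produces, without verifying the signature, and reports whether the token has no expiry and whether its ServiceAccount is bound to cluster-admin through a ClusterRoleBinding like the one in 4.1. The manifest and the claims are constructed copies embedded inline, and the token signature is a placeholder.

```python
import base64
import json

# Constructed copies of the page's manifests, pre-parsed into dicts (no PyYAML
# needed): the ClusterRoleBinding from dashboard-admin.yaml, plus claims shaped
# like the legacy secret-backed token permanent-token.yaml mints (no 'exp').
ADMIN_BINDING = {
    "kind": "ClusterRoleBinding",
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"kind": "ServiceAccount", "name": "admin-user",
                  "namespace": "kubernetes-dashboard"}],
}
LEGACY_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kubernetes-dashboard",
    "kubernetes.io/serviceaccount/service-account.name": "admin-user",
    "sub": "system:serviceaccount:kubernetes-dashboard:admin-user",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Constructed JWT with a placeholder signature; only the claims get inspected."""
    header = _b64url(json.dumps({"alg": "RS256"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{_b64url(b'placeholder')}"

def decode_claims(token: str) -> dict:
    """Read the payload WITHOUT verifying the signature: inspection, not authentication."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def cluster_admin_service_accounts(bindings: list) -> set:
    """'namespace:name' of every ServiceAccount bound to the cluster-admin ClusterRole."""
    found = set()
    for b in bindings:
        if b.get("kind") == "ClusterRoleBinding" and b["roleRef"]["name"] == "cluster-admin":
            found |= {f"{s['namespace']}:{s['name']}" for s in b.get("subjects", [])
                      if s.get("kind") == "ServiceAccount"}
    return found

def audit_token(token: str, bindings: list) -> list:
    """'no-expiry' if the token never expires, 'cluster-admin' if its subject holds that role."""
    claims = decode_claims(token)
    findings = [] if "exp" in claims else ["no-expiry"]
    sub = claims.get("sub", "")  # system:serviceaccount:<namespace>:<name>
    if sub.startswith("system:serviceaccount:"):
        ns, name = sub.split(":")[2:4]
        if f"{ns}:{name}" in cluster_admin_service_accounts(bindings):
            findings.append("cluster-admin")
    return findings
```

For the token this Secret produces the audit returns both findings, which is exactly the combination worth tracking on a cluster: a credential that never expires and carries full cluster access. A token minted with `kubectl create token admin-user -n kubernetes-dashboard` carries an `exp` claim and is the time-bounded alternative when a permanent credential is not strictly needed.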

4.3 Localhost: Ingress & Cookies

The Kubernetes Dashboard serves HTTPS only, which causes certificate errors when it is proxied on localhost with a self-signed certificate. We need to reconfigure Traefik (the reverse proxy bundled with K3s) to accept insecure backends.

Helm & CRDs

K3s installs Traefik using Helm (the Kubernetes package manager). Usually you manage Helm charts from the CLI (helm install). K3s, however, includes a Helm Controller that lets us manage charts through YAML objects called HelmChartConfig (a Custom Resource Definition, or CRD).

This lets us reconfigure a complex Helm deployment with a single declarative file.

infra/dashboard/traefik-config.yaml:

```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    additionalArguments:
      # Tell Traefik to ignore TLS certificate errors when talking to internal services
      - "--serversTransport.insecureSkipVerify=true"
```

4.4 Stress Testing & Verification

We used Apache Bench (ab) to generate enough concurrency to trigger the HPA. The run produces tens of thousands of requests, which trips the RPS rule in our HPA configuration.

```bash
# Generate 50 concurrent users for 5 minutes
ab -k -c 50 -t 300 -H "Host: blog.localhost" http://127.0.0.1:8080/
```