  • 00:03

    Hello and welcome from Portainer. Adolfo here and  in this video I’m going to talk about Kubernetes  

  • 00:08

    RBAC it can be quite challenging managing RBAC  with Kubernetes comes with a certain amount of  

  • 00:13

    complexity and a good amount of manual effort and  I’m going to show here two different strategies  

  • 00:20

    that we can use to manage RBAC in Kubernetes  one is using the manual strategy of writing  

  • 00:27

    YAML files or YAML definitions and the second one is with Portainer and you'll see how much

  • 00:32

    easier it is to use Portainer and how  much more it makes sense to use Portainer  

  • 00:37

    than the traditional YAML definitions or YAML files so let's start by understanding a little bit of

  • 00:43

    the user role concepts in Kubernetes  I want to start with the RBAC roles  

  • 00:49

    there's at least four roles that are quite well  known uh the cluster admin he's like a super  

  • 00:54

    user he can do anything in the cluster in terms  of the management of a Kubernetes environment  

  • 01:01

    the admin role has unlimited read write  access to resources within a namespace  

  • 01:07

    the edit role grants reader access within a given  Kubernetes namespace it cannot view or modify  

  • 01:13

    roles or role bindings and finally the view which is like a view access a read-only access control

  • 01:19

    of given namespaces so these are just some  of the well-known roles within Kubernetes  

  • 01:26

    uh the other thing I would mention is well what  does this mean in terms of practical challenges  

  • 01:33

    of Kubernetes in terms of RBAC first of all  Kubernetes comes with an RBAC engine but it  

  • 01:39

    doesn't have a tool to manage RBAC whatsoever that  means that pretty much everything has to be done  

  • 01:45

    manually and if you need to for instance update a  role of a given user you have to revoke that role  

  • 01:53

    and replace it with a new one and if this user has  that for instance more than one role in a given  

  • 01:58

    cluster through different namespaces or resources  you can very easily make mistakes because  

  • 02:06

    you have to do that per resource in your  cluster that you want to manage via RBAC  

  • 02:11

    there is no visibility in terms of user access so  there isn't any way of easily identifying which  

  • 02:19

    level the user has within a cluster finally  visibility into cluster configurations  

  • 02:24

    so Kubernetes also lacks functionality to help  you manage complex RBAC configurations that  

  • 02:30

    means that you're totally on your own when it comes to keeping track of roles, role bindings,

  • 02:36

    cluster roles, cluster role bindings, service accounts, tokens stored in secrets well pretty

  • 02:42

    much everything that you've configured within your  RBAC in Kubernetes to put this in a simple way  

  • 02:48

    Kubernetes RBAC does not provide  much help when it comes to managing  

  • 02:52

    or monitoring your configuration data right let  me start with the first strategy which is using  

  • 03:00

    the manual way of setting up user roles so here I have in my environment a MicroK8s node

  • 03:14

    and it has it should only have yes it only has  RBAC enabled here so let's start by creating  

  • 03:22

    a read-only access for a user type I will  pipe this so let me clear the screen here  

  • 03:30

    and I’m going to pipe this into the  Kubernetes cluster using the create eoi  

  • 03:42

    piping and this is the role definition it's  read only the namespace is default so any user  

  • 03:50

    that is assigned to this role will have this that  will have a role binding of this role will only  

  • 03:56

    have read only access to the default namespace  if I hadn't defined the name of the namespace  

  • 04:04

    this would automatically be assigned to the default namespace anyway okay so let me close this

  • 04:12

    piping and I have a read-only access definition  created okay so let me assign this to a user

  • 04:22

    okay same thing I’m going to pipe it with kubectl

  • 04:32

    stuff

  • 04:35

    why

  • 04:37

    as you can see it's a role binding read only role binding the name of the user

  • 04:44

    okay and oops I have an error this is how things start to get challenging when using

  • 04:53

    YAML definitions right okay so  maybe it's because I’m using spaces  

  • 04:59

    and um comments let me try with it with the same  let's say in a sanitized manner without these  

  • 05:08

    comments let's try this again kubectl create sf minus eli as you can see

  • 05:19

    this is like sanitized I removed all the  comments and spaces and now it worked  

  • 05:26

    so here's an example of creating a read-only  access and doing a role binding to this definition  

  • 05:34

    to a given user in this case user name John right so far um apart from the initial error everything

  • 05:43

    seems to be fine now let's say I want to create  a read write access to namespace called dev  

  • 05:52

    the first thing I have to do is to have to make sure that the namespace dev exists so kubectl

  • 05:59

    uh get pod all namespaces I’m just bringing all the namespaces and all the pods and

  • 06:08

    I only have kube-system so I have to create this namespace kubectl create namespace

  • 06:19

    dev okay I’m doing this because I know  that if I don't have this namespace defined  

  • 06:26

    I cannot create a role to this given namespace kubectl create x f minus a r y

  • 06:37

    and you can see that the resources that I have  here are slightly different the previous one  

  • 06:43

    was only get list and watch now I have get  list watch create update patch and delete

  • 06:51

    and it's been successfully created and I want to add this to a user called Peter as you can

  • 06:58

    see this is pretty much the process  of creating roles and role bindings  

  • 07:04

    with a specific strategy of uh role types

  • 07:10

    with hypertext so here what I’m doing is I’m doing a read write binding to user Peter nice

  • 07:18

    I think that as things progress you  will understand how complex this becomes  

  • 07:23

    now I want to create a cluster role binding  for a super user and it's similar to creating  

  • 07:28

    a role binding to the namespaces but in this case  it's going to be to the cluster create xf minus y

  • 07:40

    and as you can see it's a cluster role now  the name is super user and these are the  

  • 07:46

    rules very similar to the previous ones get  list watch create update patch and delete

  • 07:53

    oh again an error this is when again things start  to get tricky what did I do wrong I’m going to try  

  • 08:03

    to fix this one more time see if I can manage let's see if it works kubectl create sef max y

  • 08:19

    I think that everything should be fine here

  • 08:23

    and it worked and if you look at it I  cannot see the difference between this one  

  • 08:30

    and this one I swear that I cannot see  the difference but definitely there is one

  • 08:39

    again challenges of using YAML definitions I want to finally finish

  • 08:43

    this by assigning this to a user kubectl create stuff

  • 08:50

    why I hope it works because now I don't know it  worked you have three users Joe John and Peter  

  • 08:58

    each one has a role in this environment one is  a super user one is a developer that has read  

  • 09:05

    write access to a given namespace called dev and  the other one has read-only access to the default  

  • 09:12

    namespace if I want to mix and match things I  have to keep creating these YAML definitions  

  • 09:18

    over and over again for each user for each  role and if I want to create new roles I  

  • 09:24

    have to do this over and over again and keep  creating this and as you can see I just did  

  • 09:30

    the piping I have no files written here whatsoever  and I have to make sure I’m storing this somewhere  

  • 09:40

    which in this case I did already GitHub  actually I went here and I store these here

  • 09:52

    so imagine that you have more users in your  team next thing you know you have a team of  

  • 09:59

    10 developers and you have to make sure that  you know which role each member of your team  

  • 10:06

    is going to have in which part of your Kubernetes  cluster be that as a cluster role binding or just  

  • 10:12

    as a role binding to a given namespace or resource  and this is going to start growing and growing 

  • 10:19

    and growing every time your team changes  because your team might be project oriented  

  • 10:26

    um you have to redefine these files  over and over again so this is hard work  

  • 10:33

    just by having them stored in a git server in  this case GitHub doesn't mean that you have enough  

  • 10:38

    control over what is going on in your environment  so somehow you have to have a control of what is  

  • 10:45

    being assigned to who because again Kubernetes  will not do that for you there's no way to do this  

  • 10:49

    easily with Kubernetes and then you can you know use an Excel spreadsheet or text file I don't know

  • 10:56

    whatever you believe is the most appropriate but  then if you're talking about sensitive information  

  • 11:02

    um that you don't want to you know have easily  available you might need to encrypt this file  

  • 11:08

    or you might have to use a database so  basically what I’m trying to show here  

  • 11:13

    is that this is not at all simple so um now  I’m going to do a comparison with Portainer  

  • 11:21

    so now I’m going to deploy Portainer Business Edition on this node

  • 11:26

    to start showing you how easy it is to use the  RBAC functionalities of Portainer with Kubernetes

  • 11:39

    okay so now let me open my browser I’m going to define an admin user I’ll just put Adolfo

  • 11:47

    define a password

  • 11:50

    create this user

  • 11:55

    um okay and now I need to add a license and now  I can configure my Kubernetes environment here  

  • 12:03

    I’m going to for now just enable the local storage  

  • 12:08

    save the configuration and now I have access to  this Kubernetes cluster let's check the namespaces  

  • 12:16

    that has two namespaces defined uh dev and db  um I have created db previously let me see if  

  • 12:25

    I have users here I only have user Adolfo as the administrator let's start by adding users Joe

  • 12:35

    I’m not gonna add him as an administrator just a standard user John

  • 12:48

    Mary

  • 12:55

    and Jane

  • 13:04

    okay so now I have four users defined and I want to define a team of developers

  • 13:12

    those would be and I’m going to call this team dev  

  • 13:15

    and now I’m going to associate users to this team  I’m going to create the team the team is created  

  • 13:21

    I’m going to access the team and the team members are Jane and John

  • 13:28

    this is how easy it is to define  teams with Portainer it's just  

  • 13:31

    you know no coding no YAML definitions nothing so  now I want to make sure that this team has access  

  • 13:40

    to the Kubernetes endpoint I could have more  than one endpoint and each endpoint could be  

  • 13:46

    a representation of a Kubernetes cluster  that could be running locally on the same  

  • 13:51

    machine on my network in a cloud provider  and I could use the same set of users  

  • 13:57

    throughout all the endpoints being managed by this Portainer instance I don't need to recreate the users

  • 14:04

    for each endpoint I have one single set of users  that I define here and manage them across any  

  • 14:11

    number of endpoints defined in this particular  instance so let's say I want to give the dev  

  • 14:18

    team access to this endpoint as standard users  what this means is that anyone within the dev  

  • 14:29

    group is going to have standard user access  to this endpoint um now the namespace dev

  • 14:41

    I want to provide access to the dev team

  • 14:46

    and as you can see I only see the dev team as  an option because only this dev team has been  

  • 14:52

    associated to that Kubernetes endpoint so as  you can see it's very easy to manage access to  

  • 15:00

    resources and you know be that as teams be that as  individual users and I’m going to show an example  

  • 15:07

    now of individual users that could have access to  different resources within this Kubernetes cluster  

  • 15:14

    now I have Joe and Joe and Mary haven't been  associated to any resources within this cluster  

  • 15:22

    and when I say resources it could  be endpoints it could be registries

  • 15:28

    or namespaces so let's say I want to associate to the namespace db John and Mary

  • 15:36

    I won't be able to because John and Mary

  • 15:39

    haven't been associated to any endpoints so I have  to go back to my Kubernetes endpoint and also add

  • 15:47

    John and sorry that's Joe and Mary

  • 15:56

    is that correct is it Joe Mary no I don't remember  but hey how hard is it to check just go to users  

  • 16:03

    teams dev um yep John and Jane so really Joe and Mary are not part of that team

  • 16:10

    what does this mean that it's also very easy  to manage users within teams in with Portainer  

  • 16:16

    which is something that is not at all easy with  Kubernetes now I have associated Joe and Mary  

  • 16:24

    also to the Kubernetes endpoint so the dev team  Joe and Mary have access to the Kubernetes so  

  • 16:31

    now on the namespace db I want to uh grant access  to Joe and Mary but they're not here why is that  

  • 16:42

    because when I granted access to Joe and Mary to this Kubernetes endpoint I granted access as

  • 16:50

    endpoint administrators meaning that if Joe  and Mary log into their Portainer instance  

  • 16:56

    they will automatically see everything within  this Kubernetes environment and it's not what  

  • 17:02

    I want so now I want to update their profiles  to go and say that they are both standard users

  • 17:13

    and I’m going to update their profiles again as  you can see updating the roles of a user with  

  • 17:20

    Portainer is also very easy I don't need to revoke  the previous role to be able to grant a new one  

  • 17:30

    and I don't have to write any YAML definitions or files it's just a matter of by the UI update the

  • 17:38

    user's role now I can go to this namespace db  and grant access to Joe and Mary now they have  

  • 17:49

    user access to this namespace finally I wanted  to show the roles you defined within Portainer  

  • 17:57

    so here when you go to users roles you see each  of the five predefined user roles that are similar  

  • 18:04

    to the ones that I described initially in this video and so for instance if I go to uh user John

  • 18:11

    here on my roles viewer I can see what endpoint user John is associated to

  • 18:19

    and which role he has in this endpoint which is  also a very interesting feature because as we  

  • 18:25

    know Kubernetes lacks this type of visibility and  here we can very easily see how this is done with  

  • 18:31

    Portainer in my opinion very clear how much easier  it is to use RBAC with Portainer versus using RBAC  

  • 18:42

    with the traditional Kubernetes deployment  which would be the manual definition of YAML  

  • 18:48

    uh into your Kubernetes cluster. I hope  you enjoyed this video thank you very much.

RBAC: Portainer vs Kubernetes
