
Task 6: Create a deployment Role in Kubernetes

In this guide, you will define a ClusterRole that grants the permissions needed to create and manage Deployment resources, then bind it to a service account. You will construct YAML manifest files for these objects and apply them to the cluster using kubectl.

Before you start

It is essential that your team is prepared for this verification process.

Make sure that:

  • Task 5 (node verification) has been successfully completed.

  • The cluster is healthy with the control plane and worker nodes in a Ready state.

  • You are logged in to the control plane node as the k3s user and attached to the shared screen session (screen -x group_session).

How to use Role-Based Access Controls (RBAC) in Kubernetes

Set up RBAC by creating the c2sr-sa service account, applying the necessary ClusterRole and ClusterRoleBinding, assigning a service account token, and configuring GHCR secrets.

Step 1: Create a cluster role

Using a text editor like vim or nano, create a new file named cluster-role.yaml and paste the following content into it.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: c2sr-deployment-role
rules:
  - apiGroups: [""]
    resources:
      - endpoints
      - nodes/metrics
      - nodes/proxy
      - nodes/stats
    verbs:
      - get
      - list
      - watch
  # Core API group resources
  - apiGroups:
      - ''
    resources:
      - namespaces
      - services
      - secrets
      - persistentvolumeclaims
      - pods
      - pods/exec
      - nodes
      - serviceaccounts
      - configmaps
      - persistentvolumes
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  # RBAC API group resources
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterroles
      - clusterrolebindings
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  # Apps and Networking resources
  - apiGroups:
      - apps
      - networking.k8s.io
    resources:
      - daemonsets
      - namespaces
      - deployments
      - replicasets
      - ingresses
      - services
      - secrets
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  # Batch resources
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch

Step 2: Apply the Cluster Role

kubectl apply -f cluster-role.yaml

Expected output:

clusterrole.rbac.authorization.k8s.io/c2sr-deployment-role created

Step 3: Verify the cluster role

kubectl get clusterrole

Expected Output:

NAME                           CREATED AT
admin                          2025-06-19T15:39:07Z
c2sr-deployment-role           2025-06-20T02:43:22Z
cluster-admin                  2025-06-19T15:39:07Z
clustercidrs-node              2025-06-19T15:39:13Z
edit                           2025-06-19T15:39:07Z
k3s-cloud-controller-manager   2025-06-19T15:39:11Z

Seeing your role listed alongside the default system roles (admin, cluster-admin, etc.) confirms that the apply command was successful and Kubernetes has stored your new role definition.
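Before a role this broad is bound cluster-wide, it is worth reviewing which of its grants go beyond "create and manage Deployments". The script below is an added example for this page, not part of the bootcamp material: it carries a transcribed copy of the Step 1 rules as plain Python data (so no YAML library is needed), checks them the way the RBAC authorizer would, lists the grants a reviewer would flag, and shows a narrower rule set that still covers the stated purpose. The SENSITIVE_GRANTS table and deployment_only_rules() are the author's own constructions, not anything from the page.

```python
"""Static review of the c2sr-deployment-role ClusterRole from Step 1.

Added example for this page, not part of the bootcamp material. The rules
are transcribed below from the page's cluster-role.yaml as plain Python data
(a constructed copy) so the script needs no YAML library and runs offline.
"""
from typing import Dict, List

Rule = Dict[str, List[str]]

ALL_VERBS = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]

# Transcription of the page's ClusterRole rules (constructed copy of cluster-role.yaml).
C2SR_RULES: List[Rule] = [
    {"apiGroups": [""],
     "resources": ["endpoints", "nodes/metrics", "nodes/proxy", "nodes/stats"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""],
     "resources": ["namespaces", "services", "secrets", "persistentvolumeclaims", "pods",
                   "pods/exec", "nodes", "serviceaccounts", "configmaps", "persistentvolumes"],
     "verbs": ALL_VERBS},
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["clusterroles", "clusterrolebindings"],
     "verbs": ALL_VERBS},
    {"apiGroups": ["apps", "networking.k8s.io"],
     "resources": ["daemonsets", "namespaces", "deployments", "replicasets", "ingresses",
                   "services", "secrets"],
     "verbs": ALL_VERBS},
    {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ALL_VERBS},
]

# Grants a reviewer flags before binding a role cluster-wide: each lets the
# holder read other credentials, reshape RBAC, run code in pods, or reach
# the kubelet. Tuples are (apiGroup, resource, verb, why it matters).
SENSITIVE_GRANTS = [
    ("", "secrets", "get", "reads any Secret, including other accounts' tokens"),
    ("", "secrets", "list", "enumerates Secret contents cluster-wide"),
    ("", "pods/exec", "create", "executes commands inside any pod"),
    ("", "nodes/proxy", "get", "reaches the kubelet API on every node"),
    ("rbac.authorization.k8s.io", "clusterroles", "update",
     "rewrites cluster-wide roles that other principals rely on"),
    ("rbac.authorization.k8s.io", "clusterrolebindings", "create",
     "hands its own broad permissions to any other subject"),
]


def allows(rules: List[Rule], group: str, resource: str, verb: str) -> bool:
    """True if some rule grants `verb` on `group/resource`. Honours the '*'
    wildcard in each field, as the RBAC authorizer does."""
    for rule in rules:
        if group not in rule["apiGroups"] and "*" not in rule["apiGroups"]:
            continue
        if resource not in rule["resources"] and "*" not in rule["resources"]:
            continue
        if verb in rule["verbs"] or "*" in rule["verbs"]:
            return True
    return False


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding line per sensitive grant the role contains."""
    return [
        f"{verb} {group or 'core'}/{resource}: {why}"
        for group, resource, verb, why in SENSITIVE_GRANTS
        if allows(rules, group, resource, verb)
    ]


def deployment_only_rules() -> List[Rule]:
    """A narrower rule set (constructed here, not from the page) that covers
    managing Deployments without any of the sensitive grants above."""
    return [
        {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"], "verbs": ALL_VERBS},
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
    ]


if __name__ == "__main__":
    for line in audit(C2SR_RULES):
        print("FLAG:", line)
    print("deployment-only findings:", audit(deployment_only_rules()))
```

Run against the page's rules, audit() reports all six flagged grants; run against deployment_only_rules() it reports none. On a live cluster the same question is answered by kubectl auth can-i --list --as=system:serviceaccount:default:c2sr-sa once the binding and account from the later steps exist.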

Step 4: Create a cluster role binding

Create a new file named cluster-role-binding.yaml and paste the following content into it.

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: c2sr-role-binding
subjects:
  - kind: ServiceAccount
    name: c2sr-sa
    namespace: default
roleRef:
  kind: ClusterRole
  name: c2sr-deployment-role
  apiGroup: rbac.authorization.k8s.io

Step 5: Apply the cluster role binding

kubectl apply -f cluster-role-binding.yaml

Expected output:

clusterrolebinding.rbac.authorization.k8s.io/c2sr-role-binding created

Step 6: Verify the ClusterRoleBinding Creation

Confirm that the ClusterRoleBinding was created successfully and is linking the correct role to your service account.

kubectl get clusterrolebinding c2sr-role-binding

Expected output:

NAME                ROLE                               AGE
c2sr-role-binding   ClusterRole/c2sr-deployment-role   62s

What to Look For:

  • NAME: Confirms your binding c2sr-role-binding exists.

  • ROLE: This is the key validation. It shows that your binding is correctly referencing the ClusterRole named c2sr-deployment-role.

This confirms that the c2sr-sa service account now has all the permissions defined in your ClusterRole across the entire cluster.

Step 7: Create the Service Account

This command creates the c2sr-sa service account in the default namespace, the namespace the ClusterRoleBinding's subject refers to.

kubectl create serviceaccount c2sr-sa

Expected output:

serviceaccount/c2sr-sa created

Step 8: Service account verification

You can quickly verify that the service account now exists.

kubectl get serviceaccount c2sr-sa

Expected output:

NAME      SECRETS   AGE
c2sr-sa   0         15s

Step 9: Service token creation

Create sa-token.yaml with the following content.

apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: c2sr-sa-token
  annotations:
    kubernetes.io/service-account.name: c2sr-sa

Apply it to the cluster:

kubectl apply -f sa-token.yaml

Expected output:

secret/c2sr-sa-token created

Step 10: Validate Service Account Token Creation

This command verifies that the Secret object for the token was created correctly and is associated with your service account.

kubectl get secret c2sr-sa-token

Expected Output:

NAME            TYPE                                  DATA   AGE
c2sr-sa-token   kubernetes.io/service-account-token   3      24m

What to Look For:

  • NAME: Confirms the secret c2sr-sa-token exists.

  • TYPE: Verifies that it is the correct type, kubernetes.io/service-account-token.

  • DATA: Shows the number of data entries within the secret (typically token, ca.crt, and namespace).

Step 11: Get the c2sr-sa-token to use for deployment

kubectl get secret c2sr-sa-token -o yaml

Expected output:

apiVersion: v1
data:
  ca.crt: <base64 CA certificate, omitted here>
  namespace: ZGVmYXVsdA==
  token: <base64 service account token, omitted here>
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{"kubernetes.io/service-account.name":"c2sr-sa"},"name":"c2sr-sa-token","namespace":"default"},"type":"kubernetes.io/service-account-token"}
    kubernetes.io/service-account.name: c2sr-sa
    kubernetes.io/service-account.uid: 3f0289de-64d8-403d-9527-3c87a82f6e92
  creationTimestamp: "2025-06-20T03:39:07Z"
  name: c2sr-sa-token
  namespace: default
  resourceVersion: "16790"
  uid: 0914821e-1612-4aa6-9527-5deaa5405f63
type: kubernetes.io/service-account-token
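The data fields in that output are base64-encoded, and the token itself is a JWT whose claims say which account it represents. The script below is an added example, not part of the bootcamp page: it decodes a Secret in this shape and runs the checks an operator would want before handing the credential to a pipeline (the token names c2sr-sa in the default namespace, the CA certificate is present, and the token carries no expiry claim, which is what "non-expiring" means in the summary that follows). SECRET_JSON is a constructed stand-in for kubectl get secret c2sr-sa-token -o json, and its token is a demo JWT assembled inline with a dummy signature so the script runs offline; only the API server can verify a real token's signature, and nothing here attempts that.

```python
"""Pull the token out of the retrieved Secret and inspect what it asserts.

Added example, not from the bootcamp page. SECRET_JSON is a constructed
stand-in for `kubectl get secret c2sr-sa-token -o json`; its token is a demo
JWT built inline with a placeholder signature so everything runs offline.
"""
import base64
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed claims in the shape of a legacy (Secret-backed) service-account
# token. There is no "exp" claim: that is what makes the token non-expiring.
DEMO_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "c2sr-sa-token",
    "kubernetes.io/serviceaccount/service-account.name": "c2sr-sa",
    "sub": "system:serviceaccount:default:c2sr-sa",
}
DEMO_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "kid": "demo-kid"}).encode()),
    b64url_encode(json.dumps(DEMO_CLAIMS).encode()),
    b64url_encode(b"demo-signature-not-verifiable"),  # placeholder, not a real signature
])

# Constructed stand-in for the Secret object retrieved in the step above.
SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {
        "name": "c2sr-sa-token",
        "namespace": "default",
        "annotations": {"kubernetes.io/service-account.name": "c2sr-sa"},
    },
    "data": {
        "ca.crt": base64.b64encode(b"-----BEGIN CERTIFICATE-----\nDEMO\n-----END CERTIFICATE-----\n").decode(),
        "namespace": "ZGVmYXVsdA==",  # value exactly as on the page; decodes to "default"
        "token": base64.b64encode(DEMO_TOKEN.encode()).decode(),
    },
})


def decode_secret(secret_json: str) -> dict:
    """Base64-decode every data field of a service-account-token Secret."""
    obj = json.loads(secret_json)
    if obj.get("type") != "kubernetes.io/service-account-token":
        raise ValueError(f"unexpected Secret type: {obj.get('type')}")
    return {key: base64.b64decode(value).decode() for key, value in obj["data"].items()}


def jwt_claims(token: str) -> dict:
    """Return the claims segment of a JWT. No signature check is done here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    return json.loads(b64url_decode(parts[1]))


def check_token(secret_json: str, expect_sa: str = "c2sr-sa", expect_ns: str = "default") -> dict:
    """Checks to run before handing the credential to a pipeline: the token
    names the intended account, the namespace matches, the CA is present,
    and whether the token carries an expiry at all."""
    data = decode_secret(secret_json)
    claims = jwt_claims(data["token"])
    return {
        "namespace": data["namespace"],
        "subject": claims.get("sub"),
        "bound_to_expected_sa": claims.get("sub") == f"system:serviceaccount:{expect_ns}:{expect_sa}",
        "namespace_matches": data["namespace"] == expect_ns,
        "ca_present": data["ca.crt"].startswith("-----BEGIN CERTIFICATE-----"),
        "has_expiry": "exp" in claims,
    }


if __name__ == "__main__":
    for key, value in check_token(SECRET_JSON).items():
        print(f"{key}: {value}")
```

On a real cluster the same decoding is what kubectl get secret c2sr-sa-token -o jsonpath='{.data.token}' | base64 -d does for the token field alone; the script adds the claim checks so that a token copied between team members can be confirmed to be the one for c2sr-sa before it is used.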

Accomplishments

  • Custom ClusterRole Defined: A new, cluster-wide set of permissions (c2sr-deployment-role) was successfully created and applied, defining a reusable set of extensive permissions for deployment tasks.

  • Service Account Provisioned: A dedicated identity for automation, the c2sr-sa ServiceAccount, was successfully created within the default namespace.

  • RBAC Permissions Granted: A ClusterRoleBinding was created to successfully link the c2sr-deployment-role to the c2sr-sa ServiceAccount, granting it the defined permissions across the entire cluster.

  • Authentication Token Generated: A non-expiring token Secret was created and associated with the c2sr-sa ServiceAccount, providing a durable credential required for external systems to authenticate.

  • Credentials Retrieved: The full secret object, including the authentication token, has been retrieved and saved for use in the next stage of the project.

The cluster's Role-Based Access Control (RBAC) system has been successfully configured to support external automation. A complete security principal—consisting of an identity (ServiceAccount), permissions (ClusterRole), a link between them (ClusterRoleBinding), and a credential (Secret token)—is now fully provisioned.

The system is prepared for the integration of a CI/CD pipeline, which can now be configured with the retrieved token to securely authenticate and manage deployments on the cluster.

Reflection

Please take a moment to write down any questions, issues, or doubts you encountered during this milestone.
This will help guide the next discussion and ensure everyone is on the same page before moving forward.

Next Steps

  • All group members should have a copy of the c2sr-sa-token yaml. It will be used in the next tasks.

  • Detach from the screen session (ctrl + a then d).

  • Exit the ssh session on the control plane.

  • Return to the terminal on your computer.

  • Rejoin the common Discord lobby to await further instructions or support your peers.

Last modified: 23 June 2025