►
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
RBAC policies are vital for the correct management of your cluster, as they allow you to specify which types of actions are permitted depending on the user and their role in your organization.
This webinar will go through the essential RBAC concepts and objects in Kubernetes, as well as show some basic use cases.
Examples include:
- Secure your cluster by granting privileged operations (accessing secrets, for example) only to admin users.
- Force user authentication in your cluster.
- Limit resource creation (such as pods, persistent volumes, deployments) to specific namespaces. You can also use quotas to ensure that resource usage is limited and under control.
- Have a user only see resources in their authorized namespace. This allows you to isolate resources within your organization (for example, between departments).
A
All
right
we're
gonna
go
ahead
and
get
started.
Welcome
to
today's
CN
CF
webinar
role-based
access
control,
that's
our
back
policies
in
kubernetes,
I'm,
Jorge,
Castro,
community
manager
at
Hatillo,
and
a
CN
CF
ambassador
I'd,
like
to
thank
everyone
who's
joining
us.
Today
we
like
to
send
a
welcome
to
Javier
Sal
Marin
computer
engineer
bitNami,
who
will
be
our
presenter
today.
We
appreciate
his
expertise
on
access
control
policies
and
kubernetes
with
our
listeners
today,
some
housekeeping
items
before
we
start
so
during
the
webinar.
You
won't
be
able
to
actually
talk
through
the
meeting.
A
So
there's
a
chat
window
at
the
bottom
of
your
client
or
you
can
use
the
Q&A
function.
Click
on
that
and
you'll
be
able
to
drop
your
questions
in
there
or
in
chat
and
we'll
get
to
as
many
as
questions
as
possible
before
at
the
end,
the
session
is
going
to
be
recorded
and
we'll
send
along
a
link
to
that
recording
and
a
link
to
the
slides
from
the
presentation
and
with
that
we'll
hang
it
over
to
Xavier
and
let's
go
ahead
and
get
started.
A
B
You
Jorge,
so
thank
and
hello.
Everyone.
Thank
you
for
joining.
Please
these
online
talk.
So
yesterday
we
went
to
talk
about
our
mock
probate,
assess
control,
I.
Remember
when
most
like,
maybe
one
year
ago,
that,
when
working
with
kubernetes
suddenly
there
was
one
point
where
these
things
they
need
to
be
relatively
easy
to
work
with,
and
suddenly
our
Batcave
and
forum
stack
overflow.
Everything
started
to
appear
with.
B
It
was
like
a
nightmare
because
suddenly,
when
these
policies
were
enabled
by
default,
it
looked
like
nothing
work
and
so
I
think
things
have
changed
a
little
bit,
but
at
least
worth
taking
a
look
and
trying
to
understand
the
concepts
are
behind
this.
Actually,
it's
not
that
difficult
as
it
may
seem,
even
though
I
know
that
most
several
people
may
have
have
many
troubles
with
them,
but
let's
I
would
I
want
to
keep
it
as
simple
as
possible
as
intuitive
as
possible.
So
we
get
to
understand
the
core
concepts.
B
I
will
I
will
I
have
some
slides,
but
I
will
also
go
to
the
council
to
show
some
policies.
Actually
so,
okay
with
that
said,
I'm,
the
way
that
I
want
to
start
is
with
a
really
simple
thing
that
we
may
want
to
do
in
a
great
display
cluster
to
tease
creating
users,
because
I
think
that's
the
perfect
way
to
start,
because
I
can
imagine
that
several
of
you
that
have
played
in
kubernetes
have
worked
with
kubernetes,
especially
mini
q4q
eidm.
B
Your
community
sample
from
minami
may
have
the
deployer
application
may
have
work
with
he'll,
probably
with
what
with
will
work
with
helms
well
here,
but
I'm
sure
that
many
people
have
used
I
have
used
all
the
mystery
there's
full
administrative
credentials.
Does
the
default
credentials
with
mini
cube,
which
means
that
you
can
do
pretty
much
everything
inside
the
cluster.
B
But
if
we
talk
about
thing,
you
know
companies
that
we
make.
If
we
want
to
use
coronaries
in
production,
you
know
inside
a
company
for
something
you
know
me.
We
may
want
to
have
something
a
bit
different.
We
don't
want
to
have
users
to
have
full
privileges
and
because
it
won't
be
something
or
to
have
just
one
account
with
full
primitive
communities.
We
may
want
to
have
a
different
type
of
users.
We
may
want
to
have
different.
A
B
B
B
Then
it
may
be
the
same
for
you,
sir,
so
there
might
be
a
chief
CTL
create
you
sisters
like
we
do
you
CTL
plate
deployment
or
create
a
part,
but
the
thing
is
that,
unfortunately,
that's
not
the
case,
so
we
don't
have
a
Q
CTL,
create
user.
That
would
allow
us
to
today's
computer
everything
because
in
this
sense
for
users,
communities
provide
no
API
object
in
the
sense.
That's
why
they
start
just
like.
We
have
with
path
so
there's
no
user
object
that
can
be
creative,
deleted,
updated
or
read.
B
It's
not
entity
that
will
continue
everything
about
other
user
authentication
or
user
management.
So
there
are
different
options
in
the
sensor:
certificate
based
authentication,
using
tokens
using
basic
authentication
with
username
and
password
away
or
of
to
another
other
options
for
this
online
talk
I
will
just
go
for
some
basic
observable.
Is
the
certificate
based
authentication
so.
B
B
So
basically,
the
idea
that
you
need
to
know
about
certificate
based
authentication
in
communities
is
the
following:
when
you
create
a
cluster
use
immunity
for
you,
the
point
yourself
TKE
or
wherever
the
core
idea
is
that
there
is
one
certificate
authority
in
the
cluster
comprised
of
run
on
a
certificate
and
a
private
key.
This
authority
was
why
do
we
use
this
Authority
we're
going
to
use
this
Authority,
basically
to
create
certificates
that
will
be
accepted
by
the
communities
API?
B
For
example,
open
ssl
of
the
counselor
peak
ki
tokyo,
which
is
using
the
in
one
of
very
well-known
life.
It
is
the
term
that
is
the
hard
way
to
build
your
own
cluster,
but
in
this
session
we
want
to
use
open
SSL,
which
is
widely
available
in
all
namespace
operating
system.
So
nothing
as
the
one
faces
choices
and
when
creating
this
user
certificate,
I
don't
know
if
any.
B
If
people
have
did
you
have
some
students
with
dealing
with
open
SSL,
but
in
this
case
we
only
need
to
take
into
account
two
fields
when
creating
the
user
certificates.
One
is
the
common
name,
because
kubernetes
will
interpret
this
value
as
the
user
and
the
organisation
discriminate.
This
will
interpret
in
Spanish
set
of
values
a
secret.
So
then,
so
just
to
summarize
again
so,
communities
has
no
use
of
death.
Instead
will
read
the
values
from
the
user
certificates
which
will
be
signed
by
the
cluster
authority.
B
B
Basically,
we
will
create
a
private
key
in
the
local
system
and
we'll
create
a
certificate
signed
request.
This
request
will
be
sent
to
the
administrator
and
it
will
be
signed
in
order
to
create
the
certificate
for
each
developer
call
one
in
this
case.
This
is
the
command
I.
Don't
want
to
go
much
into
the
details
to
the
command
will
be.
It
said
that
will
be
available
in
the
key
bleep
up
with
the
samples
but
notice
this
part,
a
common
name,
which
is
the
user
name
and
the
organization
which
is
to
move.
B
B
B
So
what
we
do
is
to
download
to
get
our
certificate
or
public
key,
which
was
locally
created
and
the
certificate
which
was
generated
button
by
the
administrator,
and
with
that
we
create
the
new
information
in
our
community
spline
configuration.
It
is
called
contest,
which
is
just
a
plainly
simple,
which
cluster
I'm
going
to
connect
to
and
with
we
with
with
which
credentials
we're
going
to
connect
the
trust.
So,
first
we
add
information
about
the
kubernetes
cluster
that
we
want
to
connect
to.
B
B
B
B
B
Your
your
team,
starting
to
create
a
request
and
now
I'm,
going
to
see
because
now
I'm
the
developer
they
want
is
requesting
now
I'm
going
to
turn
into
the
administrator.
So
now
the
administrator
will
take
that
C's,
CSR
and
we'll
use
a
sign
that
request
using
the
cluster
Authority
in
the
case
of
mini
cube
is
inside
this
that
Todd
zwillich,
you
folder
and
basically
what
we
do
is
sign
it,
and
now,
in
this
folder
I
got
all
the
information
that
I
require.
B
B
Yes,
so
I
got,
my
private
key
are
my
certificate.
If
we
use
open
SSL
to
look
into
the
contents
of
this
certificate,
we
can
see
a
lot
of
data.
But
here
is
one
of
the
four
bits
of
information
between
certificate.
Wise
was
signed
by
mean
accuser
of
forces
diminutive
cluster.
Under
this
information.
This
is
my
common
name
username
army
group.
So
now
that
I
have
that
I'm
going
to
basically
configure
keeps
ETL
process.
B
My
mini
chief
cluster
in
this
case
I,
don't
need
to
to
add
the
information
about
the
cluster
because
it's
already
alerts,
because
if
I
do
to
CTL
country
that
clusters,
you
can
see
that
there's
already
an
information
about
mini
cube
in
my
client.
If
not,
you
will
have
traveled
so
I
only
need
to
create
to
add
the
new
extensions
to
the
to
my
configuration
so
basically
I'm
going
adding
my
client
certificate
on
my
private
key.
B
B
So
that's
it
now.
If
I
achieve
this
demand
is
in
city
rocket,
complicate
contacts
now
I
can
access
my
mini
Kiev
cluster
in
two
different
ways,
using
my
administrator
credentials,
the
one
that
we
normally
use
and
now
different
another
user,
Cassandra
Cassandra,
which
is
with
the
new
certificates
created.
So
now
when
I
insert
the
cluster
I,
will
I
will
be
able
to
assess
as
administrator
of
this
new
user.
B
So
if
everything's
ready
I'm
going
to
just
try
it
and
see
what
happens
now,
I've
become
the
newly
created
user
and
then
I
went
to
do
the
most
simple
operation
than
most
of
everyone.
Does
the
Heartland
Community
strike
cities,
which
is
to
create
to
get
parts,
and
this
is
what
I
get
since
you
can
see?
I
get
an
error
saying
that
you,
sir
talmidim,
cannot
leave
spots
in
the
same
space.
Namespace
default
what's
happening
here,
so
finish
that
yes,
we've
created
a
user,
but
we
haven't
listen.
B
We
haven't
told
through
hampstead
what
of
kind
of
operations
this
user
can
do
so
by
default,
this
newly
created
user
can't
do
anything
and
they
and
it
makes
sense
if
you
want
to
make
it
secure.
Firstly,
we'll
create
the
user,
and
then
you
decide
what
this
newly
created
user
can
or
can't
do,
makes
sense
right
so
because,
if
I
go
back
to
to
the
other
nut
administrator
credentials,
of
course,
I
can
access
and
get
the
part.
So
this
is
the
part
that
introduces
us
to
our
back.
That's
the
way
I
wanted
to
start
circuitry
user.
B
We
know
we
know
now
how
to
create
a
user.
So
now
we
can
create
multiple
users
and
now
we're
going
to
learn
how
to
define
what
a
user
or
set
of
users
can
or
can't
do
so
I'm
going
to
skip
this
little
testing
part
of
the
scene
and
now,
let's
start
with
role
based
access
control
when
it
comes
to
our
mug,
there's
three
basic
things
that
we
need
to
understand:
three
basic
elements
that
we
meet
you
to
understand
in
clearly
designed
other
arbok
bae
systems.
We
have
button
on
the
subjects.
B
There's
a
set
of
users
right,
we
created
one:
we've
got
human
beings,
we
can
have
processes
in
an
operating
system
processes
in
a
pod,
but
that's
why
we
call
them
started.
So
we
got
users,
that's
something
that
we
are
really
creative.
Then
we
have
something
that
we
already
know
from
this
particular
necklace
resources,
parts
deployments
services,
something
that's
English,
these
rooms
wherever
so
we
got
studies
and
a
set
of
resources,
and
we
have
a
set
of
operations
that
we
can
do
over
the
set
of
resources.
B
B
Well,
with
this
name,
I
didn't
mind
that,
for
we
going
to
them
and
kubernetes
offers
us
API
objects
with
that
objective
to
connect
such
as
our
resources
operations.
So
let's
go
to
the
right-hand
side
of
this
to
the
to
these
two
groups.
First,
the
first
object
that
we
have
internet
is
for
our
bot
is
the
role.
What
does
it
do?
It
connects
these
resources
and
operations,
but
inside
and
main
space.
B
So
what
we
do
is
to
define
a
set
of
operations
that
we
can
do
in
or
a
set
of
resources
inside
and
a
stencil
notice,
these
three
elements
of
operations,
resources
and
matrix.
So
what
we
do
is
just
to
select,
for
example,
part,
please
forget
as
operations
and
we
create
a
role
that
connects
the
two
of
them
percent.
A
B
Resources
and
operations,
so
this
role:
what's
the
Jama,
let's
go
and
take
a
look
at
the
channel
so,
as
always,
we'd
have
kind
of
a
version
metadata,
that's
something
that
appears
every
single
kubernetes
api
object,
and
then
we
have
a
section
called
rules
and
what
really
find
that?
What
do
we
define
there?
Basically
with
resources
and
which
operations
so
resources
and
operations?
Once
again,
if
there's
a
connection
of
the
tooth,
so
basically
in
which
resources
section,
we
need
to
specify
a
name
of
the
resource
and
the
API
group
it
belongs
to.
B
So
we
may
know
Carnegie
software
different
API
groups
and
our
different
API
objects
inside
of
them.
So
how
do
I
know
the
name
of
the
a
API
group?
That's
easy!
You
only
need
to
go
to
the
API
reference
and
take
a
look
go
to
this
link
to
see
if
you'll
see
something
like
paste.
It's
a
fresh
sample
for
the
rule
that
I
want
to
create.
With
these
two
we
to
get
hot,
so
I
will
go
and
say:
okay,
part.
This
is
the
name
of
the
resource
and
the
Google
belongs
to
his
core.
B
B
For
the
other
example,
we
can,
for
every
we
force
every
resource
on
all
the
operations
we
can
use
wildcards,
for
example.
This
is
the
other
sample
that
we
have
well.
So
we
connected
to
of
elements
of
the
groups.
Now
we
need
we're
missing
the
other
one
right
users
subject.
So
how
do
we
connect
the
foodstuff
deaths?
There
is?
B
We
have
now
a
set
of
rows
which
were
net
operation,
some
and
resources,
and
now,
with
role
bindings,
we're
going
to
connect
a
role
to
a
set
of
subjects
after
futures,
for
example,
we
may
want
to
say
all
these
users
from
the
group
death,
for
example,
that's
white
goods
and
you
are
useful,
can
treat
pots,
so
we
connect
in
the
role
with
this
set
of
users
and
the
other
world
rogue.
We
do
have
more
privileges.
We
may
want
to
say
no,
no,
no,
no,
this
one.
We
only
want
to
connect
it
to
this
specific
user.
B
That's
what
we're
going
to
do
with
role
bindings.
So
what's
the
channel
of
the
role
binding
is
just
the
same.
The
same
we
got
the
first
kind,
ok,
bursaries,
metadata
and
now
we're
going
to
specify
which
subjects
we're
going
to
apply
a
single
role,
so
we're
going
to
put
below
our
roll
and
we're
going
to
put
a
certain
subjects.
Above
basically,
in
this
optics
session,
we
when
we
can
put
a
user,
a
group
and
another
one
that
we'll
see
later
on,
but
for
what
we
know
right
now
uses.
B
For
example,
in
the
case
of
be
able
to
read
parts,
we
can
use
the
group,
the
group
that-
and
we
specify
as
well
the
APA
group
this
where
we
can
find
the
object
group,
but
it's
not
enough
to
like
diplomas
and
policies.
Another
is
an
API
entity,
different,
that's
from
the
subjects
and
now
below
we
put
the
role
we
want
to
apply
to
that
group
of
subjects
above
and
it's
just
the
same
so
role
on
the
idea.
So
with
this
we've
connected
useless
resources
and
operations
and
I'm
going
to
show
it
right
now.
B
So
let
me
go
back
to
the
terminal
and
let's
go
to
the
second
section.
So
basically,
we
have
before
that
sorry
that
we
weren't
able
to
access
pause.
So,
let's
go.
What
we're
going
to
do
is
to
allow
this
newly
created
user
to
access
pot,
but
first
only
in
a
specific
main
space,
so
I'm
going
to
create
the
proper
rules.
So
this
the
Samba
user,
can
access
pots
inside
that
the
namespace
test.
B
B
Well,
so
I'm
the
point
list
to
rules,
and
now,
if
I
switch
to
my
new
contacts,
if
I
try
keep
CBL
get
past,
it
will
not
work
because
it's
accessing
the
default
namespace.
But
if
I
try
to
access
the
test
namespace,
you
can
see
that
I
can.
In
this
case,
there
are
no
resources
because
they
are
not
not
parts
deployed,
so
I'm
going.
B
B
So
in
order
to
continue
I'm
going
to
now,
grant
me
the
access
to
do
everything
inside
of
things
things
as
their
other
role
is
also
I'm,
going
back
to
being
the
the
administrator
and
now
I'm
going
to
deploy
the
other
two
rows,
the
one
that
could
do
everything
inside
test
and
to
it
user
to
myself
a
second,
so
I,
don't
think
so
before
them
here.
But
basically,
that's
the
that's.
B
Now,
with
that
I'm
going
to
to
deploy
these
tools
now,
the
rollers
are
the
operations
and
not
the
binding,
and
with
that
now
in
principle,
as
the
user
gets
on
their
own
I
can
do
everything
inside
the
test
namespace.
So
now,
if
I
try
to
deploy,
for
example,
an
Internet
now
I
can't
do
it
because
I
have
the
proper
privileges.
So
I
got
the
proper
set
of
operations
connected
to
my
to
my
subtlest.
Take
some
basically
there
it
is
creating
the
container,
but
what
is
more,
I
can,
for
example,
create
services.
Why?
B
B
So,
as
you
can
see
the
way
that
we
can
start
defining
what
a
set
of
users
can
or
cannot
do
inside
or
clustered
grenades
plastic,
let's
go
a
bit
further,
so
okay,
fine
I'm
able
to
define
whether
user
can
do
in
seven
eight
space.
But
what,
if
I,
want
to
what?
If
I
want
to
be
able
to
define
privileges
that
are
not
in
not
only
to
one
namespace
but
the
whole
cluster,
so
I
may
want
to
first
sample
get
thoughts
inside
potting,
no
namespaces
of
the
cluster
I
want
to
access
resources.
B
Them
do
not
belong
to
a
namespace,
like
notes
notes
to
not
be
known
from
in
space.
In
that
case,
in
order
to
apply
cluster
white
privileges,
we've
got
the
another
to
two
API
objects.
We
have
the
wall
before
now.
We
have
the
cluster
role,
which
is
pretty
much
the
same
as
a
role
but
applied
to
a
whole
cluster
to
all
namespaces
to
all
kind
of
resources.
They
spaced
these
based
resources
or
not.
B
B
So
that's,
as
you
can
see
it's
something
very
similar
to
to
the
role,
but
there's
instead
a
class
for
the
whole
cluster.
So
how
do
we
define
these
Hut's?
The
channel
good
news,
the
general
is
pretty
much
the
same
as
a
mole.
It's
just.
What's
the
only
difference,
obviously,
the
kinds
different
well
money
stolen,
always
plus
a
role,
but
in
this
case
it
doesn't
make
sense
to
put
the
namespace
because
for
the
whole
cluster
right,
but
the
demo
is
just
the
same.
B
So
okay,
now
we
have
a
set
of
operations
of
the
set
of
resources
for
the
whole
cluster.
We
need
to
connect
the
third
group,
the
third
group,
the
users
and
get
if
we
have
role
and
role
binding,
guess
what
we
have
cluster
roles
and
cluster
role,
findings,
which
is
just
the
same
to
connect
cluster
role
to
a
set
of
users,
for
example.
We
may
want
to
that.
All
members
of
the
deaf
group
can
read
all
paths
in
the
cluster
and
we
may
only
want
that.
B
B
Going
to
grant
this
user
access
to
read
pot
in
all
a
cluster,
so
if
we
go
back
to
to
be
in
the
administrator
we're
going
to
apply
now
these
two
channels
first
one
is
we
seen
it
before.
There's
a
cluster
role
very
similar
just
to
get
all
these
pots
and
the
other
one.
The
binding
is
basically
we're
going
to
grant
this
cluster
role
we're
going
to
create
to
the
user
Jason
Marin.
As
you
can
see,
that
new
system
there
exists
one
of
the
concept
that
it's
more
difficult
from
the
standards.
It's
just
three
sets.
B
If
we
understand
as
three
groups,
you
stop
this
resources
and
operations.
This
was
really
smoothly,
so
I'm
going
to
apply
them.
I
apply
the
two,
the
two
Dunlop
depths
and
now
I
go
back
to
my
user.
So
of
course,
I
can
win
everything
for
the
test
in
space,
but
also
I
can
wait
from
the
default
namespace.
Even
from
the
keep
system.
Namespace
now
I
can
read
around
it
with
parts
from
everything,
namespace
kind
of
legal
services.
No
I
can't
because
I
only
have
privileges
to
see
services
in
the
test.
B
This
is
more
for
those
that
want
to
create
havoc
that
cluster
from
scratch
for
a
sample
or
both
may
know
that
cornet
is
by
default,
already
includes
some
cluster
all
bindings,
for
example,
system
basic
user,
which
basically
this
is
the
when
you
try
to
access
the
cluster
without
proper
authentication.
This
ARMA,
who
will
apply,
which
doesn't
allow
you
to
do
I'll
soon,
makes
me
know
operation.
B
B
So
in
in
the
case
of
the
default,
meaning
give
account
of
behalf
when
you,
sir,
that's
the
clue
body
belong
it
to.
So
what
if
we
created
a
user
with
restrictive
permissions?
But
what?
If
you
wanted
to
create
an
admin
user
without
privileges
we
could
create
just
like
we
did
before
a
certificate
request,
but
with
the
group
system
masters
so
easy,
this
you
surf
ID
fault,
we'll
be
able
to
do
everything
in
the
cluster.
B
In
addition,
in
a
cluster
you
can
see
other
classroom
by
means
which
are
made
for
the
different
components
of
the
communities
class
volunteer,
the
shelter
the
proxy,
which
is
out
of
the
scope
of
this
of
this
session.
But
basically
you
can
see
anything
using
keeps
it
yogurt
cluster
role,
I
know,
and
it's
never
wrong.
You
stir
so
I
need
to
go
back
to
the
at
least
written
and
not
try
again,
you
can
see
a
list
of
you
of
already
mine
everywhere
in
the
cluster.
We
can
see
a
lot
of
pen.
B
B
Well,
this
is,
as
we
know,
for
creating
a
deployment,
but
it,
but
we
know
as
well
that
deployment
will
create
stateful
sets
and
obstacles
in
our
own
replica
sets.
That
will
also
create
parts
right.
So
do
we
need
to
have
privileges
for
all
of
these
resources.
We
need
to
be
able
to
create
it
for
part
represents
deployments,
but
it
seems
what
makes
sense
is
that
for
this
command.
We
need
to
be
able
to
create
two,
but
let's
see
what?
B
Basically,
you
know
the
traffic
give
this
command.
You
only
need
to
create
to
have
privileges
to
create
deployments.
That's
everything
you
need
another
one.
So
if
you
want
to
get
deployments
just
like
get
parties,
one
is
must
be
similar
to
one
that
we
internet
before
right,
but
notice
that
we
I
added
also
the
mask
W
option
with
this
for
waiting
and
if
what
just
constantly
the
evolution
of
all
of
these
deployments
right.
So
we
know
that,
in
order
to
get
information
for
a
single
appointment,
we
will
use
the
get
birth
for
listing.
B
All
the
deployments
will
use
the
list
and
also
for
for
waiting
for
I'm
watching
the
status
we
need
to
miss
Freebirds
I
continued.
So
what?
If
you
want
to
delete
a
deployment
from
this
list,
it
looks
clear
that
we
need
to
have
two
to
be
able
to
delete
a
deployment,
but
also
not
only
to
delete
also
to
get
because
in
order
to
delete
an
appointment
first,
we
need
to
know
if
it's
a
cyst
right,
so
we
get
first
information
the
deployment
and
then
we
delete
it.
B
B
So
these
are
the
birds
that
will
me
and
what,
for
this
command
or
for
disposing
a
deployment
to
create
a
service,
I
think
I'm,
saying
itself
to
create
a
service
exactly,
but
also
we
need
to
be
able
to
get
the
information
to
the
deployment
in
order
to
see
if
it's
assist
or
not,
and
then
we
create
the
services
are
the
two
operations
in
order
for
this
command
to
work
under
on
the
last
one.
This
is
not
without
some,
if
is
maybe
more
difficult.
Please
command
me
for
the
n-terminal
part
or
some
undistributing
one
command
right.
B
For
this
specific
case.
Of
course
we
mean
we
may
need
to
be
able
to
get
information
from
pots
so
for
the
object
botany
to
get
it,
but
also
I
need
another
thing
that
allows
me
to
enter
the
the
the
part
of
the
containers,
which
is
basically
be
able
to
solve
this
one
to
get
the
pots
and
to
be
able
to
create
this
kind
of
we
source.
So,
yes,
this
may
be
a
more
difficult
one,
but
basically,
if
you
go
in
the
API,
you
will
see
which
operations
you
need.
B
So
basically
you
need
to
so
entering
the
the
pot.
First
hitting
command
is
like
creating
an
exact
element,
so
it's
like
creating
an
execution,
it
kind
of
makes
sense.
Actually,
so
you
need
to
be
able
to
say,
seen
information
from
the
table
and
be
able
to
create
an
execution,
so
I
hope
with
that.
With
this
we
have
more
ideas
of
how
the
birth
the
birth
work.
B
Well,
so
I'm
going
back
again,
so
we
have
a
better
user.
We
see
that
this
use
we're
using
certificates
which
contain
information
about
the
credentials
of
the
user.
They
use
another
group
that
it
belongs
to.
Then
we
try
to
access
the
cluster
with
these
mutated.
You
simply
couldn't
do
anything,
so
we
need
to
create
rules,
document
real
service
on
set
of
resources
and
some
operations.
It
could
be
done
mixed,
a
internal
space
where
rows
row
bindings
and
in
the
whole
cluster,
so
cluster
role
and
cluster
all
bindings-
and
this
is
where
we
are
now
so.
B
B
So
what
do
we
have
now?
We
know
that
the
user
can
create
everything
and
do
pretty
much
anything
inside
the
test
namespace.
So
one
may
think.
Okay,
so
now
I
will
be
able
to
to
deploy
help
chart
inside
my
name
space
test.
Let's
see
if,
if
that's
possible,
so
I
I've
changed
to
test
on
the
wrong
and
I'm
going
to
install
one
of
their
be
Nami
charted
weekly
chart
in
my
cluster.
B
B
This
tiller
part
is
inside
the
queue
system.
Namespace
and,
as
you
can
see,
I
can
access
it.
I
can
because
I
have
to
get
privileges
inside
mine.
My
any
namespace,
thanks
to
the
class,
the
role
binding.
However,
you
can
see
I
can
get
all
the
details.
However,
that's
not
enough,
because
I
also
need
to
do
up
what's
gonna
pour
forwarding.
B
Some
of
you
may
be
familiar
with
it
with
the
kimchi
field
for
forward
which
allows
you
to
put
to
resume
just
like
we
do
with
SSH
tunnels
to
you
know
to
access
one
container
port
inside
from
pot
port
from
the
local
machine,
and
that's
something
you
need
to
do
with
helm
as
well.
So
I
need
to
be
able
to
forward
to
my
local
machine
that
T
have
until
our
ports,
so
I
don't
want
to
go
much
into
details
about
that.
B
Basically,
I
need
to
have
a
rule
that
allows
me
to
do
this
for
former
operation,
so
I'm
going
to
create
the
role
connected
to
my
domain
user
basically
allows
you
to
do
the
future
perform
or
anyone
more
details.
We
can
go,
then
the
Q&A,
but
on
to
this
I'm,
going
to
switch
to
the
administrator
and
I'm
going
to
allow
myself
to
do
this
operation.
So
now,
if
everything
is
correct
now
that
cannot
so
and.
B
Means
less
so
I'm
going
to
just
go
really
fast,
okay,
so,
basically
now
I
should
be
able
to
to
to
deploy
a
cluster.
Of
course,
I
can
do
it
and
in
principle,
I
should
be
able
I
shouldn't
be
able
to
deploy
in
another
namespaces
right.
So,
for
example,
if
you
want
to
install
in
the
default,
namespace
should
fail.
B
B
B
So
let
me
go
really
fast
to
what's
going
on
so
for
those
who
don't
know
again
helm
when
it
does
install
a
part
in
your
cluster.
That's
when
you
use,
for
example,
Henry
stole
this.
This
would
be
responsible
of
rendering
the
the
the
charts
and
the
planets
as
well
in
to
the
cluster.
So
it's
not
just
on
balloon
with
the
one
that
is
deploying
to
the
cluster.
It
is
the
mix
path.
So
this
is
the
one
there's
a
process
in
this
part
that
is
talking
to
the
kubernetes
api,
to
deploy
all
the
different
elements.
B
So
it's
not!
It's
not
me.
It
is
this
help
process,
so
so
so,
okay,
so
now,
suddenly
it's
complaining
because
it's
cont,
so
it's
getting,
are
much
issues
after
with
the
point
helm,
because
it
can't
access
the
AP
there,
the
API
it
can't
it's
not
allowed
to
do
this
operation
so
really
fast.
The
question
is:
how
do
we
configure
this,
because
in
the
case
of
human
users,
it
seemed
clear
we
have
a
certificate
with
all
the
day,
attorneys
to
sign
it,
and
it
worked
like
that.
B
But
what,
in
the
case
of
processes
inside
parts,
so
do
we
need
to
also
give
certificates
is
how
does
it
work
well
for
the
case
of
processes
in
part,
what
we
have
is
an
object
called
service
account.
So
I
said
before
that
regular
users
and
errant
user
did
not
have
a
communities
object
to
create
the
lead.
That
was
true
for
all
of
these
kind
of
inserts,
but
the
only
exception
is
the
processes.
B
B
So
how
do
we
create
this
kind
of
objects?
It's
really
simple.
This
just
will
specify
a
name,
a
name
space
under
the
hood.
It
will
create
an
API
token
and
it
will
be
stored
in
the
cluster.
No,
this
done
before
the
on
the
certificates
will
store
outside
the
cluster.
In
this
case,
we
services
account
service
accounts.
B
Basically,
when
you,
how
do
you
configure
service
accounting
in
the
pointman
sound
post?
Basically,
instead
of
pod,
to
specify
which
service
account
it
will
be
used.
So
if
a
pot
needs
to
assess
the
governance
API,
then
you
need
to
specify
a
service
account
inside
the
part
of
the
deployment
and,
if
not,
we'll,
use
the
default
and
that's
what
happened
with
whenever
we
deployed
helm.
Basically,
what
happen
is
that
when
I
redeployed
it
will
use
the
default
service
account
and
therefore
it
wasn't
able
to
do
anything
so
and
that's
to
finish.
A
B
B
So,
in
principle,
one
would
be
tempted
to
use
this
kind
of
law
bindings
so
to
take
the
service
account
tiller,
saying
this
case
wants
to
maybe
like
that,
and
we
will
grant
the
cluster
admin
cluster
role
and,
if
you
remember
before,
the
cluster
demean
cluster
wall
was
one
of
the
default
that
pretty
much
allow
any
kind
of
operation.
And,
yes
that
did
work
right,
but
what
happened
suddenly,
as
a
user
condition
alone,
I
was
able
to
deploy
in
any
namespace
breaking
the
whole
our
mock.
B
So
we
must
be
really
careful
with
when
for
something
like
a
Sohail.
How
do
you
configure
our
bot,
because
it's
something
new
or
you're,
creating
a
like
a
hole
in
your
security,
if
not
used
correctly
so
I,
don't
think
we
have
much
time
but
the
rest
of
her.
Basically,
what
was
going
to
do
is
just
to
create
the.
B
B
So
with
with
that,
then
the
children
will
have
a
proper
privileges
in
this
case,
potentially
dangerous
that
we've
seen
before,
but
what's
clothing,
but
now
it
will
do
so
with
that
we
underscore
all
the
elements
of
in
our
back
subjects,
not
only
revolution
for
service
accounts
on
how
to
connect
everything
with
roles
from
role
bindings.
So
I
don't
think
we
have
much
pretty
sorry,
sorry
for
the
team
any
longer,
but
basically
I'm,
just
to
wrap
up
I'm
open
to
questions
yeah.
A
So
what
we're
gonna
do,
because
we're
out
of
time
for
questions
is:
we've
captured
all
the
questions
in
the
Q&A
and
zoom.
If
you
have
any
left,
please
answer
them
in
there.
Just
click
on
the
Q&A
button
at
the
bottom
and
what
we're
going
to
do
is
gather
up
all
the
questions.
Have
you
answer
them
and
then
send
them
back
out
because
we're
out
of
time?
Okay,.
B
A
Thank
you
for
joining
us
today
to
learn
something
about
our
Mac
and
kubernetes.
This
webinar,
recording
and
all
slides
will
be
online
later
on
today
and
we'll
try
to
get
those
questions
answered
and
how
to
use
that's
possible
and
we're
looking
forward
to
seeing
you
at
a
future
CN
CF
webinar.
Thank
you
and
have
a
nice
day.