1.Configure-RBAC.md

1. Configure RBAC

RBAC is not activated by default. Although pod security policies requires to have this configuration enabled, it's highly recommended enable this option by default on any kubernetes cluster. To activate RBAC in microk8s you must follow this procedure:

• Modify /var/snap/microk8s/current/args/kube-apiserver to set the --authorization-mode to RBAC.
• Restart the kube-apiserver: sudo systemctl restart snap.microk8s.daemon-apiserver.
• Create a cluster role binding granting cluster admin permissions to default serviceaccount in kube-system namespace: kubectl apply -f rbac/cluster-role-binding-default-sa-at-kube-system-as-cluster-admin.yml.

Now you should have the following outputs:

$ grep "authorization-mode" /var/snap/microk8s/current/args/kube-apiserver 
--authorization-mode=RBAC
$ kubectl get clusterrolebinding -o yaml default-sa-at-kube-system-as-cluster-admin
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"default-sa-at-kube-system-as-cluster-admin"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"default","namespace":"kube-system"}]}
  creationTimestamp: "2019-01-23T16:24:30Z"
  name: default-sa-at-kube-system-as-cluster-admin
  resourceVersion: "23736"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/default-sa-at-kube-system-as-cluster-admin
  uid: 5c61e84b-1f2b-11e9-af0b-9cb6d0e7e121
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: default
  namespace: kube-system