<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Rbac on marktaguiad.dev</title>
    <link>https://marktaguiad.dev/tags/rbac/</link>
    <description>Recent content in Rbac on marktaguiad.dev</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <managingEditor>marktaguiad@marktaguiad.dev (Mark Taguiad)</managingEditor>
    <webMaster>marktaguiad@marktaguiad.dev (Mark Taguiad)</webMaster>
    <copyright>marktaguiad.dev</copyright>
    <lastBuildDate>Sat, 11 Apr 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://marktaguiad.dev/tags/rbac/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Kubernetes Multi-Tenancy</title>
      <link>https://marktaguiad.dev/post/k8s-multitenant/</link>
      <pubDate>Sat, 11 Apr 2026 00:00:00 +0000</pubDate><author>marktaguiad@marktaguiad.dev (Mark Taguiad)</author>
      <guid>https://marktaguiad.dev/post/k8s-multitenant/</guid>
      <description>&lt;img&#xA;  class=&#34;theme-image&#34;&#xA;  src=&#34;https://marktaguiad.dev/images/devops/k8s-notes/k8s-multitenant-001.png&#34;&#xA;  data-light=&#34;/images/devops/k8s-notes/k8s-multitenant-001.png&#34;&#xA;  data-dark=&#34;/images/devops/k8s-notes/k8s-multitenant-dark-001.png&#34;&#xA;  alt=&#34;Architecture Diagram&#34;&#xA;&gt;&#xA;&#xA;&lt;p&gt;Multi-tenancy in Kubernetes is the practice of running multiple users, teams, or customers (tenants) on a shared cluster while keeping them isolated, secure, and fairly resourced.&lt;/p&gt;&#xA;&lt;p&gt;At first glance, it sounds simple—just create namespaces and you’re done. In reality, building a safe multi-tenant platform requires layering multiple controls together.&lt;/p&gt;&#xA;&lt;h1 id=&#34;table-of-contents&#34;&gt;Table of Contents&lt;/h1&gt;&#xA;&lt;nav id=&#34;TableOfContents&#34;&gt;&#xA;  &lt;ol&gt;&#xA;    &lt;li&gt;&lt;a href=&#34;#overview&#34;&gt;Overview&lt;/a&gt;&lt;/li&gt;&#xA;    &lt;li&gt;&lt;a href=&#34;#user-creation&#34;&gt;User Creation&lt;/a&gt;&lt;/li&gt;&#xA;    &lt;li&gt;&lt;a href=&#34;#access-control&#34;&gt;Access Control&lt;/a&gt;&lt;/li&gt;&#xA;    &lt;li&gt;&lt;a href=&#34;#resource-allocation&#34;&gt;Resource Allocation&lt;/a&gt;&lt;/li&gt;&#xA;    &lt;li&gt;&lt;a href=&#34;#networkpolicy&#34;&gt;NetworkPolicy&lt;/a&gt;&lt;/li&gt;&#xA;  &lt;/ol&gt;&#xA;&lt;/nav&gt;&#xA;&lt;h3 id=&#34;overview&#34;&gt;Overview&lt;/h3&gt;&#xA;&lt;p&gt;Let&amp;rsquo;s assign team &lt;code&gt;web-dev&lt;/code&gt; to namespace &lt;code&gt;web&lt;/code&gt;.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Kubernetes RBAC</title>
      <link>https://marktaguiad.dev/post/k8s-rbac/</link>
      <pubDate>Tue, 07 Apr 2026 00:00:00 +0000</pubDate><author>marktaguiad@marktaguiad.dev (Mark Taguiad)</author>
      <guid>https://marktaguiad.dev/post/k8s-rbac/</guid>
      <description>&lt;img&#xA;  class=&#34;theme-image&#34;&#xA;  src=&#34;https://marktaguiad.dev/images/devops/k8s-notes/k8s-rbac-001.png&#34;&#xA;  data-light=&#34;/images/devops/k8s-notes/k8s-rbac-001.png&#34;&#xA;  data-dark=&#34;/images/devops/k8s-notes/k8s-rbac-dark-001.png&#34;&#xA;  alt=&#34;Architecture Diagram&#34;&#xA;&gt;&#xA;&#xA;&lt;p&gt;Role‑Based Access Control (RBAC) is a core part of Kubernetes security — it lets you grant precise permissions to users, groups, or service accounts so they can do only what they’re allowed. In this hands‑on guide, we’ll go step‑by‑step through:&lt;/p&gt;&#xA;&lt;ul&gt;&#xA;&lt;li&gt;creating a Kubernetes user&lt;/li&gt;&#xA;&lt;li&gt;assigning permissions using RBAC&lt;/li&gt;&#xA;&lt;li&gt;testing permissions&lt;/li&gt;&#xA;&lt;/ul&gt;&#xA;&lt;p&gt;Read more on this topic &lt;a href=&#34;https://kubernetes.io/docs/reference/access-authn-authz/rbac/&#34;&gt;here&lt;/a&gt;.&lt;/p&gt;&#xA;&lt;h1 id=&#34;table-of-contents&#34;&gt;Table of Contents&lt;/h1&gt;&#xA;&lt;nav id=&#34;TableOfContents&#34;&gt;&#xA;  &lt;ol&gt;&#xA;    &lt;li&gt;&lt;a href=&#34;#create-kubernetes-user&#34;&gt;Create Kubernetes User&lt;/a&gt;&#xA;      &lt;ol&gt;&#xA;        &lt;li&gt;&lt;a href=&#34;#script&#34;&gt;Script&lt;/a&gt;&lt;/li&gt;&#xA;        &lt;li&gt;&lt;a href=&#34;#create-user&#34;&gt;Create User&lt;/a&gt;&lt;/li&gt;&#xA;        &lt;li&gt;&lt;a href=&#34;#verify&#34;&gt;Verify&lt;/a&gt;&lt;/li&gt;&#xA;        &lt;li&gt;&lt;a href=&#34;#test&#34;&gt;Test&lt;/a&gt;&lt;/li&gt;&#xA;        &lt;li&gt;&lt;a href=&#34;#delete-user&#34;&gt;Delete User&lt;/a&gt;&lt;/li&gt;&#xA;      &lt;/ol&gt;&#xA;    &lt;/li&gt;&#xA;    &lt;li&gt;&lt;a href=&#34;#roles--rolebindings&#34;&gt;Roles &amp;amp; RoleBindings&lt;/a&gt;&lt;/li&gt;&#xA;    &lt;li&gt;&lt;a href=&#34;#cluster-roles--cluster-role-bindings&#34;&gt;Cluster Roles &amp;amp; Cluster Role Bindings&lt;/a&gt;&lt;/li&gt;&#xA;  &lt;/ol&gt;&#xA;&lt;/nav&gt;&#xA;&lt;h3 
id=&#34;create-kubernetes-user&#34;&gt;Create Kubernetes User&lt;/h3&gt;&#xA;&lt;p&gt;Let&amp;rsquo;s automate this process from the perspective of an admin. Use the script to create the user.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Istio: mTLS and RBAC</title>
      <link>https://marktaguiad.dev/post/k8s-istio-dos/</link>
      <pubDate>Tue, 24 Mar 2026 00:00:00 +0000</pubDate><author>marktaguiad@marktaguiad.dev (Mark Taguiad)</author>
      <guid>https://marktaguiad.dev/post/k8s-istio-dos/</guid>
      <description>&lt;p&gt;Continuation of Kubernetes Istio, this time we&amp;rsquo;ll focus on Security.&lt;/p&gt;&#xA;&lt;h1 id=&#34;table-of-contents&#34;&gt;Table of Contents&lt;/h1&gt;&#xA;&lt;nav id=&#34;TableOfContents&#34;&gt;&#xA;  &lt;ol&gt;&#xA;    &lt;li&gt;&lt;a href=&#34;#security&#34;&gt;Security&lt;/a&gt;&#xA;      &lt;ol&gt;&#xA;        &lt;li&gt;&lt;a href=&#34;#mtls-mutual-tls&#34;&gt;mTLS (Mutual TLS)&lt;/a&gt;&lt;/li&gt;&#xA;        &lt;li&gt;&lt;a href=&#34;#authorizationpolicy-rbac&#34;&gt;AuthorizationPolicy (RBAC)&lt;/a&gt;&lt;/li&gt;&#xA;      &lt;/ol&gt;&#xA;    &lt;/li&gt;&#xA;  &lt;/ol&gt;&#xA;&lt;/nav&gt;&#xA;&lt;h3 id=&#34;security&#34;&gt;Security&lt;/h3&gt;&#xA;&lt;h4 id=&#34;mtls-mutual-tls&#34;&gt;mTLS (Mutual TLS)&lt;/h4&gt;&#xA;&lt;p&gt;This will ensure that service-to-service traffic is encrypted and authenticated.&lt;/p&gt;&#xA;&lt;p&gt;Istio allows you to configure three main modes per namespace, workload, or globally:&lt;/p&gt;&#xA;&lt;table&gt;&#xA;  &lt;thead&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;th&gt;Mode&lt;/th&gt;&#xA;          &lt;th&gt;Behavior&lt;/th&gt;&#xA;          &lt;th&gt;When to Use&lt;/th&gt;&#xA;      &lt;/tr&gt;&#xA;  &lt;/thead&gt;&#xA;  &lt;tbody&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;td&gt;&lt;strong&gt;STRICT&lt;/strong&gt;&lt;/td&gt;&#xA;          &lt;td&gt;Only allows &lt;strong&gt;mTLS-encrypted traffic&lt;/strong&gt;. Plain HTTP connections are rejected.&lt;/td&gt;&#xA;          &lt;td&gt;Best for production when you want &lt;strong&gt;full security&lt;/strong&gt; between services.&lt;/td&gt;&#xA;      &lt;/tr&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;td&gt;&lt;strong&gt;PERMISSIVE&lt;/strong&gt;&lt;/td&gt;&#xA;          &lt;td&gt;Accepts both mTLS-encrypted and plain HTTP traffic.&lt;/td&gt;&#xA;          &lt;td&gt;Useful during &lt;strong&gt;gradual migration&lt;/strong&gt; to mTLS. 
Old workloads can still communicate without encryption.&lt;/td&gt;&#xA;      &lt;/tr&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;td&gt;&lt;strong&gt;DISABLE&lt;/strong&gt;&lt;/td&gt;&#xA;          &lt;td&gt;Does not use mTLS at all.&lt;/td&gt;&#xA;          &lt;td&gt;For testing, legacy workloads, or non-critical traffic.&lt;/td&gt;&#xA;      &lt;/tr&gt;&#xA;  &lt;/tbody&gt;&#xA;&lt;/table&gt;&#xA;&lt;p&gt;You might get confused by the HTTPS traffic; it just means that all traffic is converted to mTLS by the Istio Envoy sidecar. So as long as the request first goes through the sidecar, it is valid.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
