RBAC Reference

For facilitating role-based access for users, K10 leverages Kubernetes ClusterRoles and Bindings. Currently, the K10 multi-cluster global manager is only available to admin users and requires additional RBAC roles and bindings.

K10 Multi-Cluster Admin

The k10-mc-admin ClusterRole is added for Distributions, Clusters, K10 Config, Secrets and Multi-Cluster RBAC configuration access in the K10 multi-cluster namespace.

Note

k10-mc-admin will be installed under the name <release_name>-mc-admin. This ClusterRole is not configurable and is installed with K10.

The following is an example of the k10-mc-admin ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k10-mc-admin
rules:
- apiGroups:
  - config.kio.kasten.io
  - dist.kio.kasten.io
  - auth.kio.kasten.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - '*'

K10 Multi-Cluster Admin Binding

The k10-mc-admin ClusterRole needs a RoleBinding in the K10 multi-cluster namespace.

K10 creates a RoleBinding for a default Group k10:admins in the K10 multi-cluster namespace. Admin users can be added to this Group and will be able to use the above k10-mc-admin ClusterRole.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: k10-k10-mc-admin
  namespace: kasten-io-mc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k10-mc-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: k10:admins

To bind the k10-mc-admin ClusterRole to a User, use the following command

$ kubectl create rolebinding <name> --clusterrole=k10-mc-admin \
    --namespace=kasten-io-mc \
    --user=<name>

The above kubectl command will create the following RoleBinding object

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: k10-k10-mc-admin
  namespace: kasten-io-mc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k10-mc-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: k10-mc-admin

Alternatively, you can also bind the ClusterRole to a ServiceAccount.

$ kubectl create rolebinding <name> --clusterrole=k10-mc-admin \
    --namespace=kasten-io-mc \
    --serviceaccount=<serviceaccount_namespace>:<serviceaccount_name>

The above kubectl command will create the following RoleBinding object

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: k10-k10-mc-admin
  namespace: kasten-io-mc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k10-mc-admin
subjects:
- kind: ServiceAccount
  name: k10-mc-admin
  namespace: kasten-io-mc

K10 Multi-Cluster User

For non-admin users of K10 Multi-Cluster Manager, admins can allow cluster-level access, without giving access to configuration or admin-only operations.

The following rules can be applied to any existing user's ClusterRole or a new ClusterRole can be created.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k10-mc-user
rules:
- apiGroups:
  - auth.kio.kasten.io
  - config.kio.kasten.io
  - dist.kio.kasten.io
  resources:
  - '*'
  verbs:
  - get
  - list

Note

Above ClusterRole will give access to ALL clusters, for a more granular access, use resourceNames option.

To bind the k10-mc-user ClusterRole to a User, use the following command

$ kubectl create rolebinding <name> --clusterrole=k10-mc-user \
    --namespace=kasten-io-mc \
    --user=<name>

To bind the k10-mc-user ClusterRole to a ServiceAccount, use the following command

$ kubectl create rolebinding <name> --clusterrole=k10-mc-user \
    --namespace=kasten-io-mc \
    --serviceaccount=<serviceaccount_namespace>:<serviceaccount_name>

K10 Multi-Cluster User Binding

Once users are bound to clusters using the cluster role or rules defined above, a K10ClusterRoleBinding is required to define the level of access within the clusters.

K10ClusterRoles

These are pre-defined K10ClusterRoles already installed with K10. k10-multi-cluster-admin K10ClusterRole has access defined in k10-admin ClusterRole, k10-multi-cluster-basic K10ClusterRole has access defined in k10-basic ClusterRole, and k10-multi-cluster-config-view K10ClusterRole has access defined in k10-config-view ClusterRole. More about k10-admin, k10-basic, and k10-config-view can be found at K10 RBAC.

K10ClusterRoleBindings

K10ClusterRoleBindings are used for defining who (users/groups) have what (K10ClusterRole) access in which clusters. They are K10 Custom Resources that can be created in the primary cluster to give users/groups access to all or some secondary clusters.

K10 is installed with three pre-defined K10ClusterRoles that correspond to k10-admin, k10-basic and k10-config-view ClusterRoles.

The following example illustrates how to create a K10ClusterRoleBinding for user user1, using k10-multi-cluster-admin K10ClusterRole, for cluster cluster1.

$ cat > sample-k10ClusterRoleBinding.yaml <<EOF
apiVersion: auth.kio.kasten.io/v1alpha1
kind: K10ClusterRoleBinding
metadata:
  name: user1-cluster1
  namespace: kasten-io-mc
spec:
  k10ClusterRole: k10-multi-cluster-admin
  clusters:
   - name: cluster1
  subjects:
   - kind: User
     apiGroup: rbac.authorization.k8s.io
     name: user1
EOF

$ kubectl create -f sample-k10ClusterRoleBinding.yaml
k10clusterrolebinding.auth.kio.kasten.io/user1-cluster1 created

For service account users, a prefix of system:serviceaccount:<sa_namespace>: is needed for adding such users.

The following example illustrates how to create a K10ClusterRoleBinding for user sa1, using k10-multi-cluster-admin K10ClusterRole, for cluster cluster1.

$ cat > sample-k10ClusterRoleBinding.yaml <<EOF
apiVersion: auth.kio.kasten.io/v1alpha1
kind: K10ClusterRoleBinding
metadata:
  name: sa1-cluster1
  namespace: kasten-io-mc
spec:
  k10ClusterRole: k10-multi-cluster-admin
  clusters:
   - name: cluster1
  subjects:
   - kind: User
     apiGroup: rbac.authorization.k8s.io
     name:  system:serviceaccount:sa_namespace:sa1
EOF

$ kubectl create -f sample-k10ClusterRoleBinding.yaml
k10clusterrolebinding.auth.kio.kasten.io/sa1-cluster1 created

K10ClusterRoleBindings API Type

The following is a complete specification of the K10ClusterRoleBinding API.

# Standard Kubernetes API Version declaration. Required.
apiVersion: auth.kio.kasten.io/v1alpha1
# Standard Kubernetes Kind declaration. Required.
kind: K10ClusterRoleBinding
metadata:
  # K10ClusterRoleBinding name. May be any valid Kubernetes object name. Required.
  # K10ClusterRoleBinding name is not mutable once created.
  name: k10ClusterRoleBinding-example
  # K10ClusterRoleBinding names must be unique and as an alternative to name above
  # one can take advantage of Kubernetes auto name generation
  generateName: k10ClusterRoleBinding-
  # K10ClusterRoleBinding namespace. Required.
  # Must be k10 multi-cluster namespaces
  namespace: kasten-io-mc
# K10ClusterRoleBinding spec. Required.
spec:
  # k10ClusterRole name. Required
  # Choose from existing k10ClusterRoles in the system.
  # Can be oneOf k10-multi-cluster-admin, k10-multi-cluster-basic, k10-multi-cluster-config-view
  k10ClusterRole: k10-multi-cluster-admin
  # List of cluster selectors. Required.
  # Either name or selector must be specified. To select all clusters, an
  # empty selector may be used.
  clusters:
   - name: <cluster_name> # cluster1
   - selector: <selector_string> # "foo=bar"
  # List of subjects. Required.
  # Either a user or groups
  subjects:
   - kind: User
     apiGroup: rbac.authorization.k8s.io
     name: user1
   - kind: Groups
     apiGroup: rbac.authorization.k8s.io
     name: group1